linux-kernel.vger.kernel.org archive mirror
* security issue: hard disk lock
@ 2005-04-04 17:42 Jonas Diemer
  2005-04-04 18:32 ` Horst von Brand
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Jonas Diemer @ 2005-04-04 17:42 UTC (permalink / raw)
  To: linux-kernel

Hello!

I don't know if you guys already know, there is a possible security risk with 
all modern desktop-pcs and ata hard drives. In short:

Modern ata drives can be locked by password. This lock could be set by a 
malicious software. This security feature can be frozen, so no programs can 
set a lock until the next reboot. Usually, the BIOS should take care of 
locking the security feature, but most desktop BIOSes (unlike laptop BIOSes) 
fail to do so. Once a lock is set and the password is unknown, the drive is 
trash.

See http://www.heise.de/ct/english/05/08/172/ for more details.

In the above article, a patched hdparm is used to freeze the drive's security 
features. This can be used during boot to prevent programs from setting a 
password. However, a malicious program could infect the computer and install 
itself in the boot sequence prior to the execution of hdparm...

I figured there could be a kernel compiled-in option that will make the kernel 
lock all drives found during bootup. Then, a malicious program would need to 
install a different kernel in order to harm the drive, which would be much 
more secure.

What do you think of this? 

Regards,
Jonas

PS: Please CC me in replies, I am not subscribed to the list.


* Re: security issue: hard disk lock
  2005-04-04 17:42 security issue: hard disk lock Jonas Diemer
@ 2005-04-04 18:32 ` Horst von Brand
  2005-04-04 23:00   ` Chris Friesen
  2005-04-05 15:41   ` Vernon Mauery
  2005-04-04 19:26 ` Florian Weimer
  2005-04-11 15:36 ` Alan Cox
  2 siblings, 2 replies; 10+ messages in thread
From: Horst von Brand @ 2005-04-04 18:32 UTC (permalink / raw)
  To: Jonas Diemer; +Cc: linux-kernel

Jonas Diemer <diemer@gmx.de> said:

[...]

> I figured there could be a kernel compiled-in option that will make the
> kernel lock all drives found during bootup. Then, a malicious program
> would need to install a different kernel in order to harm the drive,
> which would be much more secure.

Doing it in initrd should be plenty of time, no need to involve the kernel.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513


* Re: security issue: hard disk lock
  2005-04-04 17:42 security issue: hard disk lock Jonas Diemer
  2005-04-04 18:32 ` Horst von Brand
@ 2005-04-04 19:26 ` Florian Weimer
  2005-04-11 15:36 ` Alan Cox
  2 siblings, 0 replies; 10+ messages in thread
From: Florian Weimer @ 2005-04-04 19:26 UTC (permalink / raw)
  To: Jonas Diemer; +Cc: linux-kernel

* Jonas Diemer:

> What do you think of this? 

I think that these days, the underlying assumption (software cannot
destroy hardware, and if it can, we have a problem) is simply no
longer valid.


* Re: security issue: hard disk lock
  2005-04-04 18:32 ` Horst von Brand
@ 2005-04-04 23:00   ` Chris Friesen
  2005-04-05 15:41   ` Vernon Mauery
  1 sibling, 0 replies; 10+ messages in thread
From: Chris Friesen @ 2005-04-04 23:00 UTC (permalink / raw)
  To: Horst von Brand; +Cc: Jonas Diemer, linux-kernel

Horst von Brand wrote:

> Doing it in initrd should be plenty of time, no need to involve the kernel.

Not everyone uses an initrd.

Chris


* Re: security issue: hard disk lock
  2005-04-04 18:32 ` Horst von Brand
  2005-04-04 23:00   ` Chris Friesen
@ 2005-04-05 15:41   ` Vernon Mauery
  2005-04-05 17:10     ` Jonas Diemer
  1 sibling, 1 reply; 10+ messages in thread
From: Vernon Mauery @ 2005-04-05 15:41 UTC (permalink / raw)
  To: Horst von Brand; +Cc: Jonas Diemer, linux-kernel

Horst von Brand wrote:
> Jonas Diemer <diemer@gmx.de> said:
> 
> [...]
> 
> 
>>I figured there could be a kernel compiled-in option that will make the
>>kernel lock all drives found during bootup. Then, a malicious program
>>would need to install a different kernel in order to harm the drive,
>>which would be much more secure.
> 
> 
> Doing it in initrd should be plenty of time, no need to involve the kernel.

Technically, according to the article, the only safe time to do it is in the BIOS or in one of their special safe CDs that freezes the drive before the boot loader loads.  This makes sense because a particularly malicious place to put something like this is a worm that attaches to your boot loader.  Then, even doing it in the kernel at boot time is too late.

--Vernon



* Re: security issue: hard disk lock
  2005-04-05 15:41   ` Vernon Mauery
@ 2005-04-05 17:10     ` Jonas Diemer
  0 siblings, 0 replies; 10+ messages in thread
From: Jonas Diemer @ 2005-04-05 17:10 UTC (permalink / raw)
  To: Vernon Mauery; +Cc: Horst von Brand, linux-kernel

On Tuesday, 5 April 2005 17:41, Vernon Mauery wrote:
>  This makes sense because a particularly malicious
> place to put something like this is a worm that attaches to your boot
> loader.  Then, even doing it in the kernel at boot time is too late.

I understand... Didn't know that worms could attach to the bootloader :-) 
Well, then even fixing this in the bootloader would be too late, if the worm 
could simply replace the bootloader. I guess it's not a kernel-issue then and 
should really be addressed in the boot-up sequence (as long as BIOS vendors 
fail to fix it), be it with or without initrd.

regards,
Jonas

PS: Still not in list, so please CC me on eventual replies.


* Re: security issue: hard disk lock
  2005-04-04 17:42 security issue: hard disk lock Jonas Diemer
  2005-04-04 18:32 ` Horst von Brand
  2005-04-04 19:26 ` Florian Weimer
@ 2005-04-11 15:36 ` Alan Cox
  2005-04-11 16:01   ` Jonas Diemer
  2 siblings, 1 reply; 10+ messages in thread
From: Alan Cox @ 2005-04-11 15:36 UTC (permalink / raw)
  To: Jonas Diemer; +Cc: Linux Kernel Mailing List

On Mon, 2005-04-04 at 18:42, Jonas Diemer wrote:
> I figured there could be a kernel compiled-in option that will make the kernel 
> lock all drives found during bootup. Then, a malicious program would need to 
> install a different kernel in order to harm the drive, which would be much 
> more secure.

It makes little difference as the attacker can replace the kernel and
reboot. Anyway they can flash erase your video card bios, your IDE
firmware, your BIOS and far more just as easily.

I wrote an analysis for the UK government a few years back about this
threat and concluded that a sufficiently malicious attacker and a
suitable hole would allow someone to wipe out large numbers of PCs on a
fairly permanent basis. We can just be glad that the folks writing stuff
like slammer mostly want either fame or are operating "commercially" (ie
DoS protection rackets, spam etc) so don't wish to kill their hosts.

From an OS perspective it is very hard to protect against. Locking the
boot media can help providing the BIOS settings cannot be used to boot
another disk. Dropping CAP_SYS_RAWIO early in boot will protect against
most of the potential root user directly accesses the hardware type
attacks. hdparm can help but really it needs to be in the BIOS options
to make much difference so kick your pet BIOS vendor/PC maker.

Alan



* Re: security issue: hard disk lock
  2005-04-11 15:36 ` Alan Cox
@ 2005-04-11 16:01   ` Jonas Diemer
  2005-04-14  3:20     ` Mark Lord
  2005-04-15 15:09     ` Alan Cox
  0 siblings, 2 replies; 10+ messages in thread
From: Jonas Diemer @ 2005-04-11 16:01 UTC (permalink / raw)
  To: Linux Kernel Mailing List

Hi Alan!

Thanks for the info

On Monday, 11 April 2005 17:36, Alan Cox wrote:
> It makes little difference as the attacker can replace the kernel and
> reboot. Anyway they can flash erase your video card bios, your IDE
> firmware, your BIOS and far more just as easily.

Yes, but a new video-card or Motherboard can be easily bought (although it 
costs), but the data on a locked disk is lost forever, unless you pay for 
professional recovery (which is also a time-issue, if time critical data is 
stored on the disk). Of course, this can be solved with a good backup 
strategy...

I agree with you though, that this really isn't a kernel issue, but a BIOS 
thing. Distributors should/could provide additional security by freezing the 
security-features early during boot, until BIOS vendors do their homework.

regards,
Jonas

PS: Still not on the list, so please CC me in an eventual reply.


* Re: security issue: hard disk lock
  2005-04-11 16:01   ` Jonas Diemer
@ 2005-04-14  3:20     ` Mark Lord
  2005-04-15 15:09     ` Alan Cox
  1 sibling, 0 replies; 10+ messages in thread
From: Mark Lord @ 2005-04-14  3:20 UTC (permalink / raw)
  To: Jonas Diemer; +Cc: Linux Kernel Mailing List

hdparm-6.0 is currently winding through release channels,
and includes support for freezing/managing the security status.

Cheers

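Added example, not part of any message in this thread and not hdparm or kernel code: the security status the thread talks about freezing is reported by the drive in word 128 of its ATA IDENTIFY DEVICE data, and this sketch decodes that word to tell a frozen drive from one on which a password could still be set. The function names, the enum and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* ATA IDENTIFY DEVICE word 128 (security status) bits, per the ATA spec. */
#define SEC_SUPPORTED 0x0001u
#define SEC_ENABLED   0x0002u   /* a user password is set */
#define SEC_LOCKED    0x0004u
#define SEC_FROZEN    0x0008u   /* security commands rejected until power cycle */

enum sec_state { SEC_NA, SEC_IS_FROZEN, SEC_IS_LOCKED, SEC_HAS_PASSWORD, SEC_EXPOSED };

/* IDENTIFY data is 256 little-endian 16-bit words in a 512-byte buffer. */
uint16_t identify_word(const uint8_t *id, unsigned n)
{
    return (uint16_t)(id[2 * n] | (id[2 * n + 1] << 8));
}

/* Classify the drive by the question the thread asks: can software with
 * raw ATA command access still set a password on it? */
enum sec_state classify_security(uint16_t w128)
{
    if (!(w128 & SEC_SUPPORTED)) return SEC_NA;
    if (w128 & SEC_LOCKED)       return SEC_IS_LOCKED;
    if (w128 & SEC_FROZEN)       return SEC_IS_FROZEN;
    if (w128 & SEC_ENABLED)      return SEC_HAS_PASSWORD;
    return SEC_EXPOSED;          /* supported, no password, not frozen */
}

const char *state_name(enum sec_state s)
{
    static const char *names[] = {
        "no security feature set", "frozen until next power cycle",
        "locked", "password set, not frozen", "EXPOSED: unfrozen, no password"
    };
    return names[s];
}

int main(void)
{
    /* Constructed sample values of word 128, not read from real drives. */
    const uint16_t samples[] = { 0x0000, 0x0021, 0x0029, 0x0023, 0x0007 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("word128=0x%04x -> %s\n", (unsigned)samples[i],
               state_name(classify_security(samples[i])));
    return 0;
}
```

A boot-time audit would run this check after the freeze step and flag any drive still reported as exposed.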

* Re: security issue: hard disk lock
  2005-04-11 16:01   ` Jonas Diemer
  2005-04-14  3:20     ` Mark Lord
@ 2005-04-15 15:09     ` Alan Cox
  1 sibling, 0 replies; 10+ messages in thread
From: Alan Cox @ 2005-04-15 15:09 UTC (permalink / raw)
  To: Jonas Diemer; +Cc: Linux Kernel Mailing List

On Mon, 2005-04-11 at 17:01, Jonas Diemer wrote:
> Yes, but a new video-card or Motherboard can be easily bought (although it 
> costs), but the data on a locked disk is lost forever, unless you pay for 
> professional recovery (which is also a time-issue, if time critical data is 
> stored on the disk). Of course, this can be solved with a good backup 
> strategy...

It still causes great inconvenience I agree. 

> I agree with you though, that this really isn't a kernel issue, but a BIOS 
> thing. Distributors should/could provide additional security by freezing the 
> security-features early during boot, until BIOS vendors do their homework.

It's really for Jeff and Bartlomiej to call but I'd certainly not be
opposed to freezing the security state in the kernel at boot by default.

Alan

