Comments on The Invisible Things Lab's blog: Beyond The CPU: Cheating Hardware Based RAM Forensics
Blog author: Joanna Rutkowska (http://www.blogger.com/profile/07657268181166351141)
Comment feed last updated: 2023-11-24

Anonymous, 2008-11-25 08:26 (+01:00):

Excellent work! It is interesting to read. I am not in the hardware industry, but I liked its title:
"Beyond The CPU: Cheating Hardware Based RAM Forensics"

Interesting.

Anonymous, 2008-08-23 06:26 (+02:00):

This is great, thank you so much for sharing! You should go global with this, hit up Black Hat Japan if you're not already planning to.

Matt

Anonymous, 2008-07-11 20:40 (+02:00):

What no one seems to mention is that a CPU cache's contents are NOT always coherent with the DRAM copy! This sort of defeats DMA, and even the proposed "shadow" RAM of Uli Dinklage.

Some code could even "unroll" whatever it wanted to a section of cache that had been configured to NOT map to a physical/logical RAM address, and no one would see it!

RightWay Systems.

Anonymous, 2008-04-06 05:48 (+02:00):

Interesting story. Any new updates?

Ancient (https://www.blogger.com/profile/01337685950268059189), 2007-07-05 19:30 (+02:00):

I understand your disappointment at being unable to source these cards.

I myself used an off-the-shelf PCI-based FPGA demo board. The PCI functions are provided by an IP core and you can simply code the engine in Verilog or VHDL.

So, no SMT work at all (I know that SMT worries some people) and it comes in much, MUCH cheaper (and more flexible) than those proprietary DMA sniffer cards that nobody wants to part with.

Increasingly these days the FPGA is the hacker's closest ally. Armed with an FPGA you can process spliced uplinks on the fly (a PIC microcontroller struggles above 10 Mbps and stronger controllers struggle above 100 Mbps), but a cheap FPGA solution can MITM, inject, clone and reroute selected packets on DMT and QAM64 based technologies after dropping in some IP cores and a little packet logic.

I respectfully suggest that Joanna takes a look at the ready-made IP cores for PCI functionality and the demo boards, which are fully wired SMT PCI cards with an FPGA programmable logic IC premounted.

Let's face it, with FPGAs making their way into HSC environments it is almost mandatory for the hacker to invest some time in learning to code in Verilog/VHDL.

I've implemented DMA before in this fashion, although not for this particular application. I'd suggest it is almost certainly the best route for the hacker to explore such detection systems on a tight budget.

Of course, let them have these cards... for such a technology to be useful they need to be able to RECOGNISE malware. And that, as we all know, is a much trickier proposition.

I've yet to meet a career hacker that used off-the-shelf rootkits anyway. And heuristic analysis at the kernel layer is almost impossible against all but the simplest and most direct of rootkit approaches.

Anonymous, 2007-03-14 21:19 (+01:00):

...So when are you going to change your name to Trinity? Excellent work!

Uli Dinklage (https://www.blogger.com/profile/06648544034127335600), 2007-01-27 21:43 (+01:00):

Hi Joanna,

I got your name reading a VISTA article in the Australian PC Authority magazine.

I immediately went on your website and I must say I am quite impressed.

One part talks about using a PCI card and DMA to take a memory shot. At first I thought this is an excellent idea, but when I really started thinking about it I found 2 flaws.

1. With DMA you never get an EXACT memory snapshot, because you cannot stop the processor before you take the shot.
2. Background DMA slows down other processes (because of the additional memory cycles), so it is detectable by self-timing programs.

I think I have a solution that works better.

1. Instead of using DMA you install a second memory on the PCI card that runs on the same address range as the PC's memory.
2. This memory is configured in a way that you can only WRITE to it from the PC's address and data bus. Reading is not required and not recommended, because the output drivers of the two memories would not like it.
3. To take a snapshot you just disable the write.
4. To read the data, the address and data bus is switched to an on-board processor that reads it and transmits it to an external PC via serial port or other means.

This type of memory snapshot is always current and, more importantly, IT IS TOTALLY TRANSPARENT to the PC. It does not slow it down in any way and does not need any PC software to operate it.

There is another nice advantage.

When you add a third memory to the address range and connect a clock to the data bus of that memory, you get a TIMESTAMP for each memory write.

With this timestamp you can trace the scheduling of processes and analyze how spyware blocks protected processes, for example two processes that wait for input from each other without a timeout.

Regards

Uli Dinklage (uli.dinklage@hotmail.com)

aran (https://www.blogger.com/profile/09361996466495425011), 2007-01-25 02:26 (+01:00):

Hats off, Joanna! Congratulations.

Anonymous, 2007-01-22 15:37 (+01:00):

Will you also present this at Black Hat Europe?

Didier

Anonymous, 2007-01-21 23:55 (+01:00):

It's about damn time. Good luck with your presentation.

- Rossetoecioccolato.

Admin (https://www.blogger.com/profile/03458703017257051442), 2007-01-20 16:27 (+01:00):

I wish I could stay in DC next month!! Well, there is only one thing about this article I disagree with: you're not an ordinary mortal person!!! You're an extraordinary, amazing girl! :p Enjoy DC, Joanna! Kisses from Spain.
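Two of the comments above make claims that are easy to check in a model: Uli Dinklage argues that a word-by-word DMA copy can never be an exact snapshot because the CPU keeps writing, and that a write-mirrored "shadow" memory frozen by disabling its write strobe fixes that (and that a third, clock-fed memory yields a timestamp per write); RightWay Systems replies that a write-back CPU cache holds data that never reaches the memory bus, so neither the DMA reader nor the shadow RAM ever sees it. The following Python model is an added example, not code from the blog post or from any commenter, and it models no real hardware: the 8-word memory, the "writer keeps words 0 and 7 equal" invariant and the clock that ticks once per CPU write are all constructed for the demonstration.

```python
"""Constructed model (not the blog's code, not real hardware) of three RAM
snapshot paths discussed in the comments: DMA copying word by word while the
CPU keeps writing, a write-mirrored shadow RAM frozen by disabling its write
strobe, and a write-back CPU cache whose dirty lines never reach the bus."""

WORDS = 8  # constructed: a tiny address space so snapshots are readable


class Machine:
    """One CPU with a write-back cache, DRAM, a shadow RAM that snoops bus
    writes, and a timestamp RAM that latches a clock value on every write."""

    def __init__(self):
        self.dram = [0] * WORDS
        self.shadow = [0] * WORDS          # second memory on the same address range
        self.stamps = [0] * WORDS          # third memory: clock value per bus write
        self.shadow_write_enable = True    # the write strobe the snapshot disables
        self.cache = {}                    # addr -> dirty value not yet written back
        self.clock = 0

    def cpu_write(self, addr, value, write_back=True):
        """write_back=True: the write stays dirty in the CPU cache.
        write_back=False: the write goes straight out on the memory bus."""
        self.clock += 1
        if write_back:
            self.cache[addr] = value
        else:
            self._bus_write(addr, value)

    def cpu_read(self, addr):
        """The CPU sees its own dirty cache lines before DRAM."""
        return self.cache.get(addr, self.dram[addr])

    def flush_cache(self):
        """Eviction / write-back: dirty lines finally appear on the bus."""
        for addr, value in sorted(self.cache.items()):
            self._bus_write(addr, value)
        self.cache.clear()

    def _bus_write(self, addr, value):
        """Everything listening on the memory bus observes this write."""
        self.dram[addr] = value
        if self.shadow_write_enable:
            self.shadow[addr] = value
            self.stamps[addr] = self.clock

    def dma_read(self, addr):
        """A PCI card reading through DMA sees DRAM, never the CPU cache."""
        return self.dram[addr]


def dma_snapshot(m, between_words=None):
    """Copy DRAM one word at a time. The CPU is not stopped, so the optional
    `between_words` callback (the running system) may write after each read."""
    copy = []
    for addr in range(WORDS):
        copy.append(m.dma_read(addr))
        if between_words is not None:
            between_words(addr)
    return copy


def shadow_snapshot(m):
    """Freeze the shadow RAM by disabling its write strobe, copy, re-enable."""
    m.shadow_write_enable = False
    copy = list(m.shadow)
    m.shadow_write_enable = True
    return copy


def pair_consistent(copy, lo, hi):
    """Invariant the constructed writer maintains: word lo == word hi."""
    return copy[lo] == copy[hi]


def torn_dma_demo():
    """The writer updates words 0 and 7 together with plain bus writes. If it
    runs between the DMA engine's reads of word 0 and word 7 the DMA copy is
    torn; the shadow snapshot, taken at one instant, is not."""
    m = Machine()
    seq = [0]

    def writer_update():
        seq[0] += 1
        m.cpu_write(0, seq[0], write_back=False)
        m.cpu_write(7, seq[0], write_back=False)

    writer_update()  # words 0 and 7 now both hold 1
    # The system gets scheduled once, after the DMA engine has read word 3.
    dma = dma_snapshot(m, between_words=lambda a: writer_update() if a == 3 else None)
    shadow = shadow_snapshot(m)
    return {
        "dma": dma,
        "dma_consistent": pair_consistent(dma, 0, 7),
        "shadow": shadow,
        "shadow_consistent": pair_consistent(shadow, 0, 7),
        "stamps": list(m.stamps),  # clock value of the last bus write per word
    }


def dirty_cache_demo():
    """A value sitting dirty in the write-back cache is visible to the CPU but
    to neither the DMA reader nor the shadow RAM until it is written back."""
    m = Machine()
    m.cpu_write(5, 0xAB, write_back=True)
    before = {"cpu": m.cpu_read(5), "dma": dma_snapshot(m)[5],
              "shadow": shadow_snapshot(m)[5]}
    m.flush_cache()
    after = {"cpu": m.cpu_read(5), "dma": dma_snapshot(m)[5],
             "shadow": shadow_snapshot(m)[5]}
    return before, after


if __name__ == "__main__":
    print(torn_dma_demo())
    print(dirty_cache_demo())
```

In `torn_dma_demo` the DMA copy ends up holding sequence 1 in word 0 and sequence 2 in word 7, while the shadow copy holds 2 in both and the timestamp memory records the clock of each bus write; in `dirty_cache_demo` the value 0xAB is invisible to both bus-side readers until the cache is flushed. The model covers only the dirty-line case RightWay raises; cache-as-RAM configurations that never map to a physical address are outside it.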