[Cryptography] trojans in the firmware
Mirimir
mirimir at riseup.net
Fri Feb 20 04:39:07 PST 2015
On 02/20/2015 03:50 AM, grarpamp wrote:
> On Thu, Feb 19, 2015 at 7:35 PM, Mirimir <mirimir at riseup.net> wrote:
>>>> https://www.virtualbox.org/manual/ch09.html#rawdisk
>>
>> VirtualBox in Linux doesn't require root rights. I just checked htop on
>> the host, and all VM processes are running as user. And visudo shows
>> nothing about VirtualBox.
>
> It may be setuid and switching users, or kernel module
> or helper program or something, otherwise vbox
> docs about pointing at /dev/sdx are bogus because
> the raw devices aren't available to non root users.
> I didn't read vbox docs closely.
OK, I'll dig. It might be that mounting physical disks on the host
requires root rights. But that's obviously insecure. What concerns me is
guest access to the host's disk firmware when using VDIs.
>> How would I test that? I suppose that I could setup a VM to boot from an
>> HDD, and then see if I can flash the HDD's firmware. But I'm not the
>> NSA, and so only success would be probative. But hey, I'll take a shot.
>
> http://www.t13.org/documents/UploadedDocuments/docs2008/d1699r6a-ata8-acs.pdf
> With whatever windows tools you find. Probably sdparm hdparm on linux.
> camcontrol's cmd capabilities and cam(4) debug options on freebsd.
> I wouldn't try to flash or fuzz a drive you can't afford to brick.
Not a problem. I have a bunch of retired disks.
More information about the cypherpunks
mailing list