Agence nationale de la sécurité des systèmes d’information

In the last few years, many proof-of-concepts showing how an attacker could take control of a computing device by exploiting a vulnerability in a firmware have been demonstrated in security conferences.

The goal of the work that has been presented during the Cansecwest 2011 conference is to show how it is possible for an operating system to verify during runtime that firmwares running inside peripheral devices (such as network adapters and keyboard controllers) are not modified by an attacker as a result of a successful attack.

We concentrate on one particular model of network adapter and show how the operating system can check:

• that the code area of the firmware is not modified;
• that the adapter is running code that is indeed inside of the code area;
• that the control flow is not unexpectedly modified.

A prototype has been developped and demonstrated during the conference. The prototype has been crafted for the particular model of network adapter we studied and adapting it for other devices still requires a lot of work.

Run-time firmware integrity verification: what if you can’t trust your network card?

L. Duflot, Y.-A. Perez, B. Morin, CanSecWest 2011