Implementation and Implications of a Stealth Hard-Drive Backdoor

Abstract: Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial off-the-shelf hard drive using only public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks on the disk while they are written, providing a data-replacement backdoor. The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a remote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to exfiltrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original web server, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, automatically extracted sensitive data such as /etc/shadow (or a secret key file) in less than a minute. This paper claims that the difficulty of implementing such an attack does not confine it to government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
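The abstract describes two mechanisms that a practitioner may want to see end to end: a write-path hook that substitutes block contents, and an in-band channel in which a command written through an unmodified web stack is picked up by the drive and the answer is returned on a later read. The following behavioural model is an added illustration written for this page; it is not the paper's firmware or any code from the authors. The block size, trigger markers, LBAs, file contents, the "dump" command syntax and the host-side HMAC check are all assumptions constructed for the example, not details taken from the paper.

```python
import hashlib
import hmac

BLOCK_SIZE = 512

# Every value below is constructed for this model; the paper's real markers,
# targets and command set are not on the page.
TARGET_PREFIX = b"root:"                               # shadow line the backdoor rewrites
REPLACEMENT_LINE = b"root:ATTACKER_KNOWN_HASH:19000:0:99999:7:::"
CMD_MAGIC = b"\xde\xc0\xad\xde[CMD]"                   # marks an infiltrated command
RESP_MAGIC = b"\xde\xc0\xad\xde[RSP]"                  # marks where the answer surfaces
SHADOW_LBA, KEY_LBA = 3, 7
SHADOW_CONTENT = (b"root:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::\n"
                  b"alice:*:19000:0:99999:7:::\n")
KEY_CONTENT = (b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-MATERIAL\n"
               b"-----END PRIVATE KEY-----\n")


def _pad(data: bytes) -> bytes:
    """Clamp a buffer to exactly one block."""
    return data[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")


class HonestDisk:
    """A well-behaved block device: read() returns exactly what write() stored."""
    def __init__(self, nblocks: int) -> None:
        self.blocks = [bytes(BLOCK_SIZE)] * nblocks

    def write(self, lba: int, data: bytes) -> None:
        self.blocks[lba] = _pad(data)

    def read(self, lba: int) -> bytes:
        return self.blocks[lba]


class BackdooredDisk(HonestDisk):
    """Same interface as HonestDisk; the firmware's hooks live in write() and read()."""
    def __init__(self, nblocks: int) -> None:
        super().__init__(nblocks)
        self.pending_response = b""

    def write(self, lba: int, data: bytes) -> None:
        data = _pad(data)
        # (1) Data replacement: the root entry of /etc/shadow is swapped while the
        #     block is written, so the attacker can log in with a hash only they know.
        start = data.find(TARGET_PREFIX)
        if start >= 0:
            end = data.find(b"\n", start)
            end = BLOCK_SIZE if end < 0 else end
            data = _pad(data[:start] + REPLACEMENT_LINE + data[end:])
        # (2) Command infiltration: a marker in any written block is parsed as a
        #     command, whichever layer (web app, database, filesystem) produced the write.
        idx = data.find(CMD_MAGIC)
        if idx >= 0:
            cmd = data[idx + len(CMD_MAGIC):].split(b"\n", 1)[0]
            self.pending_response = self.execute(cmd)
        super().write(lba, data)

    def execute(self, cmd: bytes) -> bytes:
        """Minimal command set for the model: dump the raw contents of one block."""
        if cmd.startswith(b"dump "):
            return self.blocks[int(cmd[5:])]
        return b"unknown command"

    def read(self, lba: int) -> bytes:
        block = super().read(lba)
        # (3) Exfiltration: when the host reads back a block carrying RESP_MAGIC, the
        #     queued answer rides out in its place through the same unmodified stack.
        if self.pending_response and RESP_MAGIC in block:
            out, self.pending_response = _pad(RESP_MAGIC + self.pending_response), b""
            return out
        return block


class WebApp:
    """Stands in for web server + database + filesystem: each stored row is one block."""
    def __init__(self, disk, first_lba: int) -> None:
        self.disk, self.next_lba, self.rows = disk, first_lba, {}

    def post(self, body: bytes) -> int:
        row, self.rows[row] = len(self.rows), self.next_lba
        self.disk.write(self.next_lba, body)
        self.next_lba += 1
        return row

    def get(self, row: int) -> bytes:
        return self.disk.read(self.rows[row]).rstrip(b"\x00")


def tag_block(key: bytes, lba: int, data: bytes) -> bytes:
    """Host-side HMAC over (lba, intended data); the drive never sees the key."""
    return hmac.new(key, lba.to_bytes(8, "little") + _pad(data), hashlib.sha256).digest()


def verify_disk(disk, key: bytes, tags: dict) -> list:
    """Return the LBAs whose current content no longer matches the host's tag."""
    return [lba for lba, tag in tags.items()
            if not hmac.compare_digest(tag_block(key, lba, disk.read(lba)), tag)]


def demo(disk_cls) -> dict:
    disk, key, tags = disk_cls(32), b"host-held integrity key (constructed)", {}
    for lba, content in ((SHADOW_LBA, SHADOW_CONTENT), (KEY_LBA, KEY_CONTENT)):
        disk.write(lba, content)                  # the OS installs its files...
        tags[lba] = tag_block(key, lba, content)  # ...and records what it meant to write
    app = WebApp(disk, first_lba=16)
    app.post(CMD_MAGIC + b"dump %d\n" % KEY_LBA)  # attacker's "comment" carries the command
    row = app.post(RESP_MAGIC + b"placeholder")   # a second comment reserves the reply slot
    return {"exfiltrated": app.get(row),
            "shadow": disk.read(SHADOW_LBA).rstrip(b"\x00"),
            "tampered": verify_disk(disk, key, tags)}
```

`demo(BackdooredDisk)` returns the private-key block inside the attacker's second "comment" and reports the shadow block as tampered, while `demo(HonestDisk)` returns the placeholder and an empty tamper list. The check is the part worth keeping: a bare write-then-read comparison trusts the same firmware on both paths, whereas a tag computed on the host over the data it intended to write, with a key the drive never holds, catches substitution regardless of when it happened (this is the property an authenticated storage layer such as dm-verity or authenticated disk encryption provides). The caveat is visible in `read()`: the exfiltration hook only fires for the block that carries the marker, and it clears itself afterwards, so a periodic scan that reads other blocks will see nothing; integrity has to be checked on the reads that matter, not on a sampling of the disk.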
Document type: Conference papers


https://hal.archives-ouvertes.fr/hal-00869263
Contributor: Jonas Zaddach
Submitted on: Wednesday, October 2, 2013 - 7:28:39 PM
Last modification on: Wednesday, August 7, 2019 - 12:18:06 PM
Long-term archiving on: Monday, January 6, 2014 - 10:01:10 AM

File

acsac13_zaddach_no_copyright.p...
Files produced by the author(s)

Identifiers

  • HAL Id: hal-00869263, version 1

Citation

Jonas Zaddach, Anil Kurmus, Davide Balzarotti, Erik-Olivier Blass, Aurélien Francillon, et al. Implementation and Implications of a Stealth Hard-Drive Backdoor. ACSAC '13, Dec 2013, New Orleans, United States. ISBN 978-1-4503-2015-3/13/12. ⟨hal-00869263⟩
