FireWire Physical DMA Security

After seeing Quinn's FireStarter demo of what could be done with FireWire physical memory access, I was curious about the security implications. Could a random person wander up to a password-locked iBook and slurp all the memory off it? As far as I can tell, yes! (See this thread for the same problem on other platforms.) Alternatively, they could figure out where in memory the screensaver/locking process is, blat some 0x0 bytes over it, and crash the locking program.

However, there is an (AFAIK) undocumented way to disable this in Mac OS X, found in the IOFireWireFamily kernel driver. If an Open Firmware security-mode other than "none" has been set, the controller puts itself into secure/permanent mode and physical (DMA) access to host memory from remote FireWire nodes is disabled:

From IOFireWireFamily-140.4.0/IOFireWireFamily.kmodproj/IOFireWireController.cpp:

        OSString * securityModeProperty = OSDynamicCast( OSString, options->getProperty("security-mode") );
    
        if( securityModeProperty != NULL && strcmp("none", securityModeProperty->getCStringNoCopy()) != 0 )
        {
            // set security mode to secure/permanent
            mode = kIOFWSecurityModeSecurePermanent;
        }

So if you want to physically secure your Apple laptop, make sure you have an Open Firmware security-mode and password set. Of course this is common sense if you want to prevent single-user booting etc., but if you are relying on an encrypted drive which loses its key after a reboot, an Open Firmware security-mode might not have been set, and then the key is readable over FireWire while the machine is up. Although a really determined attacker could warm-swap your hard disk or something anyway.
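As an added example (not from the original page, and not Apple's code), here is a small POSIX shell check that applies the same rule as the IOFireWireController snippet above to what the Open Firmware `security-mode` variable currently holds: absent or "none" means physical DMA stays enabled, anything else means the driver goes secure/permanent. It assumes the OS X `nvram` tool prints the variable as `security-mode<TAB>value` and that a set firmware password shows up as `command` or `full`; neither detail is stated on the page, and the sample lines at the bottom are constructed stand-ins for real output.

```sh
#!/bin/sh
# Added example, not part of the original page: audit the Open Firmware
# security-mode the way the IOFireWireController code decides on it.
# Kernel rule: property absent or equal to "none" -> normal mode, FireWire
# physical DMA stays enabled; any other value -> secure/permanent, DMA off.

# Classify one line of `nvram security-mode` output.  Assumption: the OS X
# nvram tool prints "name<TAB>value", and a set password reads "command"
# or "full".  An empty line means the variable is unset, which the kernel
# treats the same as "none".
# Prints a verdict; returns 0 when DMA is disabled, 1 when it is enabled.
classify_security_mode() {
    line=$1
    # cut -s only prints lines that actually contain a tab, so an empty or
    # malformed line yields an empty value.
    value=$(printf '%s\n' "$line" | cut -s -f2)
    case "$value" in
        ''|none)
            printf 'security-mode=%s: FireWire physical DMA is ENABLED\n' "${value:-<unset>}"
            return 1
            ;;
        *)
            printf 'security-mode=%s: FireWire physical DMA is disabled (secure/permanent)\n' "$value"
            return 0
            ;;
    esac
}

# Same verdict as a single word, convenient for scripts and assertions.
dma_state_for() {
    if classify_security_mode "$1" >/dev/null; then
        echo disabled
    else
        echo enabled
    fi
}

# Query the running machine.  Only meaningful on a PowerPC Mac, where the
# Open Firmware /options node is what `nvram` reads; if nvram is missing or
# the variable does not exist we fall through to "unset", i.e. no protection.
audit_live_machine() {
    out=$(nvram security-mode 2>/dev/null || true)
    classify_security_mode "$out"
}

# Constructed sample lines standing in for real nvram output.
sample_unset=''
sample_none=$(printf 'security-mode\tnone')
sample_command=$(printf 'security-mode\tcommand')
sample_full=$(printf 'security-mode\tfull')

if [ "${1:-}" = "--live" ]; then
    audit_live_machine
else
    for s in "$sample_unset" "$sample_none" "$sample_command" "$sample_full"; do
        classify_security_mode "$s" || true
    done
fi
```

Run it with `--live` on the machine you care about; without arguments it walks the four constructed cases so you can see which values the kernel treats as protected.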

Problems with FileVault/Keychain

Try the following in 10.3:

sudo -s
cd /var/vm
strings -8 swapfi* | grep <part of your password>

You'll probably see your password: on 10.3 the swap files are unencrypted, so anything that gets paged out, passwords included, sits on disk in cleartext until it is overwritten. OS X 10.4 provides encrypted virtual memory, which seems to fix this issue.
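As an added example (not part of the original page), the following POSIX shell functions turn the `strings -8 | grep` check above into something you can script: one counts printable runs in a file that contain a password fragment (reimplemented with `tr`/`awk` so it does not need `strings`), one walks a swap directory, and one looks at `sysctl vm.swapusage` output for the "(encrypted)" marker that 10.4's encrypted virtual memory adds. The "(encrypted)" suffix and the `swapfile*` naming under /var/vm are assumptions from my own experience, not facts the page states; the sample swap file is constructed.

```sh
#!/bin/sh
# Added example, not part of the original page: look for cleartext secrets
# in swap, and check whether encrypted virtual memory is on.

# Extract printable runs of at least MINLEN bytes from FILE (what
# `strings -8` does) and count the runs containing FRAGMENT.  LC_ALL=C keeps
# tr byte-oriented on arbitrary binary input; `|| true` keeps grep's
# "no match" exit status from aborting a `set -e` caller.
count_secret_hits() {
    file=$1
    fragment=$2
    minlen=${3:-8}
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$file" \
        | awk -v n="$minlen" 'length($0) >= n' \
        | grep -F -c -- "$fragment" || true
}

# Scan every swap file in DIR (default /var/vm; assumption: the files are
# named swapfile0, swapfile1, ...).  Prints the total hit count and returns
# non-zero when the fragment was found anywhere.
scan_swap_files() {
    fragment=$1
    dir=${2:-/var/vm}
    total=0
    for f in "$dir"/swapfile*; do
        [ -f "$f" ] || continue
        hits=$(count_secret_hits "$f" "$fragment")
        if [ "$hits" -gt 0 ]; then
            printf '%s: %s hit(s)\n' "$f" "$hits" >&2
        fi
        total=$((total + hits))
    done
    echo "$total"
    [ "$total" -eq 0 ]
}

# Decide from one line of `sysctl vm.swapusage` output whether swap is
# encrypted.  Assumption: on 10.4 and later the line ends in "(encrypted)"
# when secure virtual memory is enabled.
swap_is_encrypted() {
    case "$1" in
        *'(encrypted)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample swap file: binary junk around a paged-out password.
make_sample_swap() {
    dir=$1
    printf '\001\002\003\377\376' > "$dir/swapfile0"
    printf 'some unrelated text that is long enough\n' >> "$dir/swapfile0"
    printf '\001\001hunter2-correct-horse\001\177' >> "$dir/swapfile0"
    printf '\033[Aalmost\001' >> "$dir/swapfile0"
}

# Usage: sh swapaudit.sh <password-fragment> [swapdir]
# Pass only part of the password: the argument is visible in `ps` output
# and ends up in your shell history.
if [ $# -ge 1 ]; then
    if scan_swap_files "$1" "${2:-/var/vm}"; then
        echo "no cleartext hits in swap"
    else
        echo "cleartext hits found in swap"
    fi
    if swap_is_encrypted "$(sysctl vm.swapusage 2>/dev/null || true)"; then
        echo "swap is encrypted"
    else
        echo "swap is NOT encrypted (or vm.swapusage unavailable)"
    fi
fi
```

Note that `grep -c` counts matching runs, not occurrences, and that you need root to read /var/vm, exactly as with the `sudo -s` step above.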

Booting in target-disk mode with an Open Firmware password enabled

If you've enabled a firmware password, sometimes you might want to use target-disk mode. Holding "T" at boot as usual won't work, so you have to drop to the Open Firmware prompt instead (command-option-O-F at boot). If you type:

dev /
ls

you can see there's a /firewire-disk-mode entry. To use it, go:

dev /firewire-disk-mode

Now we can see what commands are available:

words

and choose the obvious one by typing:

target-mode

You should now see the happy FireWire logo on the screen, and target-disk mode will be working.

Decrypting and extracting keychain secrets

Apple's keychain implementation is quite nifty, though a bit hard to back up to a text file encrypted with gpg. After a bit of hunting through the Security-177 code I came up with extractkeychain. It is a small Python program that will decrypt all passwords in the keychain and print them out. Obviously you require the password for the keychain. It uses Apple's command-line "security" program, so it only runs on OS X. It parses that program's output, replacing the raw encrypted data with the cleartext passwords. The main program is extractkeychain.py.

Hibernate on older macs

Hibernate support was introduced in 10.4.3, and with some prodding works on iBooks and other Macs.

Memtest86+ for Intel Macs

A patch and .iso

Back to my homepage.

Matt Johnston <matt at ucc.asn.au>