Automatically disable devices to save power and mitigate DMA attack in Windows 7

4

1

Some OEMs include energy-saving apps that can switch off certain devices such as the webcam or optical drive. Is there any brand-agnostic app out there that can do it? If the list of disabled devices is customizable, it would also be useful for mitigating DMA attacks (disabling Firewire, PCMCIA, SDIO, Thunderbolt, etc.). Even better if it can recognize the lock/logoff event, to mimic OSX behavior in mitigating the DMA attack.

Martheen Cahya Paulo

Posted 2012-06-15T10:18:41.787

Reputation: 1 347

I think one of the main problems such software would face is that a lot of drivers require a reboot when they are re-enabled. – Robert – 2012-06-15T19:20:11.687

Ah, didn't think about that. But perhaps if we can choose the device list it will be OK? Most webcams and optical drives don't require a reboot on disabling or enabling. – Martheen Cahya Paulo – 2012-06-16T04:31:45.213

Answers

4

You can disable hardware devices via the command line.
I am not sure that merely disabling a device is sufficient to mitigate the DMA attack.

Microsoft provides devcon as a command line device management tool

Get It

  1. Obtain the Windows Driver Kit (WDK) 7.1.0 from Microsoft.
  2. Extract the ISO to a temporary file.
  3. Expand the Windows Installer file "WDK\setuptools_x64fre.msi" to a temp directory.
  4. devcon is located in "drive:\your\temp\folder\WinDDK\7600.16385.win7_wdk.100208-1538\tools\devcon\amd64\".

Use It

  1. Find the device you want to manage. Ex: devcon find * | find "DVD"
  2. Disable the device ID returned. Ex: devcon disable PCI\VEN_1102

Automate It

  1. Collect the IDs for all devices you wish to disable
  2. Add the commands to disable the devices to a simple batch file
  3. Call the batch file from a logoff script.
  4. Reverse the commands and add them to another batch file.
  5. Call this batch file from a logon script.

Note: it may be possible to do this using only PowerShell, but I wasn't able to find the correct calls. The closest I found was get-wmiobject Win32_PNPEntity.

Jeremy W

Posted 2012-06-15T10:18:41.787

Reputation: 3 529
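The "Automate It" steps above as one batch file, added here as an example and not part of the original answer: the same script serves as the logoff script (disable) and the logon script (enable), and it logs each devcon result so that a device that needs a reboot is noticed. The devcon path and the hardware IDs other than the answer's own PCI\VEN_1102 are placeholders to be replaced with IDs collected from devcon find *.

```batch
@echo off
REM Added example (not from the original answer): toggle a hand-picked list of
REM devices with devcon at logoff/logon.
REM   dma-devices.cmd disable   <- called from the logoff script
REM   dma-devices.cmd enable    <- called from the logon script
REM DEVCON path and the hardware IDs below are placeholders; collect real IDs
REM with  devcon find *   (e.g.  devcon find * | find "1394" ).
setlocal

set "DEVCON=C:\Tools\devcon.exe"
set "LOGFILE=%SystemRoot%\Temp\devcon-toggle.log"

if /I "%~1"=="disable" goto :ok
if /I "%~1"=="enable"  goto :ok
echo Usage: %~nx0 disable^|enable
exit /b 2

:ok
set "ACTION=%~1"
if not exist "%DEVCON%" (
    >>"%LOGFILE%" echo %DATE% %TIME% devcon missing at %DEVCON%
    exit /b 1
)

set "RC=0"
REM One call per device ID; devcon accepts hardware-ID prefixes and wildcards.
REM The IDs are placeholders: substitute the ones found on your own machine.
call :toggle "PCI\VEN_1102"
call :toggle "PCMCIA\*"
call :toggle "SD\*"
call :toggle "1394\*"
exit /b %RC%

:toggle
REM Redirect first so a trailing digit in the ID is not read as a handle number.
>>"%LOGFILE%" echo %DATE% %TIME% %ACTION% %~1
"%DEVCON%" %ACTION% "%~1" >>"%LOGFILE%" 2>&1
if errorlevel 1 set "RC=1"
REM devcon prints "... disabled." or "... requires reboot" per device; check the log.
goto :eof
```

A non-zero exit code from the script means at least one devcon call failed or reported a reboot requirement, which the Robert comment on the question warns about.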

+1, I was expecting a ready-to-use app, but maybe I would just code this myself. Thanks for the new devcon version; previously I found the XP version and I thought it was discontinued. I will select this as the answer if no one can come up with a ready-to-use app. – Martheen Cahya Paulo – 2012-06-23T05:21:00.497

About the DMA attack, would it still be possible even if all DMA-capable external ports are disabled? – Martheen Cahya Paulo – 2012-06-23T05:22:29.170

0

Microsoft supplies Power management profiles that allow one to run with the most suitable profile.

It is possible to further extend Power management with third-party products:

Aerofoil extends Vista and Windows 7 notebook battery life by:

  • Allowing you to manually disable Aero Glass.
  • Optionally managing Aero Glass user interface.
  • Optionally managing sound muting.
  • Optionally managing your chosen power plans.
  • Optionally managing Windows Sidebar.
  • Optionally showing a quick hibernate button.
  • Changing icon colour to show whether on battery or AC.

Power Plan Assistant for Windows 7 is capable of much much more than automatic switching of power plans. (Donationware - without donation it requires weekly reinstallation.)

harrymc

Posted 2012-06-15T10:18:41.787

Reputation: 306 093

-1, I need to disable devices. – Martheen Cahya Paulo – 2012-06-23T05:18:18.393

Microsoft's Power management is very sophisticated and allows one to control the status of devices when on battery or mains power. It is certainly much more powerful and automatic than using devcon from a batch file. Down-voting answers you haven't researched is not a good idea. – harrymc – 2012-06-23T05:24:54.467

I have tried those applications. I already mentioned optical drives and the webcam; Power management doesn't touch those, and several OEMs include custom apps to disable them automatically, which is the main reason I'm interested in a brand-agnostic solution. My other interest is in completely disabling devices to mitigate DMA attacks, which requires the port to not respond to anything, instead of standing by and springing to life when a device is connected. – Martheen Cahya Paulo – 2012-06-23T05:36:11.647

The products I mentioned above extend Power management beyond Microsoft's. However, their docs don't specifically mention optical drives and webcams, so one would need to install and see. – harrymc – 2012-06-23T06:31:10.657

Anyway, I don't believe in DMA attacks on a modern operating system. If you look at this article, this became impossible already on XP SP3, so there is no reason for it to be possible in Windows 7. – harrymc – 2012-06-23T06:36:23.090

Quote from http://www.breaknenter.org/projects/inception/: "able to unlock Windows XP SP2-3, Windows 7 SP0-1, Vista SP0 and SP2, Mac OS X Snow Leopard and Lion, Ubuntu 11.04, 11.10 and 12.04 x86 and x64-bit machines" – Martheen Cahya Paulo – 2012-06-23T06:41:22.587

Quote from the same: "Inception requires a unix-flavor operating system to perform the attack from". Simply disabling autorun and autoplay (now disabled by default for most devices) is entirely sufficient to defend against this highly theoretical attack. I don't really think that Linux booting itself from a device can go unnoticed. In all cases, there is absolutely no defense possible against anyone capable of booting your computer with his CD in your optical drive, using much simpler attack vectors than DMA. – harrymc – 2012-06-23T08:04:16.573

From, not to. We're talking about an attacker carrying a Linux box and plugging it into the victim's box, which can be running any system. And the scenario is this: my box is system-wide encrypted using TrueCrypt, so if it is turned off/hibernated, it's secure from direct attack, unless the attacker modifies the bootloader to keylog me later. The only hole is when I leave it in standby or locked, in which case the DMA attack is possible, directly copying the decryption key from the system along with the Windows logon. – Martheen Cahya Paulo – 2012-06-23T08:09:44.217

And there is no autorun or autoplay involved. The DMA attack works because Windows installs the appropriate driver automatically, then the device uses DMA to access the memory directly, bypassing APIs or other protection. That's why OSX disables DMA devices when the session is locked. – Martheen Cahya Paulo – 2012-06-23T08:11:37.537

Does your computer contain documents of worldwide importance? The level of effort required to mount the attack that you describe is on the level of a national intelligence agency, and believe me that there are much easier attack vectors than DMA. – harrymc – 2012-06-23T09:12:04.353