top | item 6148347

Hard drive hack provides root access, even after reinstall

472 points | pd0wm | 12 years ago | spritesmods.com

89 comments

[+] ChuckMcM|12 years ago|reply
This was a great read. One of the things we've done in the past is to modify the firmware of the drive to be able to give errors on command. The purpose was for testing RAID systems in real life scenarios. One can include a 'unit test' drive in a RAID array which will run through a series of known bad disk behaviours. From the simple like returning read failure, to the more complex like returning the wrong block or returning a block that has been silently corrupted (both things NetApp observed in the wild on 'real' drives), and my personal favourite acknowledging a write but not actually writing the data (nearly killed the Cisco relationship they had at the time)
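The "unit test drive" described above, as an added example that is not part of the thread and not anyone's drive firmware: a host-side simulation in Python of the four failure modes listed (read error, wrong block returned, silently corrupted block, write acknowledged but never committed), together with a checksummed block layer that shows which of them an end-to-end checksum catches. The block size, fault names and the sample contents are assumptions for illustration. The point it adds is that a checksum stored beside the data catches misdirected and corrupted reads but not a lost write over previously valid data; for that the expected checksum has to live with the parent (the way ZFS keeps it in the block pointer), which the `parent_tags` option models.

```python
"""Added example: simulated fault-injecting drive plus checksummed block layer.
Not from the thread; fault modes and block size are assumptions."""
import hashlib

BLOCK_SIZE = 512
NONE, READ_ERROR, WRONG_BLOCK, SILENT_CORRUPT, ACK_NO_WRITE = range(5)


class FaultyDisk:
    """A 'drive' whose fault mode can be switched on for one LBA."""

    def __init__(self, nblocks=8, fault=NONE, fault_lba=None):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]
        self.fault, self.fault_lba = fault, fault_lba

    def write(self, lba, data):
        assert len(data) == BLOCK_SIZE
        if self.fault == ACK_NO_WRITE and lba == self.fault_lba:
            return  # acknowledge the write but silently discard it
        self.blocks[lba] = data

    def read(self, lba):
        if lba != self.fault_lba or self.fault == NONE:
            return self.blocks[lba]
        if self.fault == READ_ERROR:
            raise IOError("uncorrectable read error at LBA %d" % lba)
        if self.fault == WRONG_BLOCK:  # misdirected read: neighbour's data
            return self.blocks[(lba + 1) % len(self.blocks)]
        if self.fault == SILENT_CORRUPT:  # one bit flipped, no error reported
            b = bytearray(self.blocks[lba])
            b[0] ^= 0x01
            return bytes(b)
        return self.blocks[lba]


class ChecksummedStore:
    """Host-side layer: each payload is stored with a SHA-256 tag that also
    binds the LBA, so a misdirected read (valid data, wrong block) fails too."""
    TAG = 32
    PAYLOAD = BLOCK_SIZE - TAG

    def __init__(self, disk):
        self.disk = disk

    @staticmethod
    def _digest(lba, payload):
        return hashlib.sha256(lba.to_bytes(8, "little") + payload).digest()

    def put(self, lba, payload):
        payload = payload.ljust(self.PAYLOAD, b"\0")
        tag = self._digest(lba, payload)
        self.disk.write(lba, payload + tag)
        return tag  # caller may keep this as the 'parent' copy of the checksum

    def get(self, lba, expected_tag=None):
        raw = self.disk.read(lba)  # READ_ERROR surfaces as IOError here
        payload, tag = raw[:self.PAYLOAD], raw[self.PAYLOAD:]
        if tag != self._digest(lba, payload):
            raise ValueError("checksum mismatch at LBA %d" % lba)
        if expected_tag is not None and tag != expected_tag:
            raise ValueError("stale block at LBA %d (lost write)" % lba)
        return payload.rstrip(b"\0")


def exercise(fault, parent_tags=False):
    """Fill the disk healthily, switch on one fault at LBA 3, rewrite LBA 3,
    then read it back. Returns 'ok', 'detected' or 'undetected'."""
    disk = FaultyDisk(nblocks=8)
    store = ChecksummedStore(disk)
    tags = {}
    for lba in range(8):
        tags[lba] = store.put(lba, b"v1-block-%d" % lba)  # constructed sample data
    disk.fault, disk.fault_lba = fault, 3
    tags[3] = store.put(3, b"v2-block-3")
    try:
        data = store.get(3, tags[3] if parent_tags else None)
    except (IOError, ValueError):
        return "detected"
    return "ok" if data == b"v2-block-3" else "undetected"


if __name__ == "__main__":
    for name, f in [("none", NONE), ("read error", READ_ERROR),
                    ("wrong block", WRONG_BLOCK), ("silent corruption", SILENT_CORRUPT),
                    ("ack but no write", ACK_NO_WRITE)]:
        print("%-18s in-block checksum: %-10s parent checksum: %s"
              % (name, exercise(f), exercise(f, parent_tags=True)))
```

Running it shows the lost-write case as `undetected` with only the in-block checksum and `detected` once the parent holds the expected tag; the other three are caught either way.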
[+] stephengillie|12 years ago|reply
I especially like the idea of cannibalizing old HDDs (with bad spindles but good controllers) to become microcontrollers in new projects.
[+] baruch|12 years ago|reply
The difference is that the enterprise storage space gets such firmware from the vendor rather than hacking it on its own. At least where I've been so far (NetApp is not included so far :-)

Before I got my hands on vendor-provided error injection I would have thought this to be of great use, but hacking in ARM assembly to get this would be quite a task.

[+] lsc|12 years ago|reply
The thing that interests me, though, is the idea of modifying your hard drive firmware for better performance.

My understanding is that the effective width of the write head is 10x the width of the read head... E.g. with the right firmware, it should be possible, if you are okay with a write-once medium, to write the outermost track, move the write head in 1/10th what you'd normally move it, then write the next track, etc... and get 10x the space out of the drive you normally would. In theory, the read head wouldn't have trouble. (of course, this would be write once storage, as the effective width of your write head is still pretty huge; but for a bunch of things? I can totally work with that... if more than X% of a drive was garbage data, I copy the good data to a new drive and reformat the old one. Done.)

I hear rumors that both the major drive manufacturers are actually shipping drives with this technology, but are only selling those drives to really big players, for some reason.

Here's a reasonable reference to the 'shingle' technology, and the roadmap for the rest of us:

http://www.theregister.co.uk/2013/06/25/wd_shingles_hamr_roa...

but that's the thing, with the datasheets (and, well, a lot more skill than I personally have) we should be able to set up something like shingling on the cheap disks we have today.

Of course, from reading the article, I'm not sure I'm any closer to that particular dream.

[+] magila|12 years ago|reply
Shingled writes require a special asymmetrical write head, you can't do it with current drives. Actual shingled write drives are not yet shipping AFAIK.
[+] kabdib|12 years ago|reply
My knee-jerk reaction was, why didn't WD sign the code and use on-chip fuses and a secure boot path to verify the code before transferring control to anything outside their boot ROM? (Many ARM-based systems-on-a-chip are capable of doing this).

Adds cost, for one thing. But you can arrange for the unit to never run a byte of code (even one loaded from the platter) that didn't come from WD.

[+] mrb|12 years ago|reply
Your typical motherboard's BIOS code is not signed. Your video card's BIOS is not signed. Your network card's firmware is not signed. Your optical disc drive's firmware is not signed. Etc. This threat vector exists with each of these devices.

As always security is a trade-off. The threat vector of flashing a backdoored BIOS/firmware is irrelevant for 99% of the market: most people will never be targets of such highly-technical attacks.

PS: I tip my hat to Sprite_TM; fascinating research! I love to disassemble firmware myself :) I liked how you were able to reverse-engineer the data structures in RAM.

[+] magila|12 years ago|reply
The latest generation of SAS enterprise drives do exactly this. All firmware is signed and there is extra hardware to ensure unsigned code is never run. They also disable the JTAG port before the drives leave the factory so there's no opportunity for shenanigans.

These features are required by enterprise customers to prevent just this sort of tampering.

[+] achille2|12 years ago|reply
The knee jerk reaction to secure boot-anything from the technical community has been generally "No!", "It's a trap" etc.
[+] fragmede|12 years ago|reply
Good question; how well's that working out on the iPhone?
[+] munin|12 years ago|reply
Something I hadn't really considered about hard disk encryption, before reading this, is how it could protect against compromised disk controllers. If the OS encrypts the data stored on the disk, it would be a lot harder (perhaps, with the right composition, impossible) for a malicious disk controller to insert/change/modify important data (like code, or password files) stored on the computer.

We think of the system as a holistic entity, but turned on its head, you can see how the inside of a computer is just a network...
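The "right composition" point above, as an added example in Python that is not from the thread or from any real disk-encryption code: encryption by itself gives confidentiality, not integrity, so a controller that knows (or guesses) the plaintext layout of a sector can still make targeted changes without any key; an authentication tag over the ciphertext, checked by the host before the data is used, is what makes the tampering detectable. The cipher here is a CTR-style stream built from HMAC-SHA256 as the PRF, chosen only to keep the demo dependency-free (an assumption, not what any OS uses); the sample `/etc/passwd` line, the sector number and the keys are constructed for the demo. Real full-disk encryption normally uses AES-XTS, which is also unauthenticated: a flipped ciphertext bit there garbles the whole 16-byte block rather than flipping one chosen plaintext bit, so the attacker loses precision but not the ability to corrupt, which is why integrity needs a separate layer such as an authenticated mode, dm-integrity, or dm-verity for read-only volumes.

```python
"""Added example: malleability of unauthenticated sector encryption versus
encrypt-then-MAC. Toy CTR-style construction from HMAC-SHA256 (assumption)."""
import hashlib
import hmac
import os


def keystream(key, sector, nbytes):
    """Per-sector keystream: PRF(key, sector || counter), CTR style."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        msg = sector.to_bytes(8, "little") + ctr.to_bytes(4, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(key, sector, plaintext):
    return xor(plaintext, keystream(key, sector, len(plaintext)))


decrypt_sector = encrypt_sector  # stream cipher: same operation both ways


def mac_sector(mac_key, sector, ciphertext):
    """Encrypt-then-MAC tag binding the ciphertext to its sector number."""
    return hmac.new(mac_key, sector.to_bytes(8, "little") + ciphertext,
                    hashlib.sha256).digest()


def malicious_controller(ciphertext, known_plain, wanted_plain):
    """Drive-side attacker: holds no keys, only the ciphertext and a guess of
    the plaintext at offset 0. XORing in (known ^ wanted) makes the host
    decrypt to `wanted` because the keystream cancels out."""
    assert len(known_plain) == len(wanted_plain)
    delta = xor(known_plain, wanted_plain)
    return xor(ciphertext[:len(delta)], delta) + ciphertext[len(delta):]


def host_read(enc_key, mac_key, sector, ciphertext, tag):
    """What a host that checks integrity does: verify, then decrypt."""
    if not hmac.compare_digest(tag, mac_sector(mac_key, sector, ciphertext)):
        return "rejected"
    return decrypt_sector(enc_key, sector, ciphertext)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    sector = 4242
    # Constructed sample: one /etc/passwd line living in this sector.
    line = b"alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    ct = encrypt_sector(enc_key, sector, line)
    tag = mac_sector(mac_key, sector, ct)

    # The controller rewrites alice's UID and GID to 0 without knowing a key.
    evil_ct = malicious_controller(ct, b"alice:x:1000:1000:", b"alice:x:0000:0000:")

    return {
        "original": line,
        "roundtrip": decrypt_sector(enc_key, sector, ct),
        "tampered_no_mac": decrypt_sector(enc_key, sector, evil_ct),
        "tampered_with_mac": host_read(enc_key, mac_key, sector, evil_ct, tag),
        "untampered_with_mac": host_read(enc_key, mac_key, sector, ct, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-20s %r" % (k, v))
```

Without the tag the host happily parses a line giving alice UID 0; with the tag the sector is rejected before it is parsed. The tag has to be checked on the host (or at least above the controller), and binding the sector number into it also stops the drive from serving a valid old sector in place of the requested one.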

[+] unknown|12 years ago|reply

[deleted]

[+] im3w1l|12 years ago|reply
Maybe I misunderstood, but didn't the hard drive have direct memory access (DMA)?
[+] gabriel34|12 years ago|reply
Could this attack compromise dedicated/rented servers? If so, the attacker could rent, install the exploit on the hardware and terminate the contract. What about cloud servers? Sure there are virtualization layers, but can't those be breached? If so that would pose immense danger: given the distributed nature, the hardware exploit could render the entire farm vulnerable.
[+] testbro|12 years ago|reply
The attack could compromise other servers yes. I think the scenario you describe is a possibility, although there are some technical feats that would make wide-scale exploitation difficult - you need to know what you want to modify ahead of time which would be difficult.

Virtualised environments that don't pass the vendor specific commands should be immune to the attack though. As others have said, encryption would probably allow tampered pages to be detected. I'd be interested to see if the modified firmware could ignore new firmware...

[+] wiredfool|12 years ago|reply
Installing linux on a hard drive never sounded impressive before.
[+] cupcake-unicorn|12 years ago|reply
Well, to be fair, it's a bit of a pain with UEFI.

But this is really amazing. I'd love to see how it could be extended to other OSes, if possible?

[+] batiste|12 years ago|reply
The first hack I have read on Hacker News for a long time.
[+] jrarredondo|12 years ago|reply
After reading this, I know I am unworthy to comment.

However, I will be forwarding this to my wife who gives me a hard time when I, before getting rid of an old computer, remove the HD and give five or so well placed hits with a hammer on the whole HD assembly.

[+] AsymetricCom|12 years ago|reply
What? You don't consider "growth hacking" real hacking?
[+] yuhong|12 years ago|reply
I think some hard drives, like some Seagates, have a serial console in the firmware that provides low-level access that data recovery companies, for example, use.
[+] 0x0|12 years ago|reply
I'd love to read more info about this!
[+] swang|12 years ago|reply
Does a jellybean part just mean it's very common?
[+] dsr_|12 years ago|reply
Yes, it means that you can buy them like jellybeans (and they're about the same size, and black, which is either the best or worst flavor.)
[+] wereHamster|12 years ago|reply
> Because Linux caches the shadow file (like all files recently accessed), I have to generate a lot of disk activity for the file to be 'pushed out' of the cache

http://linux-mm.org/Drop_Caches

$ echo 3 > /proc/sys/vm/drop_caches

or as non-root

$ echo 3 | sudo tee /proc/sys/vm/drop_caches

[+] brudgers|12 years ago|reply
Great article. But what I came away from it thinking was about how much money is spent by state security institutions to prevent this sort of thing, and yet the secrecy breaches at scale are the Walkers, Mannings, and Snowdens using USB sticks and DVDs and copiers.
[+] x0054|12 years ago|reply
This is some hard core hacking! Love it! First, as others mentioned, this is why you should always encrypt your OS drives. Second, it also got me thinking, how many other devices are open to this kind of attack. Like a network switch, perhaps? Say you buy 100 network switches, alter the firmware to call home and maybe even load a Linux instance, and then resell them on Amazon, eBay, or even better, give a "good" cash deal to some local IT company. Then you just sit back and wait for your 100 bots to call home from their new business class Internet homes.
[+] 0x0|12 years ago|reply
This is incredibly scary. Will HD vendors start implementing firmware code signing anytime soon? Or will some enterprising hackers start working on an open source firmware implementation?
[+] b0rsuk|12 years ago|reply
That's a whole world of spying opportunities. A government could make secret deals with hard drive manufacturers. Perhaps not US government, but Taiwan government, if it makes you happier... (I'm from neither country)
[+] korethr|12 years ago|reply
This is very cool. I have a pile of dead and old hard drives. I should see if my local hackerspace has something that can connect to JTAG, and if so, see what secrets the old drives contain.