rentzsch.com: tales from the red shed

Securing Firewire

Mac OS X
When Quinn won best hack at MacHack 2002 for his FireStarter hack, I publicly declared (though never on this blog) that this piece of software would force Apple to lock down the Firewire ports on the Xserve.

The idea is simple: Firewire provides direct memory access. So I can plug in my PowerBook into an Xserve, and arbitrarily read and write to all of the Xserve's RAM, sans any logical protection.

Quinn's masterpiece was a dramatic proof of concept. I was there when he couldn't get it working in 2001, so it was a treat to see it come to life. For his demo, he booted an iMac off the Mac OS X installation CD (thus proving no custom software on the target iMac) and then plugged in a another Mac. All of a sudden, fire appeared at the bottom of the target's screen, overwriting the bottom of the installer's screen. Quinn simply blitted a fire animation over Firewire to the target's video ram. Great job.

Well, Apple didn't lock down the Firewire port and no one really went off filling their ports with epoxy. I ate crow. It took a couple of years, but the security community eventually made this a little more high-profile. Their hook, of course, was the iPod. "Use an iPod to 0wn an Xserve" the cry went. Everything's sexier if you can tie it to the iPod. It was on the mainstream geek press radar for about a week.

Now Paul Day released his Securing Mac OS X paper and slides. Nicely done. Paul mentions something -- almost off-hand -- that's very interesting. Paul claims enabling the Open Firmware password also automatically disables Firewire DMA, preventing tricks like Quinn's.

I don't know when this happened, but it speaks well of Apple. This is a fairly serious security issue, but one that's pretty much under everyone's radar. If Apple's silently plugging this hole, what others are they plugging that I'm not aware of?

Conversely, this is entirely undocumented. It seems like a little surprise gift for the folks who care about security so much they enable firmware passwords. What else gets enabled in this ultra-paranoid mode? Why isn't Apple telling folks about this feature? Do they think calling attention to it will yield more downside (negative press; corporate confirmation of the "flaw"; legal liability) than upside (better secured systems; happier sysadmins)?

In retrospect, I guess I wasn't 100% wrong about the Firewire lock down, but I wasn't 100% right either. Frankly, I didn't know this was "fixable" in software. Maybe it isn't, across all Macintosh models (which could help explain Apple's lack of promotion of this enhancement). So, I'll call it a draw this time.

Update: Paul Day sends a followup:

Hi Jon,

A little more about OpenFirmware/Firewire security.

First off, I tried not too get too far into the nitty-gritty in the paper, so yes, it probably does appear a little off-hand. My aim was obviously to say "this stops it".

The only evidence I have seen of the "fix" was in Darwin's source-code - ie, nothing official from Apple.

It first appeared in IOFireWireFamily v122.4.2 (Darwin v6.2/Mac OS X 10.2.2) which was release Novemeber 2002. That was obviously a few months after MacHax Best Hack Contest 2002 where Quinn released his FireStarter hack.

The file in question is within IOFireWireFamily.kmodproj/OFireWireFamily-140.4.0/IOFireWireFamily.kmodproj/IOFireWireController.cpp of the IOFireWireFamily package.

The code where it checks OpenFirmware is:

IORegistryEntry * options = IORegistryEntry::fromPath( "/options", gIODTPlane );{
if( options != NULL ) {
  OSString * securityModeProperty = OSDynamicCast( OSString, options->getProperty("security-mode") );
  if( securityModeProperty != NULL && strcmp("none", securityModeProperty->getCStringNoCopy()) != 0 ) {
    // set security mode to secure/permanent
    mode = kIOFWSecurityModeSecurePermanent;
  }
  options->release();
  options = NULL;
}

Basically, "If OPFW varibale 'security-mode' is set to anything other than 'none', disable physical memory access." There are three (defined) levels in the OpenBoot/Firmware standard:

  • none = Can do anything and everything without authentication.
  • command = Boot normally without a password. Require a password for anything other than default boot options.
  • full = Require a password to get past OPFW.

I found it interesting that this security feature was pretty much undocumented so I meticulously downloaded every Darwin package (all 145 of them - they don't seem to be made available in a single tarball) and went off looking for any other undocumented side-effecets of enabling an OPFW password.

Sadly, there was nothing. :)

Oh, and as far as I'm aware - yes, this fixes every Mac that has Firewire400 and uses OpenFirmware (every Mac since '99?).

Cheers, Paul

Friday, November 12, 2004
12:00 AM

Overview
Focus of this site
Contact Me
Topics
RSS Feed
Linkblog
Twitter

Most Popular
PSIG 125: Thu Jul 2 2009
C4 Blitz Talks
apple's antiCAPSLOCK
PSIG 123: Thu May 7 2009
PSIG BYOB (and Food)
PSIG 122: Thu Apr 2 2009
PSIG 121: Thu Mar 5 2009
PSIG 120: Thu Feb 5 2009
PSIG 124: Thu Jun 4 2009
Programmers Don't Like to Code
C4[1] Videos Available
Intel-based Mac Boot Incompatibility
Google Cache Hacking
C4[2] Registration Open
Textcast: The Story

Recently Updated
Wed, Jul 01: Programming Special Interest Group
Tue, Jun 02: PSIG 124: Thu Jun 4 2009
Wed, Dec 24: Ralph Rentzsch 1925-2008
Wed, Dec 24: Textcast: The Story
Sun, Nov 16: Open Radar

Weblogs I Read
Andy Finnell
Bill Bumgarner
Brent Simmons
Daniel Jalkut
Dave Dribin
Eric Albert
Eric Rescorla
Eric Sink
Greg Miller
Gus Mueller
Jeremy Zawodny
John Gruber
Mark Dalrymple
Michael Tsai
Peter Ammon
Raymond Chen
Ryan Wilcox
Scott Stevenson
Steven Frank
The Daily WTF
we hates software
Wil Shipley

Copyright © 1997-2009 Jonathan 'Wolf' Rentzsch. All rights reserved.
Questions? Comments? Contact Me.