[Arm-netbook] ARM's OOB para-virtualization & FreeZone in A10?
Gordan Bobic
gordan at bobich.net
Tue Jul 10 19:45:57 BST 2012
On 07/10/2012 07:17 PM, freebirds at fastmail.fm wrote:
> Gordan Bobic, I appreciate your giving more advice on AV and using AV in
> Firefox and Thunderbird. Yet, all of you are ignoring that AV does not
> scan BIOS, HPA of hard drives and graphic cards.
/me bashes head against his desk until it is no longer dulling the pain.
Do you have any idea how hard it is to actually modify the BIOS without
rendering the machine completely unbootable? I do not recall off the top
of my head of a single instance where some well known, widely propagated
malware infected the machine's BIOS. Flashing the wrong BIOS, even if it
is for a similar motherboard with the same chipset, will typically brick
it. Having malware that re-flashes the BIOS in a way that still has the
BIOS operational while having a malicious component in it would be way
too difficult and expensive to be worthwhile - and even then, that BIOS
infecting payload would only work on a very specific motherboard - you'd
have to do the work again for any other motherboard. Given the sheer
range of motherboards on the market today, and the rate at which the new
ones are appearing, this just isn't a feasible thing to consider.
Disk HPA is inaccessible from the userspace. It is inaccessible in just
about every way by everything, until you re-configure the disk's
firmware setting to expose the area. Suffice to say, your machine
couldn't actually run anything from the HPA because it is inaccessible,
so having malware within the HPA is going to be pretty damn ineffective
as far as attack vectors go. You could have 2-piece malware, one part
that handles the HPA re-programming and loading the stage 2, but then
the first stage of it would be detectable by normal means. In practice
it is far easier for malware to encrypt itself to hide itself, the way
graphics drivers from Nvidia are encrypted. Not that this is particularly
effective since there has to be a part that is executable to handle the
decryption, and that part will be detectable. Again, not an issue or
worth worrying about.
Similar for the graphics cards. While you could put malware into the GPU
BIOS, this comes with the same difficulties as having malware in the
motherboard BIOS.
And even if these as-good-as-impossible difficulties were overcome
because some entity with near unlimited resources REALLY has it in for
you, they would still have to plant the malware onto your machine
somehow in the first place, which should be at the very least extremely
difficult if you have done your homework right.
> I need to read articles
> on fingerprinting to ascertain whether having numerous plugins and
> addons in Firefox will enable crackers to fingerprint my browser.
Only if you go and visit their website. And the chances are that there
are at least a few thousand people around the world with the same
combination of plugins (e.g. ABP, FlashBlock and NoScript).
> Also, if the AV add-on for Firefox connects to the AV's IP address every
> time I use the browser, that would be leaving a paper trail.
AV on your machine will call home to check for signature file updates
periodically (between once/hour and once/day, typically). There is no
real way around that if you want your protection to be up to date. Every
time you use your browser your ISP keeps a log trail of everything you
did anyway. Even if you are using something like TOR, they will still at
the very least have the ability to tell that you used TOR even if they
cannot see exactly what for.
You need to ask yourself what exactly are your requirements. What attack
vectors are you aiming to protect yourself against? What level of
monitoring do you need to circumvent, over and above the inevitable and
extensive level that can be trivially performed by your ISP every time
your computer goes on the internet? If that dose of reality is
unacceptable for you, then you shouldn't be using the internet at all.
Or phones for that matter (because voice analysis could be used to
identify people). Or walking down to the shops (facial recognition from
TV images). So before you start worrying about surveillance and being
tracked, you need to establish what is acceptable for your use-case and
what isn't. And bear in mind that the chances are that no matter how
good you are, you will miss at least one CCTV camera somewhere on your
travels within minutes.
How deep is your rabbit hole?
Gordan
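The HPA point above can be checked rather than argued about: a drive with a Host Protected Area reports fewer addressable sectors than its native maximum, and on Linux `hdparm -N` prints both numbers. The following is an added example, not code from the original post or from the arm-netbook project; it parses that output and reports the size of any hidden region, so a defender (or someone imaging a disk for forensics) can tell whether the accessible capacity is smaller than the drive really is. The two `hdparm -N` outputs embedded below are constructed samples, and the `query_hpa` helper assumes the `hdparm` package is installed and that it is run as root.

```python
"""Detect a Host Protected Area (HPA) from `hdparm -N` output.

Added example, not from the original mailing-list post. `hdparm -N /dev/sdX`
prints a line of the form:

    max sectors   = <current>/<native>, HPA is <enabled|disabled>

If <current> is smaller than <native>, the sectors in between are hidden
from the OS until the drive's firmware setting is changed, which is exactly
why userspace tools (AV included) cannot see into an HPA.
"""
import re
import subprocess
from dataclasses import dataclass

# Tolerates both the "HPA is enabled/disabled" suffix and older hdparm
# versions that print only the sector counts.
HDPARM_N_RE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?"
)

# Constructed sample outputs (assumed format; not captured from a real drive).
CLEAN_SAMPLE = (
    "/dev/sda:\n"
    " max sectors   = 976773168/976773168, HPA is disabled\n"
)
HIDDEN_SAMPLE = (
    "/dev/sdb:\n"
    " max sectors   = 976000000/976773168, HPA is enabled\n"
)


@dataclass
class HpaStatus:
    device: str
    current_sectors: int   # sectors the OS can address right now
    native_sectors: int    # sectors the drive physically reports
    sector_size: int = 512  # logical sector size; 512 is assumed here

    @property
    def hidden_sectors(self) -> int:
        return max(self.native_sectors - self.current_sectors, 0)

    @property
    def hidden_bytes(self) -> int:
        return self.hidden_sectors * self.sector_size

    @property
    def hpa_present(self) -> bool:
        return self.hidden_sectors > 0


def parse_hdparm_n(device: str, text: str, sector_size: int = 512) -> HpaStatus:
    """Parse the `max sectors = a/b` line; raise if it is missing."""
    m = HDPARM_N_RE.search(text)
    if m is None:
        raise ValueError(f"no 'max sectors' line in hdparm output for {device}")
    current, native = int(m.group(1)), int(m.group(2))
    return HpaStatus(device, current, native, sector_size)


def query_hpa(device: str) -> HpaStatus:
    """Run `hdparm -N` on a real block device (needs root and hdparm)."""
    out = subprocess.run(
        ["hdparm", "-N", device], capture_output=True, text=True, check=True
    ).stdout
    return parse_hdparm_n(device, out)


def describe(status: HpaStatus) -> str:
    """Human-readable verdict, suitable for a host inventory script."""
    if not status.hpa_present:
        return f"{status.device}: no HPA, {status.native_sectors} sectors visible"
    return (
        f"{status.device}: HPA present, {status.hidden_sectors} sectors "
        f"({status.hidden_bytes / 2**20:.1f} MiB) hidden beyond sector "
        f"{status.current_sectors}"
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for dev, sample in (("/dev/sda", CLEAN_SAMPLE), ("/dev/sdb", HIDDEN_SAMPLE)):
        print(describe(parse_hdparm_n(dev, sample)))
```

The check is only as honest as the drive firmware: it compares two numbers the drive itself reports, so it catches an HPA set through the standard SET MAX ADDRESS mechanism, which is the case the post describes. When imaging a disk for analysis, the native sector count is the size to acquire, not the current one.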