12

Since Firewire lacks security, allowing a plugged-in device to access host memory, it's a good thing to fully disable it. If we're not using the BIOS to disable the Firewire port then how could we do it using "software methods"? The OS running on the PC is OpenBSD or Fedora or Ubuntu.

Edit: Is it sufficient to disable Firewire support in the operating system to prevent a Firewire attack device from accessing the memory? Which steps are required to prevent this kind of threat?

AviD
LanceBaynes

4 Answers

10

Software method:

  • Disable the Firewire driver / recompile kernel

Disabling the firewire driver prevents the use of any firewire device, as it disables the firewire hardware controller. In order for the attacks to work, several requirements exist: the driver must be loaded so that the controller is initialised (bus-mastering etc.), it must be configured to 'open-access' and not per-device, and DMA must be enabled (ohci1394 had a disable-DMA option).

In Ubuntu, firewire drivers are kernel modules. There is an easy way to blacklist them: open /etc/modprobe.d/blacklist-firewire.conf; there you will find a list of modules to be blacklisted.

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394
#blacklist firewire-ohci
#blacklist firewire-sbp2

Just remove the # in front of everything and save it. Then run sudo update-initramfs -k all -u

Other methods:

  • Disable the Firewire ports in BIOS
  • Seal the actual ports, as often done for USB ports in some environments.
user47093
john
  • 1
    Does merely disabling the driver prevent a Firewire device from accessing host memory? – Gilles 'SO- stop being evil' Jan 17 '12 at 12:40
  • Disabling the firewire driver does indeed prevent the use of any firewire device, as it disables the firewire hardware controller. In order for the attacks to work, several requirements exist: the driver must be loaded so that the controller is initialised (bus-mastering etc.), it must be configured to 'open-access' and not per-device, and DMA must be enabled (ohci1394 had a disable-DMA option). – john Jan 17 '12 at 13:50
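As an added illustration of the blacklist step in the answer above (this is not john's script and not an Ubuntu-shipped file), the following POSIX shell snippet writes a modprobe.d file that covers both the old module names listed in the answer (ohci1394, sbp2, dv1394, raw1394, video1394) and the newer firewire-* names, and adds an `install <module> /bin/false` line for each so that a manual `modprobe` fails as well as the automatic hotplug load. It also includes a check you can pipe `lsmod` output into to confirm nothing from the FireWire stack is currently loaded. The output path is a parameter so it can be tried on a scratch file before writing to /etc/modprobe.d/ as root.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Assumptions: a Linux host with modprobe.d and lsmod; the caller chooses
# the output path (normally /etc/modprobe.d/blacklist-firewire.conf, as root).

# Old-stack (ohci1394 etc.) and new-stack (firewire-*) module names. Both sets
# are listed because which set exists depends on the kernel version.
FIREWIRE_MODULES="ohci1394 sbp2 dv1394 raw1394 video1394 firewire-ohci firewire-sbp2 firewire-core firewire-net"

# Write a modprobe.d config that blacklists each module (no automatic load on
# hotplug) AND maps it to /bin/false so that an explicit 'modprobe' fails too.
# Prints the path written so callers can inspect it.
write_firewire_blacklist() {
    out="$1"
    : > "$out"
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$m" >> "$out"
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
    printf '%s' "$out"
}

# Read lsmod-style output on stdin and print any loaded FireWire modules,
# one per line. lsmod shows names with underscores (firewire_ohci), so the
# pattern matches that spelling. Exit status 0 if any were found, 1 otherwise.
loaded_firewire_modules() {
    awk 'NR > 1 && $1 ~ /^(ohci1394|sbp2|dv1394|raw1394|video1394|firewire_)/ { print $1; found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Typical use, as root:
#   write_firewire_blacklist /etc/modprobe.d/blacklist-firewire.conf
#   update-initramfs -k all -u      # Debian/Ubuntu (Fedora: dracut -f)
#   reboot, then: lsmod | loaded_firewire_modules   # should print nothing
```

The `install ... /bin/false` lines are the practical caveat: a plain `blacklist` entry only stops the module being loaded by alias matching when hardware appears, and a later `modprobe firewire-ohci` (or a package that loads it) would still bring the controller up. Regenerating the initramfs matters for the same reason, since the early-boot image carries its own copy of the modprobe configuration.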
3

Compiling a custom kernel that lacks device support for the firewire interface should suffice. What prevents you from restricting access to those devices by permissions settings?

Removing the driver will prevent plugged-in devices from establishing DMA transfers:

Gilles 'SO- stop being evil'
Jeff Ferland
  • @Gilles Another resource stating the same: http://support.microsoft.com/kb/2516445. DMA isn't possible until code is run on the CPU to let it happen. – Jeff Ferland Jan 17 '12 at 12:56
1

OpenBSD doesn't support Firewire by default:

https://en.wikipedia.org/wiki/Comparison_of_open_source_operating_systems#Supported_hardware

LanceBaynes
1

...you can also fine-tune access to devices using /etc/fbtab

http://www.openbsd.org/cgi-bin/man.cgi?query=fbtab&sektion=5&apropos=0&manpath=OpenBSD+Current&arch=i386

Based on a login through FireWire/USB/other ports, everything can be disabled.

maurice
  • Can you copy information from that link and edit it into your post? Links can get broken, which can make your post useless. Thanks! – Ohnana Sep 29 '15 at 19:38