Theoretical Question ?

Discussion in 'all things UNIX' started by rrrh1, Aug 28, 2015.

  1. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    Theoretical Question ?

    Conditions:

    Something like Lightweight Portable Security or basically any Linux distribution on CD / DVD can't be written to if the disk is closed.

    With all of the problems lately with malware / BIOS (Lenovo LSE) attacks and such:

    1. Build a computer without any internal storage (No HDD or SSD).

    2. Then equip this computer with 32 GB of RAM.

    3. A DVD / BD (not a writer - R ) drive.

    4. Maybe use an older motherboard without Unified Extensible Firmware Interface (limited space to store malware and possibly a jumper to prevent writing to the BIOS ROM, may be hard to find now).

    5. Boot a Linux disk and run everything in memory.

    You would only be vulnerable while the machine was running; rebooting would be a clean slate.

    Except for something being stored in the BIOS or device firmware, could ANY malware survive a reboot?

    rrrh1 (arch1)
     
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    I think there is malware that can stay inside the RAM?

    Besides that it could infect other devices in your network which then re-infect your system after reboot.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    1 - Why go through all this trouble? For a BIOS malware? Seems like just buying a $200 BIOS chip with coreboot is way better. Not to mention, the Lenovo bootkit worked only on Windows.

    2 - Why 32 GB of RAM?

    3 - Just using a distro like Debian or Arch or Gentoo with the hardened kernel (grsecurity + PaX) is probably enough to keep you 99% safe. Then use Iceweasel with Firejail, to prevent exploits.
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Chromebook/Chromebox/Chromebit is already doing exactly what is described with the browser settings kept in the cloud and cloud storage. I'm still considering going that way or if I can ever get ChromiumOS installed on my machine.

    @zakazak The 'in memory attack' on Kaspersky was described as: every computer on a network would have to be shut down, and then you could restart them all to clear the exploit. But first you have to know it's there. Kaspersky doesn't even know how long they were being spied on, though once they found out they watched it look around for some time (weeks/months) before eradicating it.
     
    Last edited: Aug 28, 2015
  5. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    I was trying to figure a way around any zero-day malware.
    32 GB was just a number; I thought with more RAM I could load more, maybe even a ramdisk.
    I could not figure a way for anything to survive a reboot except if it hid in the BIOS or some device firmware.

    I have read of a concept malware that hides itself in the firmware of the video card but could not find a link.

    This is all theoretical just trying to think of some other way to make malware persistent.

    No Hard Disk or USB storage to write to.
    The Boot disk is read only.
    Every operation would have to be carried out in RAM.
    If a malware was found and ran, where would it store itself in order to run at the next boot?

    This is for later thought...
    Would every boot be clean and how could we verify there was not any malware running ?
    How could we be sure the distribution we are using has no unintended malware ?

    Wanted more thinkers...

    Looks like I forgot the Network...

    How about the Router how safe is it ?

    Think some more...

    Thanks...

    rrrh1 (arch1)
     
    Last edited: Aug 28, 2015
  6. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Btw I think I once read (or watched a documentary) that some countries have such fast internet that they literally store no data on their PC. They simply re-download/execute after a reboot.

    This is something you might want to consider as well. For example, running the same live CD with the same browser will give you the same outdated browser again and again and again. Instead you could execute a script after booting which instantly downloads the latest portable Firefox/archive app/etc so you have the latest version in your RAM when you need it.
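    One thing a re-download-on-every-boot script needs that the post above does not mention is a check that what came down the wire is what you intended to run; otherwise the RAM-only setup just moves the trust problem onto the network. The following is an added example (not code from this thread or from any distribution) of pinning a SHA-256 digest and refusing to unpack an archive that does not match. The archive, its contents and the digest are constructed inside the demo; a real deployment would pin the hash of the release it actually ships.

```python
"""Verify a downloaded archive against a pinned SHA-256 before unpacking it.

Added example, not code from the forum thread. The archive and digest are
constructed in demo(); the pinned value in practice comes from the release
you decided to trust, stored somewhere the running system cannot alter.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file so a large archive is not read into memory twice."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """True only if the file matches the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.lower())


def extract_if_verified(archive_path, expected_sha256, dest_dir):
    """Unpack into dest_dir only after the digest check passes.

    Returns the list of extracted member names, or None if verification failed
    (in which case nothing is touched on disk or in RAM).
    """
    if not verify_download(archive_path, expected_sha256):
        return None
    os.makedirs(dest_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        names = [m.name for m in tar.getmembers()]
        try:
            # Python >= 3.12 (and backports) refuses absolute/parent paths here
            tar.extractall(dest_dir, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest_dir)
    return names


def build_constructed_archive(dest_dir):
    """Constructed sample standing in for a 'portable app' download."""
    archive = os.path.join(dest_dir, "portable-app.tar.gz")
    payload = b"#!/bin/sh\necho hello from the portable app\n"
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo("app/run.sh")
        info.size = len(payload)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(payload))
    return archive


def demo():
    """Good archive unpacks; a tampered copy is rejected before extraction."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_constructed_archive(tmp)
        pinned = sha256_of_file(archive)  # stand-in for the operator's pinned digest
        good = extract_if_verified(archive, pinned, os.path.join(tmp, "good"))
        with open(archive, "ab") as f:      # simulate a modified download
            f.write(b"\x00")
        bad = extract_if_verified(archive, pinned, os.path.join(tmp, "bad"))
        return good, bad


if __name__ == "__main__":
    print(demo())  # (['app/run.sh'], None)
```

The comparison uses `hmac.compare_digest` rather than `==` out of habit for anything that resembles a secret comparison; the more important property is that the pinned digest lives on the read-only boot medium, not in the same RAM the script runs from.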
     
  7. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    Since we are straying from this part of the forum (all things UNIX) this may need to be moved.

    To a more general security section.

    rrrh1 (arch1)
     
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    If it was executed as root then it could hide anywhere in the filesystem. But I don't think anyone is stupid enough to execute random code as root, and that includes you ;) You won't, right? You'll use only reviewed programs, and not download anything from the web and execute it.

    But if you have the right mitigations in place you won't need to worry about them and use this crazy-nut setup.

    Rkhunter can do that, IIRC. First you create a "trusted database fingerprint", and then (at any time) you can compare the stored fingerprint with the current fingerprint to see if something has changed.

    We can't. It's impossible to read the source code of every application there is. BUT, since the source code is open people can read what really matters in security, like the network-stack or crypto-modules, for example.

    Depends on the model, the firmware....
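    The "trusted database fingerprint" step described above, and the question from earlier in the thread about how to verify a boot is clean, both come down to a baseline-and-compare file integrity check. Here is an added example of that logic (not rkhunter's own code): it fingerprints every regular file under a root, stores hash, size and mode, and reports files that were added, removed or changed and which property gave them away. The directory tree and the simulated tampering are constructed inside the demo.

```python
"""Baseline-and-compare file integrity check (added example, not rkhunter's code).

The demo builds a constructed tree, takes a baseline, then simulates three
kinds of change an integrity checker must catch: a same-size content swap,
a permission change, and a dropped/removed file.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Properties an intruder must leave intact to stay unnoticed: hash, size, mode."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this copy on read-only media, not on the checked host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report added and removed paths, and for changed paths which properties differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed tree, baseline, simulated tampering, then the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "ls"), b"original ls\n")
        _write(os.path.join(root, "bin", "ps"), b"original ps\n")
        _write(os.path.join(root, "bin", "cat"), b"original cat\n")
        baseline_file = os.path.join(root, "..", "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # same byte length, different content: size alone would miss this
        _write(os.path.join(root, "bin", "ps"), b"trojaned ps\n")
        # permission change only
        os.chmod(os.path.join(root, "bin", "cat"), 0o755)
        # a removed binary and a new file dropped into the tree
        os.remove(os.path.join(root, "bin", "ls"))
        _write(os.path.join(root, "tmp_dropper"), b"x")

        result = compare(load_baseline(baseline_file), build_baseline(root))
        os.remove(baseline_file)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat for the RAM-only setup in this thread is that the baseline has to be stored somewhere the running system cannot rewrite (on the closed disc itself, or printed), otherwise anything that compromises the live session can simply update the fingerprints along with the files.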
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada