1. 12

“Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec.”

  2. 3

    Ah! Clever! Using something like an IO-MMU (Intel VT-d, AMD-Vi) would probably solve this little problem. The IO-MMU is a virtual address translator for DMA, so you can enforce that the device can only read and write certain pages in memory, not any of them. The idea is that this would help manage virtualized devices and allow them to use some form of DMA with a hypervisor, but I find the virtualization argument for it rather short-sighted. We can use it to better secure a general-purpose, single-instance, mostly-single-user OS too!

    1. 2

      As I read it – this means that if your computer is on, your full disk encryption is useless against this tool? Seems incredibly scary.

      1. 6

        Except on OS X, where enabling full disk encryption automatically disables DMA for FireWire/Thunderbolt.

        Caveats

        OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled.

        If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

      2. 2

        Well, just need to find a FireWire cable and test :) Kind of want to see this thing with my own eyes :)

        1. 1

          Would love to see a demo if you end up doing this.
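
For the IO-MMU point raised earlier in the thread, here is a defender-side check (an added example, not code from Inception or from any commenter) that reports whether a Linux host has FireWire drivers loaded without an IOMMU restricting device DMA. It assumes the standard `/proc/cmdline`, `/proc/modules` and `/sys/kernel/iommu_groups` interfaces; the function names and sample inputs are constructed for illustration, and the IOMMU test is a heuristic, not proof that the FireWire controller is confined.

```python
import os

# Linux FireWire (IEEE 1394) driver modules; firewire_sbp2 is the SBP-2 driver.
FIREWIRE_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2"}
# Boot parameters that leave host-owned devices identity-mapped (no DMA filtering).
PASSTHROUGH = {"iommu=pt", "iommu.passthrough=1"}

def loaded_firewire_modules(proc_modules):
    """Return the FireWire drivers named in /proc/modules text."""
    names = {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}
    return sorted(names & FIREWIRE_MODULES)

def iommu_restricts_dma(cmdline, group_count):
    """Heuristic: IOMMU groups exist and passthrough mode was not requested."""
    return group_count > 0 and not (set(cmdline.split()) & PASSTHROUGH)

def assess(cmdline, proc_modules, group_count):
    """Combine both signals into a small posture report."""
    fw = loaded_firewire_modules(proc_modules)
    restricted = iommu_restricts_dma(cmdline, group_count)
    return {"firewire_modules": fw,
            "iommu_restricts_dma": restricted,
            "exposed": bool(fw) and not restricted}

def read_text(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def count_iommu_groups(root="/sys/kernel/iommu_groups"):
    # One numbered directory per group appears here when an IOMMU is initialised.
    try:
        return len(os.listdir(root))
    except OSError:
        return 0

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_MODULES = (
    "firewire_sbp2 24576 0 - Live 0x0000000000000000\n"
    "firewire_ohci 40960 0 - Live 0x0000000000000000\n"
    "firewire_core 65536 2 firewire_sbp2,firewire_ohci, Live 0x0000000000000000\n"
    "ext4 737280 1 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_CMDLINE, SAMPLE_MODULES, 0))
    print("host:  ", assess(read_text("/proc/cmdline"),
                            read_text("/proc/modules"), count_iommu_groups()))
```
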