Fire Wire - Security Issues

Security Issues

Devices on a FireWire bus can communicate by direct memory access (DMA), where a device can use hardware to map internal memory to FireWire's "Physical Memory Space". The SBP-2 (Serial Bus Protocol 2) used by FireWire disk drives uses this capability to minimize interrupts and buffer copies. In SBP-2, the initiator (controlling device) sends a request by remotely writing a command into a specified area of the target's FireWire address space. This command usually includes buffer addresses in the initiator's FireWire "Physical Address Space", which the target is supposed to use for moving I/O data to and from the initiator.

On many implementations, particularly those like PCs and Macs using the popular OHCI, the mapping between the FireWire "Physical Memory Space" and device physical memory is done in hardware, without operating system intervention. While this enables high-speed and low-latency communication between data sources and sinks without unnecessary copying (such as between a video camera and a software video recording application, or between a disk drive and the application buffers), this can also be a security or media rights-restriction risk if untrustworthy devices are attached to the bus. For this reason, high-security installations will typically either purchase newer machines which map a virtual memory space to the FireWire "Physical Memory Space" (such as a Power Mac G5, or any Sun workstation), disable relevant drivers at operating system level, disable the OHCI hardware mapping between FireWire and device memory, physically disable the entire FireWire interface, or opt not use FireWire hardware.

This feature can be used to debug a machine whose operating system has crashed, and in some systems for remote-console operations. On FreeBSD, the dcons driver provides both, using gdb as debugger. Under Linux, firescope and fireproxy exists.