Phil Rhodes explores the potential security problem which Thunderbolt-equipped computer users should be aware of as the Mac Pro goes slot-less
With the recent announcement of the new Mac Pro, which lacks conventional PCI Express expansion slots, there has been more interest than ever in Thunderbolt, the current darling of the computer world – or at least the Apple Mac world. It's not at all surprising that Thunderbolt is such a hot topic, given that it can carry over a gigabyte of data per second - which is something we've not seen before. There is, however, at least one small potential security problem which Thunderbolt-equipped computer users should be aware of. I'm not aware of anything having exploited the issue yet, but that's probably the best time to become aware of a trap.
Thunderbolt achieves its performance by basing its operation on the extremely capable PCI Express bus. Although Thunderbolt isn't as capable as even the medium-sized 4-lane PCIe connectors within most workstations, it enjoys exactly the same engineering limitations – or, more to the point, lack thereof – which apply to plug-in cards. What's important to understand here is that PCIe buses and their predecessor, PCI, were designed for internal use, the assumption being that security was largely ensured by physical access restrictions. It's impossible to remove a PCIe card from its slot, or insert a new one, without substantially disassembling the host computer, which is a pretty conspicuous piece of behaviour from a criminal-activity point of view. Based partly on this assumption, PCIe devices have the ability to access any area of the host computer's memory, at will and without restriction.
Compare this to the situation faced by malicious software. On modern operating systems, each piece of software exists within a restricted chunk of memory, reserved for its use only, and is not permitted to access memory outside that area. Certain types of software, such as device drivers which act as a translation layer between software and specific pieces of hardware, must be allowed to access memory outside the usual ranges, but this behaviour is strictly controlled. These restrictions are enforced by the processor, in silicon, and are designed to be difficult to circumvent. Anyone who remembers the 286 and 386 processors of the early 80s will recall talk of "protected mode", which is what we're talking about here.
The Rules of the Protected Mode
These rules are mainly intended to make multi-tasking operating systems, which run more than one piece of software simultaneously, more reliable, by preventing a misbehaving program from overwriting information belonging to another. They also enforce a degree of security; it is supposed to be difficult, for instance, for a virus to read your bank-account details out of memory belonging to your web browser. In practice there are, necessarily, ways for users (or particularly clever viruses) to make exceptions to the restrictions, but in general a degree of discipline is enforced.
But as we saw above, a PCIe device, or by extension a Thunderbolt device, has absolutely no memory-access restrictions whatsoever. This was also true of ExpressCard, which can also include PCIe lanes, and to an extent of things like FireWire which use controller devices capable of directly accessing memory, although FireWire is really too slow to be particularly dangerous in this scenario.
It would take a moderately significant engineering effort to produce a malicious Thunderbolt device designed to make malfeasant use of this situation, but it's also entirely possible that legitimate test equipment might be co-opted to such a use. Certainly, Thunderbolt (or ExpressCard, arguably) is capable of downloading a complete image of an average laptop's memory in something well under ten seconds, given adequate storage. With laptops rarely rebooted, and programs sometimes less than ideally diligent about cleaning up memory after they're finished with it, the possibility arises that security-critical information that was last used some time ago might be at risk.
In theory, the virtual-machine hardware present in the most recent CPUs, which integrate the memory controller with the processor, might be used to isolate the Thunderbolt PCIe lanes and solve the problem. I have no idea if this will become necessary, but until we find out, best beware of sketchy-looking people bearing Thunderbolt connectors.
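As an added example, not from the article, the script below checks whether the kind of isolation just described is actually in force on a Linux host: it looks for an active IOMMU (the virtualization-hardware memory protection the paragraph refers to) and reads the Thunderbolt domain's security level. It assumes the sysfs attributes exposed by Linux's thunderbolt driver and does not apply to the Mac Pro itself; the root-directory argument is there so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the article): report whether a Linux host mitigates
# DMA from Thunderbolt devices. Assumes Linux with the thunderbolt driver and
# its documented sysfs attributes. The root argument is normally "" (the live
# system) but lets the checks run against a constructed directory tree.

# Print a sysfs attribute without its newline, or "unknown" if it is absent.
read_attr() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf 'unknown'; fi
}

# An active IOMMU populates /sys/kernel/iommu_groups. Without one, every PCIe
# device, and so every Thunderbolt device, can read or write any RAM address.
iommu_active() {
    dir="$1/sys/kernel/iommu_groups"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Thunderbolt security level of a domain: "none" connects any plugged-in
# device at once; "user"/"secure" need authorization first; "dponly" carries
# only DisplayPort. Arguments: root, domain (e.g. domain0).
tb_security_level() {
    read_attr "$1/sys/bus/thunderbolt/devices/$2/security"
}

# Coarse verdict for one domain: the host is called "protected" only when an
# IOMMU is active and devices are not auto-connected (level != none).
tb_dma_verdict() {
    level=$(tb_security_level "$1" "$2")
    if iommu_active "$1" && [ "$level" != none ] && [ "$level" != unknown ]; then
        printf 'protected'
    else
        printf 'exposed'
    fi
}

# Human-readable report for the live system (or a test tree).
report() {
    if iommu_active "$1"; then groups=present; else groups=absent; fi
    echo "IOMMU groups:       $groups"
    echo "Kernel DMA protect: $(read_attr "$1/sys/bus/thunderbolt/devices/$2/iommu_dma_protection")"
    echo "TB security level:  $(tb_security_level "$1" "$2")"
    echo "Verdict:            $(tb_dma_verdict "$1" "$2")"
}

# Usage: sh tb_dma_check.sh --live [domainN]
if [ "${1:-}" = --live ]; then report "" "${2:-domain0}"; fi
```

A result of "exposed" means a plugged-in Thunderbolt device would get the unrestricted memory access the article describes; "protected" means the kernel has an IOMMU between the device and RAM and will not connect devices without authorization.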