DMA attack
In computer security, a DMA attack is a type of side channel attack in which an
attacker with direct access to the physical memory address space of the computer
corrupts basic OS security mechanisms or steals cryptographic keys.
In modern operating systems, non-system (i.e. user-mode) applications are
prevented from accessing any memory locations not explicitly authorized by the
virtual memory controller (the MMU, or Memory Management Unit). In addition to
containing damage from inadvertent software bugs and allowing more efficient use
of physical memory, this architecture forms an integral part of the security of
a modern operating system. However, kernel-mode drivers, many hardware devices,
and occasional user-mode vulnerabilities allow direct, unimpeded access to the
physical memory address space. The physical address space includes all of the
main system memory, as well as memory-mapped buses and hardware devices (which
the operating system controls through reads and writes as if they were ordinary
RAM).
The OHCI 1394 specification allows devices, for performance reasons, to bypass
the operating system and access physical memory directly without any security
restrictions. But SBP2 devices can easily be spoofed, allowing an operating
system to be tricked into letting an attacker both read and write physical
memory, and thereby gain unauthorised access to sensitive cryptographic
material in memory.
Systems may still be vulnerable to a DMA attack by an external device if they
have a FireWire, ExpressCard, Thunderbolt, or other expansion port that, like
PCI and PCI-Express in general, connects attached devices directly to the
physical address space. Therefore, systems that do not have a FireWire port may
still be vulnerable if they have a PCMCIA or ExpressCard port that would allow
an expansion card with a FireWire port to be installed.
Uses
An attacker could, for example, use a social engineering attack and send a "lucky
winner" a rogue Thunderbolt device. Upon connecting to a computer, the device,
through its direct and unimpeded access to the physical address space, would be
able to bypass almost all security measures of the OS and have the ability to
read encryption keys, install malware, or control other system devices. The
attack can also easily be executed where the attacker has physical access to the
target computer.
In addition to the above-mentioned nefarious uses, there are some beneficial
uses too, since the same DMA features can be used for kernel debugging purposes.
There is a special tool called Inception for this attack, which only requires a
machine with an expansion port susceptible to this attack.
Mitigations
Kernel-mode drivers have broad power to compromise the security of a system, and
care must be taken to load only trusted, bug-free drivers. For example, recent
versions of Microsoft Windows require drivers to be tested and digitally signed
by Microsoft, and prevent any non-signed drivers from being installed.
IOMMU and VT-d are recently introduced technologies that apply the concept of
virtual memory to such system buses, and may be used to close this security
vulnerability (as well as increase system stability). However, they are mostly
used instead to give guest virtual machines passthrough access to host hardware.
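The mitigations above (an active IOMMU, restricting what an expansion port such as Thunderbolt or FireWire may attach) can be checked on a running Linux host. The following audit script is an added example and is not code from the article or from any project it names; it reads the kernel's sysfs and procfs nodes (`/sys/class/iommu`, the Thunderbolt `security` attribute, `/proc/modules`) and the verdict wording, function names and constructed sample module listing are this script's own assumptions.

```shell
#!/bin/sh
# Added example: audit a Linux host for the DMA defences discussed in the text.
# Sysfs/procfs paths are the kernel's documented nodes; ratings are our own.

# 1. IOMMU: when an IOMMU is active the kernel populates /sys/class/iommu with
#    one entry per unit (e.g. dmar0 for Intel VT-d). An empty directory means
#    device-initiated DMA is not remapped, so devices see raw physical memory.
iommu_active() {
    dir="${1:-/sys/class/iommu}"          # path argument only for testing
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -e "$entry" ] && return 0
    done
    return 1
}

# 2. Thunderbolt: each domain exposes a 'security' attribute. 'none' attaches
#    any device with full PCIe (hence DMA) access; 'user'/'secure' require the
#    device to be authorized first; 'dpcp', 'usbonly' and 'nopcie' withhold
#    PCIe tunnels altogether. Prints a coarse rating for the given level.
tb_security_rating() {
    case "$1" in
        none)                 echo "weak" ;;
        user|secure)          echo "authorize" ;;
        dpcp|usbonly|nopcie)  echo "strong" ;;
        *)                    echo "unknown" ;;
    esac
}

# 3. FireWire: the OHCI-1394 and SBP-2 drivers are what give an attached 1394
#    device the physical-memory access described above. Returns 0 if any of
#    them appears in a /proc/modules-style listing passed as $1.
firewire_drivers_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(firewire_ohci|firewire_sbp2|ohci1394|sbp2) '
}

# Run all three checks against the live system and print a report.
audit_host() {
    if iommu_active; then
        echo "IOMMU: active"
    else
        echo "IOMMU: not active (device DMA is not restricted)"
    fi
    for dom in /sys/bus/thunderbolt/devices/domain*; do
        [ -r "$dom/security" ] || continue
        lvl=$(cat "$dom/security")
        echo "Thunderbolt $(basename "$dom"): security=$lvl ($(tb_security_rating "$lvl"))"
    done
    if [ -r /proc/modules ] && firewire_drivers_loaded "$(cat /proc/modules)"; then
        echo "FireWire: OHCI/SBP-2 drivers loaded (consider blacklisting)"
    else
        echo "FireWire: drivers not loaded"
    fi
}

# Constructed sample /proc/modules listing (not captured from a real host), so
# the FireWire check can be exercised without the hardware present.
SAMPLE_MODULES='firewire_sbp2 24576 0 - Live 0xffffffffc0a00000
firewire_ohci 45056 0 - Live 0xffffffffc09f0000
firewire_core 69632 2 firewire_sbp2,firewire_ohci, Live 0xffffffffc09d0000'

audit_host
```

Running it as root (or any user able to read sysfs) prints one line per check; the functions take their input as arguments so the same logic can be pointed at a captured listing or a mounted sysfs snapshot during incident review.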
PrivateCore vCage software provides a method of securing x86 servers from DMA
attack by securing systems from potentially malicious devices and encrypting
random access memory.