A DMA attack is a side-channel attack in the field of computer security in which an attacker exploits a high-speed expansion port that allows direct memory access (DMA) to break into a computer or other device.

DMA technology allows devices connected to a computer (such as a camcorder, network card, storage device, or other accessory or built-in PC card) to read and write main memory directly over the hardware, without any supervision or intervention by the operating system, in order to maximize data transfer speed. Legitimate accessories and connections that use DMA already exist, but an attacker can use the same mechanism to build a malicious accessory that, once connected to such a port, can directly access some or all of the computer's physical memory address space. This bypasses all operating system security mechanisms and any lock screen, and allows the attacker to read everything the computer is doing, steal data or keys, install or run spyware or other exploits, and modify the system to install software backdoors or other malware.

Physically restricting access to such ports prevents DMA attacks. On many computers, DMA-capable connections can also be disabled in the BIOS or UEFI firmware, which reduces or eliminates exposure to such attacks.

Connections that use DMA technology and are potentially vulnerable include FireWire, CardBus, ExpressCard, Thunderbolt, USB 4.0, PCI, PCI-X, and PCI Express, among others.

Overview

In modern operating systems, non-system-level (i.e., user-mode) applications cannot access any memory location that has not been explicitly authorized through the virtual memory controller (the memory management unit, MMU). Besides preventing the damage that software bugs could cause and allowing physical memory to be used more efficiently, this architecture is part of the operating system's security. However, kernel-mode drivers, many hardware devices, and user-mode vulnerabilities allow direct, unimpeded access to the physical memory address space. That address space includes all of main system memory as well as memory-mapped buses and hardware devices, which the operating system controls with reads and writes much like ordinary memory.

Although the OHCI 1394 specification allows devices to bypass the operating system and access physical memory directly for performance reasons, without any security restrictions, SBP2 devices can easily be spoofed, tricking the operating system into allowing an attacker to read and write physical memory and thereby gain unauthorized access to sensitive data held there.

Systems with FireWire, ExpressCard, Thunderbolt, or other expansion ports (including the ubiquitous PCI and PCI Express) may be vulnerable to DMA attacks from external devices, because a connected device can access the physical memory address space directly rather than the protected virtual address space. Even a system without a FireWire port of its own may be vulnerable if it allows a FireWire adapter to be installed through a PCMCIA / CardBus / PC Card or ExpressCard slot.

Use

An attacker could use social engineering to send a malicious Thunderbolt device to a "lottery winner." Once connected to a computer, the device has direct, unhindered access to the physical address space, bypassing nearly all operating system security measures, and can read encryption keys, install malware, or take control of other system devices. If the attacker has physical access to the target computer, the attack is just as easy to carry out.

In addition to the malicious uses above, DMA can also be used for legitimate purposes such as kernel debugging.

A tool called Inception can carry out this attack. The well-known spyware FinFireWire can likewise gain unauthorized access to running Windows, Mac OS or Linux computers.

Mitigation

Physical security measures against potentially malicious devices can prevent DMA attacks.

Kernel-mode drivers hold many privileges that can compromise system security, so only trusted, bug-free drivers should be loaded. For example, newer 64-bit versions of Microsoft Windows require drivers to be tested and digitally signed by Microsoft, and refuse to install any driver that is not digitally signed.

An input-output memory management unit (IOMMU) applies the concept of virtual memory to this kind of system bus; it can be used to close this security hole and also improves system stability. Intel's IOMMU technology is called VT-d and AMD's is called AMD-Vi. Linux and Windows 10 support these IOMMU technologies and use them to block unauthorized I/O transactions.

Newer operating systems may also provide their own protection against DMA attacks. Recent Linux kernels include an option to disable DMA by FireWire devices without affecting other functionality. Microsoft Windows 8.1 can block access to the DMA ports of an unattended device while its console is locked. As of 2019, however, mainstream operating systems had yet to address the vulnerabilities created by the complex interactions between multiple emulated peripherals that a malicious device can exploit.

Another mitigation is to avoid keeping sensitive data in unencrypted memory. Measures that only prevent the reading of memory contents are not comprehensive, however, because writes through DMA can achieve code injection and thereby compromise storage that seemed safe because it lies outside memory. One such example is TRESOR-HUNT, which, by overwriting parts of the operating system, can expose encryption keys that are never stored in physical memory but only in certain CPU registers.

For concerned users, Microsoft recommends changing the default configuration of Windows.
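The mitigations above (an active IOMMU, a non-permissive Thunderbolt security level, and the Linux option that controls FireWire remote DMA) can be audited on a Linux host. The following is an added example, not part of the original article: the sysfs, /proc and /boot paths are the real kernel interfaces, the `make_fixture` tree is constructed here for offline demonstration, and the function names are the author's own.

```shell
# Added example, not from the article: audit a Linux host for the DMA
# mitigations the text describes. Real sysfs/proc/boot paths, read relative
# to $1 so the check can also run against a constructed fixture tree.
dma_audit() {
  root="${1:-}"; status=0

  # 1. An active IOMMU (VT-d / AMD-Vi) appears as entries under
  #    /sys/class/iommu; nothing there means peripheral DMA is not remapped.
  if [ -n "$(ls -A "$root/sys/class/iommu" 2>/dev/null)" ]; then
    echo "OK   IOMMU active: $(ls "$root/sys/class/iommu" | tr '\n' ' ')"
  else
    echo "FAIL no active IOMMU (enable VT-d/AMD-Vi in firmware and kernel)"; status=1
  fi

  # 2. Thunderbolt security level per domain: "none" lets any hot-plugged
  #    device start DMA at once; user/secure/dponly/usbonly restrict it.
  found_tb=0
  for f in "$root"/sys/bus/thunderbolt/devices/domain*/security; do
    [ -f "$f" ] || continue
    found_tb=1; level="$(cat "$f")"; dom="$(basename "$(dirname "$f")")"
    if [ "$level" = "none" ]; then
      echo "FAIL Thunderbolt $dom security level: none"; status=1
    else
      echo "OK   Thunderbolt $dom security level: $level"
    fi
  done
  [ "$found_tb" -eq 1 ] || echo "INFO no Thunderbolt domains present"

  # 3. FireWire: CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y lets other 1394 nodes read
  #    and write host memory (meant for remote debugging); it should be unset.
  for cfg in "$root"/boot/config-*; do
    [ -f "$cfg" ] || continue
    if grep -q '^CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y' "$cfg"; then
      echo "FAIL $(basename "$cfg"): FireWire remote DMA enabled"; status=1
    else
      echo "OK   $(basename "$cfg"): FireWire remote DMA disabled"
    fi
  done
  return "$status"
}

# Constructed fixture tree in which every check fails, for offline demonstration.
make_fixture() {
  mkdir -p "$1/sys/class/iommu" "$1/sys/bus/thunderbolt/devices/domain0" "$1/boot"
  printf 'none\n' > "$1/sys/bus/thunderbolt/devices/domain0/security"
  printf 'CONFIG_FIREWIRE_OHCI_REMOTE_DMA=y\n' > "$1/boot/config-fixture"
}
# Usage: dma_audit                                       (live host, read-only)
#        d=$(mktemp -d); make_fixture "$d"; dma_audit "$d"   (fixture tree)
```

On a live host the function only reads files, and a non-zero exit status marks at least one failed check.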

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

Origin blog.csdn.net/weixin_40191861/article/details/132250196