DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. Firewire (IEEE-1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would for the peripheral to read and exfiltrate private encryption keys as they rest in memory.
Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.
DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.
Earlier on SN:
Thunderbolt Enables Severe Security Threats (2019)
$300 Device Can Steal Mac FileVault2 Passwords (2016)
(Score: 4, Interesting) by sjames on Saturday February 01 2020, @08:05PM
Then, just to make matters worse, just as the IOMMU becomes more commonly supported, Intel decides to implement the Management Engine that can bypass it and provide a nice and safe place to tuck a persistent threat into. And the cherry on top is that they designed systems so that if you disable the ME, the thing won't boot at all. And it doesn't even help performance.