
posted by Fnord666 on Saturday February 01 2020, @03:24PM
from the total-recall dept.

DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed to provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. FireWire (IEEE-1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would be for the peripheral to read and exfiltrate private encryption keys as they rest in memory.

Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.

DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.
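As an added defender-side check (not part of the story or of Eclypsium's research), the following POSIX shell script reads a Linux host's sysfs to report whether an IOMMU is active and which security level the Thunderbolt domain enforces, the two knobs that decide whether a peripheral's DMA is actually constrained. The optional root argument is an assumption that lets the audit run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: read-only audit of a Linux host's DMA-protection posture.
# Paths are the standard Linux sysfs locations; the ROOT argument is an
# assumption so the functions can be exercised against a constructed tree.

iommu_group_count() {
  # Count IOMMU groups; zero means devices are not behind an IOMMU at all.
  dir="${1:-/}/sys/kernel/iommu_groups"
  n=0
  if [ -d "$dir" ]; then
    for g in "$dir"/*; do
      [ -e "$g" ] && n=$((n + 1))
    done
  fi
  echo "$n"
}

thunderbolt_security() {
  # Print the Thunderbolt domain's security level (none, user, secure,
  # dponly, usbonly) or "absent" when the host has no Thunderbolt domain.
  f="${1:-/}/sys/bus/thunderbolt/devices/domain0/security"
  if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

dma_verdict() {
  # Combine both checks into one verdict line for an inventory script.
  root="${1:-/}"
  groups=$(iommu_group_count "$root")
  tb=$(thunderbolt_security "$root")
  if [ "$groups" -eq 0 ]; then
    echo "AT-RISK: no IOMMU groups, peripherals have unrestricted DMA"
  elif [ "$tb" = "none" ]; then
    echo "AT-RISK: IOMMU active but Thunderbolt security level is 'none'"
  else
    echo "OK: $groups IOMMU groups, Thunderbolt security '$tb'"
  fi
}

dma_verdict "$@"
```

An IOMMU only helps if the firmware and OS actually enable it and nothing with firmware-level access can reconfigure it, which is the point the research above makes.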

Earlier on SN:
Thunderbolt Enables Severe Security Threats (2019)
$300 Device Can Steal Mac FileVault2 Passwords (2016)


  • (Score: 2) by RS3 (6367) on Sunday February 02 2020, @12:13AM (#952556)

    Sort of but not really. That's more about the CPU communicating with a channel controller, which then gives some device access to the channel (bus). In the PC, the CPU does this directly most of the time. But to allow the CPU to do more important CPU work rather than sit waiting for some external thing to happen, some architectures use channel controllers, which may or may not use DMA.

    DMA is where the CPU tells a device's controller to go ahead and access memory directly and get or put data into RAM without CPU intervention.

    An example in PC land is a SCSI or very modern SATA / SAS / Fibre Channel interface where a command is given to the hard disk controller to go get some data, then signal back when the data is ready, rather than the CPU sitting waiting for the needed data. Generally called "command queuing".

    More along the lines of DMA, IBM had a thing called "cycle steal adapter" https://en.wikipedia.org/wiki/Cycle_stealing

    DMA was originally used in the 4.77 MHz Intel 8088 IBM PC because DMA was faster than having the CPU do I/O operations, and used mostly for hard disk controllers, although parallel ports can use DMA.

    Somewhat ironically, the next generation 80286 PC / AT, even at only 6 MHz, being a fully 16-bit I/O machine, could do hard disk I/O faster using CPU I/O than DMA could do. When PCI came out, the DMA spec. got much faster again, so DMA became useful again.

  • (Score: 4, Insightful) by Dr Spin (5239) on Sunday February 02 2020, @07:29AM (#952660)

    SCSI is effectively the same thing as an IBM mainframe channel controller. The SCSI controller uses the DMA to move data into/out of memory - not just the disk contents - in some cases, it can use DMA to fetch the SCSI instructions to the disk controller, and return information on the outcome of performing the instructions.

    Everyone who knows anything about the subject has known since the PDP-11 (i.e. about 1970) that DMA can be a security risk in a multi-user environment, and the only way to avoid this is suitably designed hardware.
    An IOMMU is supposed to be part of this "suitably designed hardware". A lot hangs on who can alter the IOMMU's configuration.

    It is beginning to look like "suitably designed hardware" excludes Intel architecture. SCSI, channel controllers and DMA all exist in parallel universes where Intel is regarded as an overpriced bad risk which consumes too much power, just as they used to exist in a universe where "Unix is snake oil".

    --
    Warning: Opening your mouth may invalidate your brain!