Stories
Slash Boxes
Comments

SoylentNews is people

Direct Memory Access Attacks – A Walk Down Memory Lane

posted by Fnord666 on Saturday February 01 2020, @03:24PM   Printer-friendly
from the total-recall dept.

canopic jug writes:

DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. Firewire (IEEE-1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would for the peripheral to read and exfiltrate private encryption keys as they rest in memory.

Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.

DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.

Earlier on SN:
Thunderbolt Enables Severe Security Threats (2019)
$300 Device Can Steal Mac FileVault2 Passwords (2016)

Original Submission

 
This discussion has been archived. No new comments can be posted.
Direct Memory Access Attacks – A Walk Down Memory Lane | Log In/Create an Account | Top | 12 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Insightful) by Dr Spin on Sunday February 02 2020, @07:29AM (1 child)

    by Dr Spin (5239) on Sunday February 02 2020, @07:29AM (#952660)

    SCSI is effectively the same thing as an IBM mainframe channel controller. The SCSI controller uses the DMA to move data into/out of memory - not just the disk contents - in some cases, it can use DMA to fetch the SCSI instructions to the disk controller, and return information on the outcome of performing the instructions.

    Everyone who knows anything about the subject has known since the PDP11 (ie about 1970) that DMA can be a security risk in a multi-user environment, and the only way to avoid this is suitably designed hardware
    An IOMMU is supposed to be part of this "suitably designed hardware". A lot hangs on who can alter the IOMMU's configuration.

    It is beginning to look like "suitably designed hardware" excludes Intel architecture. SCSI, channel controllers and DMA all exist in parallel universes where Intel is regarded as an over priced bad risk which consumes too much power,
    just as they used to exist in a universe where "Unix is snake oil".

    --
    Warning: Opening your mouth may invalidate your brain!
    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4  

  • (Score: 1, Informative) by Anonymous Coward on Monday February 03 2020, @06:19AM

    by Anonymous Coward on Monday February 03 2020, @06:19AM (#953041)

    http://blog.frizk.net/2016/10/dma-attacking-over-usb-c-and.html [frizk.net]