from the total-recall dept.
DMA attacks have never really gone out of fashion and, contrary to popular belief, do not necessarily require physical access. DMA is a misfeature designed to provide peripherals with direct, unconstrained, high-speed read-write access to the whole of a system's RAM. FireWire (IEEE 1394) and Thunderbolt are two of the more infamous avenues for attacks, but network cards and other peripherals can also have this capability. One example of abuse would be for the peripheral to read and exfiltrate private encryption keys as they rest in memory.
Eclypsium's latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.
DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system. As the name suggests, DMA attacks enable a potential attacker to read and write memory off a victim system directly, bypassing the main CPU and OS. By overwriting memory, attackers can gain control over kernel execution to perform virtually any manner of malicious activity. We collectively refer to these as Memory Lane attacks.
Swedish hardware hacker Ulf Frisk published instructions today on how to build and use a $300 device that can retrieve login passwords for Macs protected by Apple's FileVault2 disk encryption system.
Frisk's invention is named PCILeech, a device he created for carrying out Direct Memory Access (DMA) attacks, which allows an attacker to read the memory of 64-bit operating systems such as Linux, FreeBSD, macOS and Windows.
PCILeech, which only runs on Windows 7 and Windows 10 PCs, uses custom software, which users can download from GitHub. The device also runs on a custom hardware rig, and the same GitHub repo provides the list of needed components.
Frisk says he discovered this summer two design flaws in how Apple implemented FileVault2 Mac disk encryption. The researcher says he integrated these two bugs in version 1.3 of PCILeech, capable of extracting Mac passwords in cleartext.
Security researchers at the Network and Distributed Systems Security Symposium in San Diego unveiled a series of new Thunderbolt vulnerabilities collectively named Thunderclap.
We look at the security of input/output devices that use the Thunderbolt interface, which is available via USB-C ports in many modern laptops. Our work also covers PCI Express (PCIe) peripherals which are found in desktops and servers.
Such ports offer very privileged, low-level, direct memory access (DMA), which gives peripherals much more privilege than regular USB devices. If no defences are used on the host, an attacker has unrestricted memory access, and can completely take control of a target computer: they can steal passwords, banking logins, encryption keys, browser sessions and private files, and they can also inject malicious software that can run anywhere in the system.
We studied the defences of existing systems in the face of malicious DMA-enabled peripheral devices and found them to be very weak.
[...] We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA. Because this is a software model, we can easily add malicious behaviour to find and exploit vulnerabilities.
We found the attack surface available to a network card was much richer and more nuanced than was previously thought. By examining the memory it was given access to while sending and receiving packets, our device was able to read traffic from networks that it wasn't supposed to. This included VPN plaintext and traffic from Unix domain sockets that should never leave the machine.
[...] More generally, since this is a new space of many vulnerabilities, rather than a specific example, we believe all operating systems are vulnerable to similar attacks, and that more substantial design changes will be needed to remedy these problems. We noticed similarities between the vulnerability surface available to malicious peripherals in the face of IOMMU protections and that of the kernel system call interface, long a source of operating system vulnerabilities. The kernel system call interface has been subjected to much scrutiny, security analysis, and code hardening over the years, which must now be applied to the interface between peripherals and the IOMMU.
In short, consider disabling Thunderbolt drivers on important machines now.
You can read up more on Thunderclap here.
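The Thunderclap write-up above says the interface between peripherals and the IOMMU needs the same scrutiny as the system call interface, and recommends disabling Thunderbolt on important machines. The following audit helper is an added example, not code from the article or from any project it quotes; it reads the real Linux sysfs attributes (`/sys/kernel/iommu_groups`, `/sys/bus/thunderbolt/devices/domain0/security`, and each device's `authorized` file) to show whether an IOMMU is active and which Thunderbolt devices have been granted PCIe, and therefore DMA, access. The sample tree it builds is constructed data so the check can run offline.

```shell
#!/bin/sh
# Added audit helper (not from the article or the projects it quotes). Reads Linux
# sysfs for IOMMU state, the Thunderbolt domain security level, and the number of
# Thunderbolt devices authorized for PCIe/DMA. A ROOT prefix allows offline testing.

# Echo 1 when at least one IOMMU group exists, else 0.
iommu_active() {
  root="${1:-}"
  if [ -d "$root/sys/kernel/iommu_groups" ] &&
     [ -n "$(ls -A "$root/sys/kernel/iommu_groups" 2>/dev/null)" ]; then
    echo 1
  else
    echo 0
  fi
}

# Echo the domain0 security level (none/user/secure/dponly/usbonly/nopcie) or "unknown".
tb_security_level() {
  f="${1:-}/sys/bus/thunderbolt/devices/domain0/security"
  [ -f "$f" ] && cat "$f" || echo unknown
}

# Echo how many Thunderbolt devices have a non-zero 'authorized' attribute.
count_authorized_tb() {
  root="${1:-}"; n=0
  for f in "$root"/sys/bus/thunderbolt/devices/*/authorized; do
    [ -f "$f" ] || continue
    [ "$(cat "$f")" != "0" ] && n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample tree (not captured from a real machine): IOMMU on,
# 'user' security, one authorized device (0-1) and one unauthorized one (0-3).
make_sample_tree() {
  root="$1"
  mkdir -p "$root/sys/kernel/iommu_groups/0" \
           "$root/sys/bus/thunderbolt/devices/domain0" \
           "$root/sys/bus/thunderbolt/devices/0-1" \
           "$root/sys/bus/thunderbolt/devices/0-3"
  echo user > "$root/sys/bus/thunderbolt/devices/domain0/security"
  echo 1 > "$root/sys/bus/thunderbolt/devices/0-1/authorized"
  echo 0 > "$root/sys/bus/thunderbolt/devices/0-3/authorized"
}

# One-line summary; call with no argument to inspect the live host.
audit_dma() {
  root="${1:-}"
  echo "iommu_active=$(iommu_active "$root") tb_security=$(tb_security_level "$root") tb_authorized=$(count_authorized_tb "$root")"
}
```

On a live host, `iommu_active=0` or `tb_security=none` with a non-zero `tb_authorized` count is the configuration the research above warns about; `iommu_active=1` alone is not sufficient, since the paper's attacks work against enabled IOMMUs.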
(Score: 0) by Anonymous Coward on Saturday February 01, @03:44PM (3 children)
What a world we live in, where achieving decent computing performance is called a "misfeature".
(Score: 2) by canopic jug on Saturday February 01, @04:00PM (2 children)
High-speed is, problematically, not the only characteristic there. If it were the only descriptor then maybe your point would be valid. However, it is the unconstrained aspect which has turned the combined end result into an abomination.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Saturday February 01, @04:35PM (1 child)
It (DMA) is a performance enhancement that can be misused.
It is that improper misuse that is problematic, not the basic underlying feature.
A claw hammer can be misused to perform murder. But that fact does not make a claw hammer an abomination, any more than the misuse of DMA makes DMA itself an abomination.
(Score: 2) by canopic jug on Saturday February 01, @04:43PM
In this case the DMA claw hammer is made from plain aluminum, not an alloy, and marketed as a normal hammer.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Saturday February 01, @04:17PM
The rest of the article is FUD designed to sell this new level of Microsoft's control of "their" HW to the gullible.
When you leave your laptop in such interesting places that some interested parties can even disassemble it and do interesting things to the entrails, you should believe it compromised afterwards, period. Microsoft-trademarked "security" shit notwithstanding. The only party they can secure the device against, is the sucker who bought it.