DMA Attack

A DMA attack is a type of side channel attack in computer security, in which an attacker can penetrate a computer or other device by exploiting the presence of high-speed expansion ports that permit direct memory access (DMA).

DMA is included in a number of connections because it lets a connected device (such as a camcorder, network card, storage device or other useful accessory or internal PC card) transfer data between itself and the computer at the maximum speed possible, by using direct hardware access to read or write directly to main memory without any operating system supervision or interaction. The legitimate uses of such devices have led to wide adoption of DMA accessories and connections, but an attacker can equally use the same facility to create an accessory that will connect using the same port and can then potentially gain direct access to part or all of the physical memory address space of the computer, bypassing all OS security mechanisms and any lock screen, to read all that the computer is doing, steal data or cryptographic keys, install or run spyware and other exploits, or modify the system to allow backdoors or other malware.

Preventing physical connections to such ports will prevent DMA attacks. On many computers, the connections implementing DMA can also be disabled within the BIOS or UEFI if unused, which depending on the device can nullify or reduce the potential for this type of exploit. Examples of connections that may allow DMA in some exploitable form include FireWire, CardBus, ExpressCard, Thunderbolt, USB 4.0, PCI, PCI-X, and PCI Express.


Description

In modern operating systems, non-system (i.e. user-mode) applications are prevented from accessing any memory locations not explicitly authorized by the virtual memory controller (called the memory management unit (MMU)). In addition to containing damage that may be caused by software flaws and allowing more efficient use of physical memory, this architecture forms an integral part of the security of the operating system. However, kernel-mode drivers, many hardware devices, and user-mode vulnerabilities allow direct, unimpeded access to the physical memory address space. The physical address space includes all of the main system memory, as well as memory-mapped buses and hardware devices (which are controlled by the operating system through reads and writes as if they were ordinary RAM).

The OHCI 1394 specification allows devices, for performance reasons, to bypass the operating system and access physical memory directly without any security restrictions. But SBP2 devices can easily be spoofed, making it possible to trick an operating system into allowing an attacker to both read and write physical memory, and thereby to gain unauthorised access to sensitive cryptographic material in memory.

Systems may still be vulnerable to a DMA attack by an external device if they have a FireWire, ExpressCard, Thunderbolt or other expansion port that, like PCI and PCI Express in general, connects attached devices directly to the physical rather than the virtual memory address space. Therefore, systems that do not have a FireWire port may still be vulnerable if they have a PCMCIA/CardBus/PC Card or ExpressCard port that would allow an expansion card with a FireWire port to be installed.
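The distinction drawn above (a process is confined by the MMU, but a bus-master device addresses physical memory directly, and only an IOMMU puts a translation table in front of it) can be made concrete with a small model. The following Python is an added illustration, not code from the article: page size, addresses, the device name and the "secret" contents are arbitrary constructed values, and the IOMMU here is a single-level page table rather than any real vendor's design.

```python
"""Toy model: a DMA-capable device reads physical memory directly unless an
IOMMU translates (and so restricts) the addresses it is allowed to use."""
from typing import Dict, Optional, Tuple

PAGE = 0x1000  # arbitrary page size for the model


class PhysicalMemory:
    """Flat physical address space, the thing a DMA engine talks to."""

    def __init__(self, pages: int) -> None:
        self.data = bytearray(pages * PAGE)

    def read(self, paddr: int, n: int) -> bytes:
        return bytes(self.data[paddr:paddr + n])

    def write(self, paddr: int, buf: bytes) -> None:
        self.data[paddr:paddr + len(buf)] = buf


class IOMMU:
    """Per-device I/O page table: IOVA page -> physical page, or a fault."""

    def __init__(self) -> None:
        self.tables: Dict[str, Dict[int, int]] = {}  # device -> {iova_page: phys_page}

    def map_page(self, device: str, iova: int, paddr: int) -> None:
        self.tables.setdefault(device, {})[iova // PAGE] = paddr // PAGE

    def translate(self, device: str, iova: int) -> int:
        table = self.tables.get(device, {})
        if iova // PAGE not in table:
            # Unmapped access: the transaction is blocked, never reaching RAM.
            raise PermissionError(f"IOMMU fault: {device} iova={iova:#x} is unmapped")
        return table[iova // PAGE] * PAGE + iova % PAGE


class BusMasterDevice:
    """A DMA-capable peripheral. Without an IOMMU the addresses it emits are physical."""

    def __init__(self, name: str, mem: PhysicalMemory, iommu: Optional[IOMMU] = None) -> None:
        self.name, self.mem, self.iommu = name, mem, iommu

    def _resolve(self, addr: int) -> int:
        return addr if self.iommu is None else self.iommu.translate(self.name, addr)

    def dma_read(self, addr: int, n: int) -> bytes:
        return self.mem.read(self._resolve(addr), n)

    def dma_write(self, addr: int, buf: bytes) -> None:
        self.mem.write(self._resolve(addr), buf)


SECRET_PAGE = 5 * PAGE  # where, in this model, the kernel keeps a key
BUFFER_PAGE = 2 * PAGE  # the DMA buffer the driver allocated for the device
SECRET = b"constructed-key-0123456789abcdef"  # constructed sample, 32 bytes


def build_memory() -> PhysicalMemory:
    mem = PhysicalMemory(pages=8)
    mem.write(SECRET_PAGE, SECRET)
    mem.write(BUFFER_PAGE, b"\x00" * 64)
    return mem


def unprotected_read() -> bytes:
    """No IOMMU: the device reads the key straight out of physical memory."""
    dev = BusMasterDevice("hotplug-card", build_memory())
    return dev.dma_read(SECRET_PAGE, len(SECRET))


def protected_read() -> Tuple[bytes, Optional[str]]:
    """IOMMU on: the device can only touch the buffer the driver mapped for it."""
    mem = build_memory()
    iommu = IOMMU()
    iommu.map_page("hotplug-card", iova=0, paddr=BUFFER_PAGE)
    dev = BusMasterDevice("hotplug-card", mem, iommu)
    dev.dma_write(0, b"packet")  # legitimate traffic lands in the mapped buffer
    buffer = mem.read(BUFFER_PAGE, 6)
    try:
        dev.dma_read(SECRET_PAGE, len(SECRET))
        fault = None
    except PermissionError as exc:
        fault = str(exc)
    return buffer, fault


if __name__ == "__main__":
    print("without IOMMU:", unprotected_read())
    print("with IOMMU:   ", protected_read())
```

The model deliberately leaves out what a real IOMMU also does (read/write permission bits, interrupt remapping, multiple translation levels); the point it makes is only that the device's address space and the CPU's virtual address spaces are different things, and that nothing in the MMU stands between a bus master and physical RAM.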


Uses

An attacker could, for example, use a social engineering attack and send a "lucky winner" a rogue Thunderbolt device. Upon connecting to a computer, the device, through its direct and unimpeded access to the physical address space, would be able to bypass almost all security measures of the OS and have the ability to read encryption keys, install malware, or control other system devices. The attack can also easily be executed where the attacker has physical access to the target computer.

In addition to the above-mentioned nefarious uses, there are some beneficial uses too, as the DMA features can be used for kernel debugging purposes. There is a tool called Inception for this attack, only requiring a machine with an expansion port susceptible to this attack. Another application known to exploit this vulnerability to gain unauthorized access to running Windows, Mac OS and Linux computers is the spyware FinFireWire.


Mitigations

DMA attacks can be prevented by physical security against potentially malicious devices. Kernel-mode drivers have many powers to compromise the security of a system, and care must be taken to load trusted, bug-free drivers. For example, recent 64-bit versions of Microsoft Windows require drivers to be tested and digitally signed by Microsoft, and prevent any non-signed drivers from being installed.

An IOMMU is a technology that applies the concept of virtual memory to such system buses, and can be used to close this security vulnerability (as well as increase system stability). Intel brands its IOMMU as VT-d; AMD brands its IOMMU as AMD-Vi. Linux and Windows 10 support these IOMMUs and can use them to block I/O transactions that have not been allowed.

Newer operating systems may take steps to prevent DMA attacks. Recent Linux kernels include the option to disable DMA by FireWire devices while allowing other functions. Windows 8.1 can prevent access to DMA ports of an unattended machine if the console is locked. But as of 2019, the major OS vendors had not taken into account the variety of ways that a malicious device could take advantage of complex interactions between multiple emulated peripherals, exposing subtle bugs and vulnerabilities.

Never allowing sensitive data to be stored in RAM unencrypted is another mitigation avenue against DMA attacks. However, protection against reading the RAM's content is not enough, as writing to RAM via DMA may compromise seemingly secure storage outside of RAM by code injection. An example of the latter kind of attack is TRESOR-HUNT, which exposes cryptographic keys that are never stored in RAM (but only in certain CPU registers); TRESOR-HUNT achieves this by overwriting parts of the operating system. Microsoft recommends changes to the default Windows configuration to prevent this if it is a concern.
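To turn the Linux-side controls above (an active IOMMU, FireWire DMA filtering, Thunderbolt port authorization) into something checkable, here is an added Python audit routine that is not part of the article or of any OS vendor's tooling. It reads nothing from the host itself; it takes the kernel command line, dmesg lines and two sysfs values as inputs, with constructed samples embedded so it runs offline. The dmesg patterns, the sysfs paths named in the comments and the finding tags are assumptions based on current Linux kernels and may need adjusting for a given fleet.

```python
"""Audit a Linux host's DMA-protection posture from kernel command line,
dmesg lines and two sysfs values. Sample inputs below are constructed."""
import re
from typing import List, Optional

# Boot-log prefixes of the Intel (DMAR) and AMD (AMD-Vi) IOMMU drivers. The
# wording follows real kernel messages but varies across versions, so treat the
# exact patterns as an assumption and extend them as needed.
IOMMU_MARKERS = {
    "intel": re.compile(r"^DMAR: (IOMMU enabled|Intel\(R\) Virtualization Technology for Directed I/O)"),
    "amd": re.compile(r"^AMD-Vi: (Found IOMMU|Interrupt remapping enabled)"),
}
DMESG_TS = re.compile(r"^\[\s*[\d.]+\]\s*")  # the "[    0.123456] " timestamp prefix


def parse_cmdline(cmdline: str) -> dict:
    """Split /proc/cmdline into {key: value}; bare flags map to ''."""
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def iommu_vendor(dmesg_lines: List[str]) -> Optional[str]:
    """Return 'intel' or 'amd' if the boot log shows an IOMMU initialising, else None."""
    for line in dmesg_lines:
        msg = DMESG_TS.sub("", line)
        for vendor, pattern in IOMMU_MARKERS.items():
            if pattern.match(msg):
                return vendor
    return None


def audit(cmdline: str, dmesg_lines: List[str],
          tb_security: Optional[str] = None,
          fw_remote_dma: Optional[str] = None) -> List[str]:
    """Return finding tags; an empty list means nothing weak was observed.

    tb_security:   assumed to come from /sys/bus/thunderbolt/devices/domain0/security
                   ('none', 'user', 'secure', 'dponly', 'usbonly' or 'nopcie')
    fw_remote_dma: assumed to come from /sys/module/firewire_ohci/parameters/remote_dma
                   ('Y' enables unfiltered remote DMA; the kernel default is 'N')
    """
    findings = []
    params = parse_cmdline(cmdline)

    if params.get("iommu") == "off" or iommu_vendor(dmesg_lines) is None:
        findings.append("no-iommu")             # peripherals can address all of RAM
    elif params.get("iommu") == "pt":
        findings.append("iommu-passthrough")    # devices identity-mapped, translation bypassed

    if tb_security == "none":
        findings.append("thunderbolt-none")     # PCIe tunnels brought up without authorisation

    if fw_remote_dma is not None and fw_remote_dma.strip().upper() == "Y":
        findings.append("firewire-remote-dma")  # OHCI 1394 physical DMA filter disabled

    return findings


# Constructed sample inputs, not captured from a real host.
HARDENED_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.1 root=/dev/sda2 intel_iommu=on quiet"
HARDENED_DMESG = [
    "[    0.000000] Linux version 6.1.0 (constructed sample)",
    "[    0.031337] DMAR: IOMMU enabled",
]
WEAK_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.1 root=/dev/sda2 quiet"
WEAK_DMESG = [
    "[    0.000000] Linux version 6.1.0 (constructed sample)",
    "[    0.498000] firewire_ohci 0000:03:00.0: added OHCI v1.10 device",
]

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_CMDLINE, HARDENED_DMESG, "secure", "N"))
    print("weak:    ", audit(WEAK_CMDLINE, WEAK_DMESG, "none", "Y"))
```

The `iommu-passthrough` finding is worth a note: `iommu=pt` keeps the IOMMU initialised for virtualisation but identity-maps devices, so a hot-plugged peripheral may still see physical addresses; whether a given kernel exempts externally facing ports from passthrough depends on its version, so confirm on the target rather than trusting the tag alone.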


See also

* FireWire security issue
* Cold boot attack
* Pin control attack




External links


* 0wned by an iPod - hacking by Firewire: presentation by Maximillian Dornseif from the PacSec/core04 conference, Japan, 2004
* Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update)