In computer security, a DMA attack is an attack in which a device with direct memory access (DMA) to the computer's physical address space is used to read or write main memory behind the back of the operating system. Because such transfers are not subject to the CPU's memory protection, an attacker who controls the device can corrupt basic OS security mechanisms or steal cryptographic keys held in RAM.
In modern operating systems, applications running in user mode are prevented from accessing any memory not explicitly mapped for them: every CPU access passes through the memory management unit (MMU), which enforces the page tables maintained by the kernel. Besides containing the damage from software bugs and allowing more efficient use of physical memory, this isolation is an integral part of the security of a modern operating system. The MMU, however, only mediates accesses made by the CPU. Kernel-mode drivers, many bus-mastering hardware devices (through DMA), and the occasional privilege-escalation vulnerability in user-mode code can all reach the physical address space directly and without restriction. The physical address space includes all of the main system memory as well as memory-mapped buses and hardware devices, which the operating system controls through reads and writes as if they were ordinary RAM.
The OHCI 1394 (FireWire) host-controller specification provides, for performance reasons, a "physical DMA" mode in which requests from an attached device are translated directly into reads and writes of physical memory without passing through the operating system. The host driver enables this mode for devices that need it, in particular SBP-2 storage devices. Because an attacker's device can simply claim to be an SBP-2 device, the operating system can be tricked into granting it unfiltered read and write access to physical memory, and thereby to any sensitive cryptographic material that is in RAM.
Systems may be vulnerable to a DMA attack by an external device if they have a FireWire, ExpressCard, Thunderbolt, or other expansion port that, like PCI and PCI Express in general, connects attached devices directly to the physical address space. A system without a FireWire port may therefore still be vulnerable if it has a PCMCIA or ExpressCard slot into which a FireWire expansion card can be inserted.
An attacker could, for example, use social engineering and send a "lucky winner" a rogue Thunderbolt device. Once connected to a computer, the device, through its direct and unimpeded access to the physical address space, can bypass almost all security measures of the operating system: it can read encryption keys, install malware, or control other devices in the system. The attack is easier still where the attacker has physical access to the target computer, since a screen lock on its own does not stop an attached device from reading memory.
A tool called Inception automates this attack; it requires only that the target machine has an expansion port susceptible to it.
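What "reading encryption keys" from the acquired memory looks like in practice is shown by the following added example (it is not code from the article, from Inception, or from any other tool named here). Software that uses AES keeps the expanded key schedule in RAM, and the schedule is a deterministic function of the key, so any 176-byte run that is exactly the AES-128 schedule of its own first 16 bytes reveals a live key. The scan below searches a memory image for such runs with early rejection, so it is cheap enough to run over a full physical-memory dump. The memory image is constructed for the example: seeded random filler with one schedule embedded at an offset chosen here; the key is the FIPS-197 test vector.

```python
"""Scan a physical-memory image for AES-128 keys by locating their key schedules.

Added example, not from the original article. The image used in __main__ is
constructed: random filler with one key schedule embedded at a chosen offset.
"""
import random


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox() -> list[int]:
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator)
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse; affine map alone
    return sbox


SBOX = _build_sbox()


def _schedule(key: bytes):
    """Yield the 44 four-byte words of the AES-128 key schedule (FIPS-197 section 5.2)."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    yield from w
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                          # RotWord, SubWord, xor Rcon into first byte
            t = bytes((SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]))
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
        yield w[-1]


def expand_key(key: bytes) -> bytes:
    """Return the full 176-byte AES-128 key schedule for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    return b"".join(_schedule(key))


def find_aes128_keys(image: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, key) for every 176-byte window that is its own key schedule.

    An offset is rejected as soon as one computed schedule word differs from
    memory, so nearly every candidate costs a single word computation; the
    chance of a false positive per word checked is about 2**-32.
    """
    hits = []
    for off in range(len(image) - 176 + 1):
        for i, word in enumerate(_schedule(image[off:off + 16])):
            if image[off + 4 * i:off + 4 * i + 4] != word:
                break
        else:
            hits.append((off, image[off:off + 16]))
    return hits


def build_sample_image(key: bytes, offset: int, size: int = 32768, seed: int = 7) -> bytes:
    """Constructed memory image: seeded random filler with one key schedule embedded."""
    filler = bytearray(random.Random(seed).randbytes(size))
    filler[offset:offset + 176] = expand_key(key)
    return bytes(filler)


if __name__ == "__main__":
    KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
    image = build_sample_image(KEY, offset=0x3A20)            # offset chosen for the example
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at physical offset {off:#x}: key {key.hex()}")
```

The scan is the same one that memory-forensics tools apply to a FireWire- or cold-boot-acquired dump; a real run would read the dump from a file instead of calling build_sample_image. Keys of other sizes and algorithms need their own schedule check, but the pattern (recompute from the candidate, compare against memory, reject early) is unchanged.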
Kernel-mode drivers run with the same unrestricted access to physical memory and so have many ways to compromise the security of a system; care must be taken to load only trusted, bug-free drivers. For example, 64-bit versions of Microsoft Windows require kernel-mode drivers to be digitally signed and refuse to load unsigned ones.
An IOMMU (Intel's VT-d and AMD's AMD-Vi are implementations of the concept) applies the idea of virtual memory to the system busses: device DMA passes through its own address translation, so a device can be confined to the buffers the operating system has mapped for it rather than seeing all of physical memory. This can close the vulnerability and also improves stability, since a faulty device can no longer corrupt arbitrary memory. So far, however, IOMMUs have mostly been used to give guest virtual machines passthrough access to host hardware rather than being enabled to protect the host.
Newer operating systems may take steps to prevent DMA attacks. Recent Linux kernels keep unfiltered physical DMA from FireWire devices disabled (the firewire_ohci driver's remote_dma parameter, off by default) while still allowing the devices' other functions. Windows 8.1 can prevent an unattended machine from granting memory access through its DMA-capable ports while the console is locked.
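A practitioner checking a Linux machine for the mitigations just described can read them off the kernel's sysfs interface. The following is an added example, not code from the article or from any kernel project: it inspects /sys/kernel/iommu_groups (populated only when an IOMMU such as VT-d or AMD-Vi is active), the firewire_ohci driver's remote_dma parameter (N = physical DMA filtered, Y = unfiltered), and each Thunderbolt domain's security attribute (whose value none means attached devices get PCIe, and thus DMA, without approval). The root argument lets the check run against a copy of the tree; make_sample_tree builds a constructed one for offline use, and the weakness thresholds are this example's own choices.

```python
"""Check a Linux sysfs tree for DMA-attack mitigations.

Added example, not from the original article. Point `root` at "/" for the live
system or at a copy of the tree; make_sample_tree builds a constructed tree.
"""
import tempfile
from pathlib import Path

IOMMU_GROUPS = "sys/kernel/iommu_groups"                       # non-empty only with an active IOMMU
FW_REMOTE_DMA = "sys/module/firewire_ohci/parameters/remote_dma"  # Y = unfiltered physical DMA
TB_DEVICES = "sys/bus/thunderbolt/devices"                      # domain*/security holds the level


def check_dma_mitigations(root: str = "/") -> dict:
    """Collect the raw mitigation state; values are None where a subsystem is absent."""
    base = Path(root)
    groups = base / IOMMU_GROUPS
    iommu_active = groups.is_dir() and any(groups.iterdir())

    param = base / FW_REMOTE_DMA
    # None means the firewire_ohci driver is not loaded (no FireWire controller).
    fw_open = param.read_text().strip() == "Y" if param.is_file() else None

    levels = {}
    tb = base / TB_DEVICES
    if tb.is_dir():
        for dom in sorted(tb.glob("domain*")):
            sec = dom / "security"
            if sec.is_file():
                levels[dom.name] = sec.read_text().strip()
    return {"iommu_active": iommu_active,
            "firewire_remote_dma": fw_open,
            "thunderbolt_security": levels}


def weaknesses(report: dict) -> list[str]:
    """Turn the raw state into findings; thresholds are this example's own choices."""
    out = []
    if not report["iommu_active"]:
        out.append("no active IOMMU: any bus-mastering device can reach all of physical memory")
    if report["firewire_remote_dma"]:
        out.append("firewire_ohci remote_dma=Y: unfiltered physical DMA from the 1394 bus")
    for dom, level in report["thunderbolt_security"].items():
        if level == "none":
            out.append(f"{dom}: Thunderbolt security 'none', devices get PCIe and DMA without approval")
    return out


def make_sample_tree(iommu: bool, remote_dma: str, tb_level: str) -> str:
    """Build a constructed sysfs subtree in a temp directory for offline testing."""
    base = Path(tempfile.mkdtemp())
    groups = base / IOMMU_GROUPS
    (groups / "0" if iommu else groups).mkdir(parents=True)
    param = base / FW_REMOTE_DMA
    param.parent.mkdir(parents=True)
    param.write_text(remote_dma + "\n")
    dom = base / TB_DEVICES / "domain0"
    dom.mkdir(parents=True)
    (dom / "security").write_text(tb_level + "\n")
    return str(base)


if __name__ == "__main__":
    targets = [("constructed weak tree", make_sample_tree(False, "Y", "none")),
               ("live system", "/")]
    for name, root in targets:
        report = check_dma_mitigations(root)
        print(name, report)
        for finding in weaknesses(report):
            print("  WEAK:", finding)
```

A Thunderbolt level of user or secure is only as good as the userspace policy that approves devices, so a clean result from this check is a necessary, not sufficient, condition; and an IOMMU that is present but only assigned to virtual machines still leaves the host's own device mappings to the hypervisor's configuration.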