Devices Still Vulnerable to DMA Attacks Despite Protections
Many devices, including ones often found in enterprise environments, are likely still vulnerable to direct memory access (DMA) attacks even though hardware and software vendors have implemented protections that should prevent such attacks, firmware security company Eclypsium said on Thursday.
DMA is designed to allow hardware components or peripheral devices to directly access system memory, independently of the operating system and the CPU. The feature, however, can be abused for malicious purposes by an attacker who has gained access to a device’s firmware or who has physical access to the targeted machine.
DMA attacks that involve physical access can be launched by connecting a malicious device to the targeted computer via an available port — this is called a closed-chassis attack — or by physically opening the case of the targeted computer to gain access to internal hardware — this is called an open-chassis attack. DMA attacks can also be launched remotely via malware that is able to modify the targeted device’s firmware.
A successful DMA attack can allow hackers to conduct a wide range of activities, such as executing kernel code on the system, bypassing security mechanisms, stealing data, and installing backdoors.
Input–output memory management unit (IOMMU) technology, which has been implemented by both Intel and AMD, can prevent DMA attacks, but full protection requires DMA defenses in the UEFI firmware and the operating system as well. According to Eclypsium, the first devices with UEFI protections were rolled out only in 2019 and a version of Windows 10 released in the spring of 2018 was the first to allow DMA protection to remain enabled during boot.
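A defender-side check of the layers described above, as an added example that is not from Eclypsium or the original article. It assumes a Linux host with Intel VT-d and the standard sysfs paths; it reads the ACPI DMAR table for the platform opt-in flag that firmware sets to request OS DMA protection, and flags Thunderbolt domains that are neither access-controlled nor covered by the IOMMU. The function names and the build_dmar sample table are constructed for illustration.

```python
import os
import struct

DMA_CTRL_PLATFORM_OPT_IN = 0x04  # bit 2 of the DMAR flags byte (VT-d spec)

def build_dmar(flags: int) -> bytes:
    """Constructed sample: a 48-byte DMAR header with a valid ACPI checksum."""
    hdr = bytearray(b"DMAR" + struct.pack("<IB", 48, 1) + bytes(27))
    hdr += bytes([38, flags]) + bytes(10)   # host address width - 1, flags
    hdr[9] = -sum(hdr) & 0xFF               # checksum byte makes the sum 0
    return bytes(hdr)

def dmar_opt_in(table: bytes) -> bool:
    """True if firmware set the platform opt-in flag in an ACPI DMAR table."""
    if len(table) < 48 or table[:4] != b"DMAR":
        raise ValueError("not a DMAR table")
    length = struct.unpack_from("<I", table, 4)[0]
    if not 48 <= length <= len(table) or sum(table[:length]) & 0xFF:
        raise ValueError("bad length or checksum")
    return bool(table[37] & DMA_CTRL_PLATFORM_OPT_IN)

def read_attr(path: str) -> str:
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""

def audit(sysfs: str = "/sys") -> list:
    """Return a list of DMA-protection gaps found under a sysfs root."""
    gaps = []
    iommu = os.path.join(sysfs, "class", "iommu")
    if not (os.path.isdir(iommu) and os.listdir(iommu)):
        gaps.append("no IOMMU registered with the kernel")
    try:
        with open(os.path.join(sysfs, "firmware/acpi/tables/DMAR"), "rb") as f:
            if not dmar_opt_in(f.read()):
                gaps.append("firmware did not set the DMAR opt-in flag")
    except (OSError, ValueError) as exc:
        gaps.append(f"DMAR table unusable: {exc}")
    tb = os.path.join(sysfs, "bus/thunderbolt/devices")
    for dom in sorted(os.listdir(tb)) if os.path.isdir(tb) else []:
        if dom.startswith("domain"):
            level = read_attr(os.path.join(tb, dom, "security"))
            covered = read_attr(os.path.join(tb, dom, "iommu_dma_protection")) == "1"
            if level == "none" and not covered:
                gaps.append(f"{dom}: Thunderbolt PCIe tunneling unprotected")
    return gaps
```

Reading /sys/firmware/acpi/tables/DMAR requires root. AMD systems expose an IVRS table instead, which this example does not parse.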
Microsoft also announced recently that it has started designing — with help from its partners — new device security requirements intended to protect against targeted firmware attacks.
Eclypsium recently conducted tests on a couple of devices — a Dell XPS 13 7390 2-in-1 released in October 2019 and an HP ProBook 640 G4 — in an effort to show that the presence of built-in protections may not be enough to prevent DMA attacks against machines often found in enterprise environments.
In the case of the Dell laptop, the researchers conducted a closed-chassis DMA attack via Thunderbolt. They managed to perform DMA code injection during the boot process using a known DMA attack method that relies on a tool called PCILeech. The attack was possible because the “Enable Thunderbolt pre-boot modules” setting was enabled by default.
Dell has been notified and has published an advisory to inform customers about the vulnerability, which it tracks as CVE-2019-18579. The company has released a BIOS update to address the issue and says the setting is disabled by default on other platforms that support Thunderbolt.
In the case of the HP laptop, Eclypsium conducted a successful open-chassis pre-boot DMA attack using PCILeech, despite the presence of protections such as HP Sure Start, which should protect the BIOS, and Intel’s VT-d implementation of IOMMU. This computer was not vulnerable to closed-chassis attacks.
“We were able to successfully attack the system and gain control over the device. By using DMA to modify the system RAM during the boot process, we gained arbitrary code execution, thus bypassing the HP Sure Start protections that verify BIOS code integrity before CPU execution starts,” Eclypsium researchers said.
HP has also released a BIOS update in response to Eclypsium’s research. The tech giant has updated Sure Start to provide protection against open-chassis DMA attacks — closed-chassis attacks were covered by a previous Sure Start update — and the researchers have confirmed that their attack does not work on devices running the latest Sure Start and BIOS versions.
Eclypsium told SecurityWeek that devices from other vendors are “very likely” to be vulnerable to DMA attacks such as the ones they have conducted.
“There are different types of DMA attacks and some are more close to being solved than others as more and more vendors have been adding protections for DMA attacks,” explained Mickey Shkatov, principal researcher at Eclypsium. “There has been more progress made to prevent closed-chassis attacks such as DMA over Thunderbolt and very few have attempted to mitigate open-chassis attacks so far.”
“As far as we have observed Apple is the only vendor so far to successfully protect from DMA attacks from power on to operating system. Apple MacBooks are likely to be immune due to IOMMU use by firmware,” Shkatov added.
The expert believes that, similar to any major new security design or capability at hardware or firmware level, it will take years until defenses are widely deployed and supported.
“Boot time DMA protection is one such major security capability which requires implementation in the firmware of many OEMs and support by the operating systems. While reference implementation of DMA protection support was added to open source Tianocore in 2017, leading OEMs have just started adding it in their latest enterprise grade laptops,” Shkatov said. “The same protections will also need to be implemented in servers. It’s fair to assume that we are in the beginning of multi-year effort to add DMA protections in the firmware.”
However, the expert believes that as with any complex security capability that requires firmware support, attackers will find ways to exploit misconfigurations and code vulnerabilities to bypass DMA protections in the future.