Show simple item record

dc.contributor.authorMarkettos, Theoen
dc.contributor.authorRothwell, Colinen
dc.contributor.authorGutstein, Brett Fen
dc.contributor.authorPearce, Allisonen
dc.contributor.authorNeumann, Peter Gen
dc.contributor.authorMoore, Simonen
dc.contributor.authorWatson, Roberten
dc.date.accessioned2019-01-29T16:52:45Z
dc.date.available2019-01-29T16:52:45Z
dc.date.issued2019en
dc.identifier.isbn189156255Xen
dc.identifier.urihttps://www.repository.cam.ac.uk/handle/1810/288484
dc.description.abstractDirect Memory Access (DMA) attacks have been known for many years: DMA-enabled I/O peripherals have complete access to the state of a computer and can fully compromise it including reading and writing all of system memory. With the popularity of Thunderbolt 3 over USB Type-C and smart internal devices, opportunities for these attacks to be performed casually with only seconds of physical access to a computer have greatly broadened. In response, commodity hardware and operating-system (OS) vendors have incorporated support for Input-Output Memory Management Units (IOMMUs), which impose memory protection on DMA, and are widely believed to protect against DMA attacks. We investigate the state-of-the-art in IOMMU protection across OSes using a novel I/O security research platform, and find that current protections fall short when faced with a functional network peripheral that uses its complex interactions with the OS for ill intent, and demonstrate compromises against macOS, FreeBSD, and Linux, which notionally utilize IOMMUs to protect against DMA attackers. Windows only uses the IOMMU in limited cases and remains vulnerable. Using Thunderclap, an open-source FPGA research platform we built, we explore a number of novel exploit techniques to expose new classes of OS vulnerability. The complex vulnerability space for IOMMU-exposed shared memory available to DMA-enabled peripherals allows attackers to extract private data (sniffing cleartext VPN traffic) and hijack kernel control flow (launching a root shell) in seconds using devices such as USB-C projectors or power adapters. We have worked closely with OS vendors to remedy these vulnerability classes, and they have now shipped substantial feature improvements and mitigations as a result of our work.
dc.description.sponsorshipDARPA I2O FA8750-10-C-0237 ("CTSRD") DARPA MTO HR0011- 18-C-0016 ("ECATS") Arm Ltd Google Inc This work was also supported by EPSRC EP/R012458/1 (“IOSEC”).
dc.language.isoenen
dc.publisherInternet Society
dc.titleThunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripheralsen
dc.typeConference Object
prism.publicationDate2019en
prism.publicationNameProceedings 2019 Network and Distributed System Security Symposiumen
dc.identifier.doi10.17863/CAM.35771
dcterms.dateAccepted2018-11-06en
rioxxterms.versionofrecord10.14722/ndss.2019.23194en
rioxxterms.versionVoRen
rioxxterms.licenseref.urihttp://www.rioxx.net/licenses/all-rights-reserveden
rioxxterms.licenseref.startdate2019en
dc.contributor.orcidMoore, Simon [0000-0002-2806-495X]
rioxxterms.typeConference Paper/Proceeding/Abstracten
pubs.funder-project-idEPSRC (EP/R012458/1)
pubs.conference-nameNetwork and Distributed System Security Symposiumen


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record