
MID-053: Use IOMMU to Implement DMA Access Controls

Mitigation Tier: Intermediate

Description

Many modern processors and chipsets that support Direct Memory Access (DMA) also contain an Input/Output Memory Management Unit (IOMMU). Once enabled and programmed by firmware and the operating system, the IOMMU translates the addresses a peripheral (e.g., a PCI Express device) uses for DMA and enforces an access control policy that prevents the device from reading or writing regions of system RAM it has not been authorized to access. This creates a barrier for threat actors attempting to access memory directly from a compromised or untrustworthy peripheral. The barrier is only as strong as the policy the system loads into the IOMMU: protection should be active from early boot, before any driver attaches to an untrusted device [2], and mappings should be limited to the buffers a device actually needs, since mappings that expose whole pages or shared kernel data have been shown to leave exploitable DMA access in place even with the IOMMU on [1].
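As an added example that is not part of the original page, the following POSIX shell script audits whether a Linux host actually has the protection described above. It classifies the kernel command line (intel_iommu=, amd_iommu=, iommu=, iommu.strict= and iommu.passthrough= are standard Linux kernel parameters) and then inspects /sys/kernel/iommu_groups, which the kernel populates only when an IOMMU is active. The function names, and the optional argument that lets the sysfs checks be pointed at a directory other than /sys, are conventions of this script, not of the kernel.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a Linux host's IOMMU
# DMA-protection state. Kernel parameter names and /sys paths are standard
# Linux conventions; the function names and the optional sysfs root argument
# (so the checks can be pointed at a constructed tree) are this script's own.

# Classify a kernel command line (the text of /proc/cmdline). Prints one word:
#   disabled    - the IOMMU is explicitly switched off
#   passthrough - IOMMU on, but kernel-owned devices get identity mappings,
#                 so only devices handed to VFIO are actually contained
#   lazy        - IOMMU on with deferred IOTLB invalidation; a device can still
#                 reach a DMA buffer for a while after the kernel unmapped it
#   enabled     - Intel IOMMU explicitly on, strict invalidation, no passthrough
#   default     - nothing decisive on the command line: AMD IOMMUs are on by
#                 default and Intel depends on the kernel build, so check sysfs
iommu_cmdline_state() {
    on=0 off=0 pt=0 lazy=0
    set -f                      # no pathname expansion while splitting tokens
    for tok in $1; do
        case "$tok" in
            intel_iommu=on)                          on=1 ;;
            intel_iommu=off|amd_iommu=off|iommu=off) off=1 ;;
            iommu=pt|iommu.passthrough=1)            pt=1 ;;
            iommu.strict=0)                          lazy=1 ;;
        esac
    done
    set +f
    if   [ "$off" = 1 ];  then echo disabled
    elif [ "$pt" = 1 ];   then echo passthrough
    elif [ "$lazy" = 1 ]; then echo lazy
    elif [ "$on" = 1 ];   then echo enabled
    else                       echo default
    fi
}

# Count the IOMMU groups under <sysfs_root>/kernel/iommu_groups. Zero means no
# IOMMU is active and no DMA isolation is enforced, whatever the command line
# promised.
iommu_group_count() {
    dir="${1:-/sys}/kernel/iommu_groups"
    n=0
    if [ -d "$dir" ]; then
        for g in "$dir"/*/; do
            if [ -d "$g" ]; then n=$((n + 1)); fi
        done
    fi
    echo "$n"
}

# Print the numbers of groups holding more than one device. Members of a group
# share one translation context, so the IOMMU cannot keep them apart from each
# other: an untrusted device in a shared group reaches whatever is mapped for
# its group-mates.
shared_iommu_groups() {
    dir="${1:-/sys}/kernel/iommu_groups"
    [ -d "$dir" ] || return 0
    for g in "$dir"/*/; do
        [ -d "${g}devices" ] || continue
        c=0
        for d in "${g}devices"/*; do
            if [ -e "$d" ]; then c=$((c + 1)); fi
        done
        if [ "$c" -gt 1 ]; then basename "$g"; fi
    done
    return 0
}

# Report on the running host.
iommu_audit() {
    cmdline="$(cat /proc/cmdline 2>/dev/null)"
    echo "command line : $(iommu_cmdline_state "$cmdline")"
    echo "IOMMU groups : $(iommu_group_count /sys)"
    shared="$(shared_iommu_groups /sys)"
    if [ -n "$shared" ]; then
        echo "shared groups: $(echo "$shared" | tr '\n' ' ')"
    fi
    return 0
}

iommu_audit
```

A "default" or even "enabled" verdict from the command line is not sufficient on its own; a non-zero group count is what shows the kernel is actually enforcing translations, and `dmesg | grep -e DMAR -e AMD-Vi` confirms which driver initialised. The script only covers the operating-system side of the mitigation; whether DMA is blocked before the OS boots is a firmware property [2] that no post-boot check can observe.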

IEC 62443 4-2 Mappings

  • SAR / EDR / HDR / NDR 3.2 – Protection from malicious code

  • CR 2.1 – Authorization enforcement

References

[1] A. T. Markettos, C. Rothwell, B. F. Gutstein, A. Pearce, P. G. Neumann, S. W. Moore, R. N. M. Watson, “Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals,” in Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, 2019, doi: 10.14722/ndss.2019.23194.

[2] Apple. “Direct memory access protections for Mac computers.” apple.com. Accessed: Aug. 28, 2024. [Online]. Available: https://support.apple.com/guide/security/direct-memory-access-protections-seca4960c2b5/