TID-107: Unauthorized Direct Memory Access (DMA)
Threat Description
If separate discrete chips/peripherals that have access to the same physical memory, a threat actor with access to one peripheral could perform a Direct Memory Access (DMA) attack to maliciously read/write memory from a connected chip or peripheral. This threat is especially relevant if there is insufficient hardware or software restrictions on what memory can be accessed/manipulated. A DMA attack can be used to extract cryptographic keys or other sensitive data, and also to manipulate the operation of the chip.
Threat Maturity and Evidence
Proof of Concept
High-Speed DMA Attacks Bypass Built-in Hardware Protections on Enterprise Devices
“Eclypsium’s latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.”
Exploiting an I/OMMU vulnerability
In the 2010 5th International Conference on Malicious and Unwanted Software, researchers demonstrated how vulnerabilities on Intel’s VT-d could be exploited via a DMA attack.
Thunderspy
“The attack involved opening the device’s back cover, connecting a hacking device called a Bus Pirate to the SPI flash interface associated with the Thunderbolt controller firmware, connecting the Bus Pirate to the attacker’s laptop, copying the Thunderbolt firmware using a tool called Flashrom, modifying the Thunderbolt firmware to disable all Thunderbolt security, and writing it back to the targeted device. The attacker then connects a Thunderbolt-based direct memory access (DMA) attack device running PCILeech to the targeted PC, and uses it to load a kernel module that allows them to bypass the Windows login screen.”
CWE
CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges (Base)
“The product allows address regions to overlap, which can result in the bypassing of intended memory protection.”
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
“The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.”
CWE-284: Improper Access Control
“The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.”