2

I've just read about this: https://www.tripwire.com/state-of-security/security-data-protection/backdoors-hardware-attacks-rakshasa-malware/

Aside from the question in the title, I'd also like to add the following question:

  • Is it possible to flash the firmware of the sound card so that it would load malicious code through DMA, or take control of the audio drivers, which have high privileges on a Windows machine, and then have it contact the C2 server?

If this is all possible, then does that mean that just plugging an infected PCIe sound card into practically any PC, whether it is running Windows or Linux, would already compromise it, despite enabling and properly configuring the IOMMU, such as actually setting it to ENABLED in the BIOS and setting intel_iommu=on/amd_iommu=on in Linux? This assumes that everything else is clean except the sound card.

Resonce
  • `plugging an infected PCIe Sound card to practically any PC` does it matter? If you have physical access, you have root access already. – CaffeineAddiction Dec 21 '18 at 08:30
  • @CaffeineAddiction The threat model might be tangential, for example involving a remotely compromised PCIe device's firmware, which would act like attaching a malicious device. Or perhaps an external port is exposed and is easier to get to that has equivalent capabilities (e.g. an eGPU). – forest Dec 21 '18 at 10:12

1 Answer

3

The IOMMU will not protect against that unless combined with measured boot. While an IOMMU will protect from rogue DMA, that only applies after it has been initialized. In particular, since it would be necessary to enable measured boot, a TPM is required. There are two kinds of measured boot, called SRTM and DRTM. The former measures firmware once while the system is starting, whereas the latter measures a portion of software at runtime. In order to protect from an early DMA attack, it is necessary to use DRTM, instead of just SRTM, for measurement. This usually requires manual configuration.

The IOMMU is vulnerable during early boot because the IOMMU configuration tables (DMAR) are initialized in a region of memory that is not protected. During the brief period between loading the configuration and enabling the IOMMU, a malicious device could modify them, voiding the protection it is supposed to provide. This is explained in a research paper on bypassing IOMMU protections.

This is only a risk if you boot up the system with a malicious or compromised PCIe card already installed. If one is plugged in while the system is on, or an existing card is compromised (e.g. via JTAG) while the system is on, a properly configured IOMMU should be enough to prevent the device from issuing malicious DMA requests. This requires functional DMA Remapping tables, or DMAR, which is an ACPI table included with the BIOS. If the DMAR is broken, which is often the case with certain laptops, the system may not boot correctly with the IOMMU enabled via intel_iommu=on or amd_iommu=force.

forest
  • Thank you very much @forest for the sweet and juicy details. That really allowed me to understand more how these "protections" that we have actually work. I'd like to ask though, do you have any sources that help in knowing how to enable measured boot for Linux? My IOMMU is working properly thanks to me running a desktop. Also, is measured boot independent of secure boot or does it need secure boot in order to do its job? – Resonce Dec 21 '18 at 11:35
  • @Resonce Measured boot and secure boot are different. You can enable SRTM with something like Qubes' Anti-Evil Maid or Purism's Heads bootloader. You can enable DRTM by using tboot (TXT). Proper configuration is something you'd have to do yourself, but hopefully those keywords will help. Remember that those are only necessary if the system is booting with the malicious device already in place. A normal IOMMU is already enough to protect against rogue PCIe devices being inserted while the power is on. – forest Dec 21 '18 at 11:50
  • Thank you very much for the informative answers @forest! Such valuable information is indeed hard to get by. – Resonce Dec 25 '18 at 04:25
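
A runtime check for the "properly configured IOMMU" the answer refers to, added here as an example that is not part of the original thread: it audits a running Linux system for kernel parameters that disable or weaken DMA remapping, a missing remapping table, and PCI devices that sit outside any IOMMU group. The `IVRS` table name (AMD's counterpart to DMAR), the `iommu=pt` parameter and the `root` argument are assumptions not mentioned in the thread; the check says nothing about the early-boot window, which only measured boot addresses.

```python
#!/usr/bin/env python3
"""Audit whether DMA remapping is active on a running Linux system."""
from pathlib import Path


def cmdline_findings(cmdline: str) -> list[str]:
    """Flag kernel parameters that disable or weaken DMA remapping."""
    params = cmdline.split()
    findings = []
    if "intel_iommu=off" in params or "amd_iommu=off" in params:
        findings.append("IOMMU disabled on the kernel command line")
    if "iommu=pt" in params:
        # Passthrough: host-owned devices get identity mappings, not isolation.
        findings.append("iommu=pt: host devices use identity (passthrough) mappings")
    return findings


def audit(root: str = "/") -> list[str]:
    """Return a list of problems; `root` lets the check run on a test tree."""
    r = Path(root)
    findings = cmdline_findings((r / "proc/cmdline").read_text())

    # The firmware must describe the remapping hardware in an ACPI table.
    tables = r / "sys/firmware/acpi/tables"
    if not any((tables / name).exists() for name in ("DMAR", "IVRS")):
        findings.append("firmware exposes no DMAR/IVRS ACPI table")

    # The kernel creates one directory per IOMMU group once remapping is on.
    groups = r / "sys/kernel/iommu_groups"
    if not groups.is_dir() or not any(groups.iterdir()):
        findings.append("no IOMMU groups: DMA remapping is not active")

    # Every PCI device should be linked to a group; one that is not is untranslated.
    pci = r / "sys/bus/pci/devices"
    if pci.is_dir():
        for dev in sorted(pci.iterdir()):
            if not (dev / "iommu_group").exists():
                findings.append(f"PCI device {dev.name} is not in an IOMMU group")
    return findings


if __name__ == "__main__":
    problems = audit()
    for problem in problems:
        print("WARN:", problem)
    print("IOMMU audit:", "issues found" if problems else "no issues found")
```
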