4

I read on the Wikipedia article on DMA attacks that a misconfigured BIOS allowed for this type of attacks. I am asking whether, given the hardware I am using, DMA attacks are possible and whether I can mitigate them by changing options in my BIOS.

In my case, I own an Asus P8P67 motherboard and a netbook. I guess on the Netbook a DMA Attack would be impossible because it has no FireWire connection port and no PCI Slots. Is that correct?

In my Asus P8P67 BIOS, I can't find an option to disable DMA. Is it possible to disable all PCI slots except the one my graphic card is plugged in to? If I do this, would it suffice to prevent DMA attacks?

Steve Dodier-Lazaro
  • 6,828
  • 29
  • 45
  • The easiest way to disable a PCI slot is to fill it with hot glue. – user253751 Jan 19 '16 at 07:43
  • Hot glue can be easily removed with chemicals. Use tamper-proof epoxy specifically designed for electronic components. It's made for this very purpose, after all. – forest Apr 08 '16 at 00:56

2 Answers2

2

You don't want to disable DMA. At best, it will cause a massive slowdown of your computer, as every memory access must be handled by the CPU; most likely, it will make your computer entirely non-functional.

The best way to prevent DMA attacks is to disable or remove FireWire ports and use a computer case with a chassis intrusion switch to shut the computer off if the case is opened.

Mark
  • 34,513
  • 9
  • 86
  • 135
1

No, there is no way to completely disable DMA. If you did that, your system would slow to a crawl. But you can protect yourself in other ways, both deterministically, and probabilistically. To do that, you'll need to be more familiar with the threat you are trying to defend against.

Devices vulnerable to DMA

If a PCI device is plugged in, it can run a DMA attack whether or not the system wants it to. PCI devices cannot be hotplugged, which means once your system is booted up, you cannot insert a device and launch a DMA attack without simply shorting out the whole system. PCIe devices can however be hotplugged, but you can often disable this feature. On Linux systems, you can do this by removing the shpchp module. If you do this, then a malicious PCIe device will have to be already inserted as you boot up for it to do anything bad.

Cardbus uses the pcmcia driver, Firewire uses ohci1394, and Thunderbolt simply uses thunderbolt. Note that on some systems, Firewire will instead use the newer firewire-ohci driver, which is not vulnerable to DMA attacks. Disabling the drivers (using the rmmod utility) should prevent them from launching DMA.

USB 3.1 can emulate Thunderbolt devices. This requires user intervention however, so it is not a big risk. You can't just plug in a USB 3.1 device and have it automatically perform a DMA attack.

Disabling vulnerable drivers

You should be able to defeat the majority of trivial DMA attacks with the following commands:

# rmmod pcmcia
# rmmod ohci1394
# rmmod thunderbolt
# rmmod shpchp

This is a temporary solution, and only lasts until reboot. Additionally, some of them come under different names. You will have to blacklist the modules using a dedicated configuration file. There are many guides online for blacklisting Firewire modules, so I won't link them here. This is only meant as an example stop-gap solution to quickly remove low-hanging fruit for DMA attacks.

If any of these drivers are built into your kernel, they can't be disabled with rmmod, or by blacklisting them. You can check if they are by looking in /lib/modules/$(uname -r)/modules.builtin for their names.

Protecting from DMA using the IOMMU

Most modern CPUs have what's called an IOMMU, or In/Out Memory Management Unit. It acts sort of like a firewall for all memory requests, including direct memory access (note that IOMMUs which do not support "interrupt remapping" do not provide adequate protection and can be broken out of). On Intel chips, it is a featured called VT-d. On AMD, it is called AMD-Vi. By default, it does not provide protection from DMA attacks, but with clever configuration, it can. Some specialized operating systems take advantage of this, such as Qubes, which uses the Xen hypervisor to specifically protect from DMA attacks. There's also BitVisor and TreVisor which use the IOMMU to protect encryption keys from being stolen with DMA. You can also use a feature in newer kernels called VFIO which allows you to bind "root PCI devices" to virtual machines, so that if that PCI device gets compromised, the DMA attack is only able to read the memory of the virtual machine, and not of the host. You can extend that in clever ways to protect the host, such as having a headless (non-graphical) virtual machine for each at-risk peripheral, which forwards data to the host when it is received. IOMMUs are a very flexible solution against DMA attacks, but also very complex.

Physical protection

Depending on your adversary, you may simply want to provide tamper resistance. You can buy inexpensive but high quality epoxy resin and apply it to vulnerable ports and unused PCI slots. Especially if used in combination with removing vulnerable drivers, this will significantly increase your security against any adversary who does not have a lot of time on their hands alone with your system.

You can also protect your system by locking it in a locked computer enclosure, or with chassis intrusion detection. You could seal it off in a room where any unauthorized access to the room causes the entire system to shut down. There are many clever ways to do this, with efficacy depending on your budget. It can range from putting it in a blast-proof bank vault, where any access to the vault shuts the system down automatically (almost perfect protection against DMA and, well, all physical access to the running system), to something fairly cheap, such as using the internal chassis intrusion detector and having the system shut down if anyone opens the chassis up (which would protect against anyone who doesn't drill a hole in it, or carefully remove the resin from any exposed DMA-capable ports) outside the chassis.

Using alternative hardware with a low DMA risk

If you are worried about exploits, you may be thinking that it is a bad idea to even have an Ethernet or Wifi card connected to PCI, because even if those devices do not willingly hand out DMA, if they get hacked, the attacker will have all the abilities the card does, including DMA. Luckily, almost everything can be done over USB now days, which has a much lower chance of being compromised and forced to perform a DMA attack. You can read Cardbus over USB, have Ethernet and Wifi over USB, Bluetooth over USB, you name it. You can additionally reduce your attack surface area by disabling the 3.x USB driver, xhci-hcd. Note that while it is not possible to launch a DMA attack over USB by default, it is not impossible, it's simply much, much harder.

forest
  • 65,613
  • 20
  • 208
  • 262