Taking DMA Attacks to the Next Level: How to do Arbitrary Memory Reads/Writes in a Live and Unmodified System Using a Rogue Memory Controller

Presented at Black Hat USA 2017, July 26, 2017, 11:15 a.m. (50 minutes).

Physical DMA attacks on devices and the ability to read and modify memory contents can be a serious security threat, especially for mobile devices, which can be easily lost or stolen, and for government and remote enterprise data centers, where entry of an untrusted entity can be easily overlooked. In particular, the ability to read memory can expose secrets (i.e. disk encryption keys) that reside thereon, and the ability to actively modify memory can be used to bypass the platform's security policies/mechanisms. However, those types of attacks typically require a specific interface (e.g. Thunderboltâ„¢) to operate and can also be mitigated by blocking associated drivers and ports.

In our talk, we will present a novel, physical, DMA attack that is undetectable, doesn't require a particular port and takes advantage of an inherent vulnerability of standard DIMM slot hardware design. Using our custom PCB probe with an FPGA, we were able to connect to the exposed DDR4 pins of an off-the-shelf desktop system in a non-invasive manner and while the system was on (S3 sleep state). Masking ourselves as the system's benign memory controller, we are able to read or modify memory at any physical address, and the victim system accepts our modifications when exiting from sleep.

We will focus on how we reverse engineered the memory controller and DIMM circuitry to inject our signals in the victim system's memory bus while the system was in S3 sleep state, the JEDEC standard DDR4 commands our memory controller issued to perform each operation, the timing constraints, mapping between physical addresses to DDR4 addresses, and finally the design of our PCB and FPGA.


Presenters:

  • Anna Trikalinou - Research Scientist, Intel Corporation
    Anna Trikalinou is a Research Scientist in Intel defining the new set of security features for future Intel processors. Prior to that Anna worked as a Security Researcher and performed product security for Intel's integrated GPU. She holds a PhD in Computer Security from Wright State University.
  • Dan Lake - Systems Engineer, Intel Corporation
    Dan Lake has been a systems engineer in Intel Labs for the past 10 years. He designs hardware and software prototypes to accelerate research and prove out technologies prior to product introduction. Before joining Intel, he spent 10 years at Mentor Graphics, developing PCB and IC modeling and simulation EDA software and started his career in Tektronix' Test and Measurement division. Dan has BSEE and MSCS degrees from Portland State University.

Links:

Similar Presentations: