Direct Memory, Access Everywhere

Presented at DEF CON 33 (2025), Aug. 9, 2025, 4:30 p.m. (45 minutes).

DMA vulnerabilities aren't new, but they don't seem to have gone anywhere. In the time it took software attacks to go from a single bug to a multi-stage exploit chain, DMA attacks have gone from slipping some hardware into an internal slot of a computer to... plugging in an external device? Despite decades of attacks, tooling, and even mitigations, most systems are still wide open to these attacks because of their perceived difficulty, poor system configuration, and a lack of effective testing mechanisms.

Epic Erebus is a new tool that tries to address these issues. It's small, portable, and easy to use. It can slip through most systems unless the hardware, BIOS, and operating system are all properly configured (a rarity). Finally, it's an entirely open PCIe implementation that gives you full control over Transaction Layer Packets, allowing you to reverse engineer the PCIe bus and the DMA mitigations in place (Get it? RE-Bus... Erebus!). You should come away understanding what Erebus is capable of, the basics of how to use it, and what to look out for when properly implementing DMA attack mitigations.

References:

  • Tribble (Grand Idea Studio): https://grandideastudio.com/portfolio/security/tribble/
  • winlockpwn, Adam Boileau
  • Thunderbolts and Lightning: Very Very Frightening: https://www.youtube.com/watch?v=bWkMEj1hbbQ
  • SLOTSCREAMER (NSA Playset): https://github.com/NSAPlayset/SLOTSCREAMER
  • PCILeech: https://github.com/ufrisk/pcileech
  • Thunderstrike FAQ: https://trmm.net/Thunderstrike_FAQ/
  • PicoDMA: https://github.com/picodma
  • Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals (NDSS): https://www.ndss-symposium.org/ndss-paper/thunderclap-exploring-vulnerabilities-in-operating-system-iommu-protection-via-dma-from-untrustworthy-peripherals/
  • ECP5-PCIe: https://github.com/ECP5-PCIe/ECP5-PCIe
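The abstract's condition for stopping a DMA device, that hardware, BIOS and operating system are all configured correctly, has an operating-system half that can be checked from userland before anyone plugs anything in. The script below is an added example written for this page; it is not the talk's material or the Erebus project's code. It assumes a Linux host and mainline kernel names for the pieces it reads: the intel_iommu= and iommu.passthrough= parameters, the "Adding to iommu group" and "DMAR-IR" kernel messages, /sys/kernel/iommu_groups, and the security and iommu_dma_protection attributes under /sys/bus/thunderbolt/devices/domainN. The classifier functions take text so they can also be run against a /proc/cmdline and dmesg captured from a machine you cannot run it on.

```shell
#!/bin/sh
# Added example, not from the talk: audit whether a Linux host actually has
# DMA remapping engaged, i.e. whether a plugged-in PCIe/Thunderbolt device is
# confined by the IOMMU or handed all of physical memory. Kernel parameters,
# log lines and sysfs attributes are mainline Linux ones; how a given distro
# sets them is an assumption, so treat "default" as "go and check".

# Classify the kernel command line (contents of /proc/cmdline).
# Prints: on | off | default.  amd_iommu has no "on" value: AMD IOMMUs come
# up by default when firmware exposes an IVRS table, whereas Intel ones need
# intel_iommu=on unless the kernel was built with INTEL_IOMMU_DEFAULT_ON.
iommu_cmdline_state() {
    case " $1 " in
        *" intel_iommu=off "*|*" amd_iommu=off "*|*" iommu=off "*) echo off ;;
        *" intel_iommu=on "*) echo on ;;
        *) echo default ;;
    esac
}

# Return 0 if passthrough was requested. With passthrough the IOMMU is on but
# trusted (internal) devices get an identity map, so they can still DMA
# anywhere; recent kernels keep devices on external-facing ports in a
# translated domain regardless.
iommu_passthrough_requested() {
    case " $1 " in
        *" iommu=pt "*|*" iommu.passthrough=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify dmesg text. "Adding to iommu group" means devices really were
# attached to IOMMU domains; "DMAR-IR" alone is interrupt remapping only,
# which does nothing for DMA.
iommu_dmesg_state() {
    if printf '%s\n' "$1" | grep -q 'Adding to iommu group'; then
        echo dma
    elif printf '%s\n' "$1" | grep -q 'DMAR-IR: Enabled IRQ remapping'; then
        echo irq-only
    else
        echo none
    fi
}

# Judge a Thunderbolt/USB4 domain from /sys/bus/thunderbolt/devices/domainN/
#   security             -> none | user | secure | dponly | usbonly | nopcie
#   iommu_dma_protection -> 0 | 1
# Prints: blocked | protected | authorize-required | open.  "user"/"secure"
# only gate the first connection; once a dock is authorized it has DMA unless
# the IOMMU is engaged, so only "protected" (or "blocked") is a real defence.
tb_domain_state() {
    case "$1" in
        nopcie|usbonly|dponly) echo blocked ;;
        *)
            if [ "$2" = 1 ]; then echo protected
            elif [ "$1" = none ]; then echo open
            else echo authorize-required
            fi ;;
    esac
}

# Run the checks against the live system (needs root for a full dmesg).
audit_live() {
    cmdline=$(cat /proc/cmdline)
    echo "cmdline:       $(iommu_cmdline_state "$cmdline")"
    if iommu_passthrough_requested "$cmdline"; then
        echo "               passthrough requested (internal devices identity-mapped)"
    fi
    echo "iommu groups:  $(ls /sys/kernel/iommu_groups 2>/dev/null | wc -l)"
    echo "dmesg:         $(iommu_dmesg_state "$(dmesg 2>/dev/null)")"
    for d in /sys/bus/thunderbolt/devices/domain*; do
        [ -r "$d/security" ] || continue
        sec=$(cat "$d/security")
        prot=$(cat "$d/iommu_dma_protection" 2>/dev/null || echo 0)
        echo "$(basename "$d"): security=$sec iommu_dma_protection=$prot -> $(tb_domain_state "$sec" "$prot")"
    done
}

case "${1:-}" in --live) audit_live ;; esac
```

Run it with --live on the target. A "dma" result from dmesg together with a non-zero group count is the minimum worth calling a mitigation; "irq-only", or a "default" command line on an Intel machine, usually means DMA remapping never came up, which is the configuration gap the abstract describes. Note that a BIOS with VT-d or AMD-Vi disabled leaves no IOMMU for the kernel to find, so the firmware half still has to be checked separately.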

Presenters:

  • Joe "securelyfitz" FitzPatrick
    Joe FitzPatrick (@securelyfitz) is a Trainer and Researcher at SecuringHardware.com (@securinghw). Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent decades developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
  • Grace "Baelfire" Parrish
    Grace Parrish (@BaelfireNightshd@infosec.exchange) is in her final year of a cybersecurity degree at Oregon State University. Grace has spent much of her career working with industrial control systems but has also dabbled in electrical engineering, FPGAs, microcontrollers, and a quick decade as a board level repair technician. In her spare time as a student, she has served as the team captain for a pentesting competition, has written custom Binary Ninja plugins, and has helped deliver hardware security training at Black Hat. Grace is looking forward to working in the offensive security space once she completes her degree.
