|M.Sc Student||Kupfer Gil|
|Subject||IOMMU-Resistant DMA Attacks|
|Department||Department of Computer Science||Supervisors||ASSOCIATE PROF. Dan Tsafrir|
|DR. Amit Nadav|
|Full Thesis text|
The direct memory access (DMA) mechanism allows I/O devices to independently access memory without CPU involvement, improving performance but exposing systems to malicious DMA attacks. To defend against such attacks, hardware vendors introduced IOMMUs (I/O memory management units), allowing operating systems to restrict DMAs to specific memory locations. When configured correctly, the latest generation of IOMMUs is considered an appropriate solution to the problem. We challenge this perception and uncover a new type of IOMMU-resistant DMA attacks, which are capable of taking over the system by exploiting the fact that IOMMU protection is provided in page granularity, which we find to be too coarse. By implementing several novel attacks against these systems, we demonstrate that the vulnerability is spread across different device drivers and kernel subsystems, making it challenging to come up with a generic, performant fix.
In addition, we also show how OS handling of the IOMMU's internal cache (aka IOTLB|I/O translation look-aside buffer) can be exploited by an attacker. Because IOTLB invalidations are expensive, OSs may batch them (Linux does it by default), causing the IOTLB to be inconsistent with the OS for a short time. This time is believed to be too short to be exploitable. We also refute this perception by using this time slot to access memory immediately after it is explicitly forbidden, enabling the attack mentioned above.