Direct Memory Access (DMA) Attacks

Overview

Utilizing Direct Memory Access connections avaiable on modern computers it is possible to access main memory without any operating system supervision. This means access to Ring 0, allowing for anything from access to cryptographic information to running malware without credentials, if unmitigated.

Connections which allow DMA include:

• FireWire

• CardBus

• ExpressCard

• Thunderbolt

• USB 4.0

• PCI, PCI-X and PCI Express

Efficacy on Windows 10

Windows > 8.1 introduced protections against Thunderbolt and CFexpress ports. Win 10 v1903 introduced additional protections for other internal PCIe ports (including M.2 slots).

Kernel DMA ProtectionMicrosoftLearn

"This [current] mitigation only protects PCI-based buses, for example, ExpressCard, Thunderbolt, & some docking stations (PCIe based). Older, non-PCI buses such as 1394 and CardBus are still vulnerable," Microsoft admitted. - https://www.bleepingcomputer.com/news/security/some-windows-10-devices-still-exposed-to-dma-attacks-that-can-steal-bitlocker-keys/ Additionally it seems that currently USB4 is not covered. - https://www.usb.org/sites/default/files/D1T2-2%20-%20USB4%20on%20Windows.pdf

Tools

GitHub - carmaa/inception: Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.GitHub

INCEPTION