Abstract
Computer platform peripherals such as network and management controllers can be used to attack the host computer via direct memory access (DMA). DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host. They therefore present a highly critical threat to system security and integrity. Unfortunately, to date no OS implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past, so these units cannot be considered trustworthy either. We are the first to present a novel method for detecting and preventing DMA-based attacks. Our method is based on modeling the expected memory bus activity and comparing it with the actual activity. We implement BARM, a runtime monitor that permanently monitors bus activity to expose malicious memory access carried out by peripherals. Our evaluation reveals that BARM not only detects and prevents DMA-based attacks but also runs without significant overhead, because it relies on commonly available CPU features of the x86 platform.
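The detection idea of the abstract, modeling expected memory bus activity and comparing it with what was actually measured, as an added illustration that is not BARM's own code: the sample structure, the split of activity into CPU-attributed and driver-requested DMA, the mean-plus-3-sigma calibration and all sample values are assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class BusSample:
    """One sampling interval of memory bus activity (constructed values)."""
    interval: int
    measured: int     # transactions a bus-activity counter reported in the interval
    cpu: int          # transactions attributed to the CPU itself
    driver_dma: int   # DMA transactions the host's drivers say they requested


def residual(s: BusSample) -> int:
    """Measured activity the model (CPU + driver-requested DMA) does not explain."""
    return s.measured - (s.cpu + s.driver_dma)


def calibrate(samples, k: float = 3.0) -> float:
    """Tolerance derived from residuals observed while the platform is trusted.

    Assumption for this example: accept up to mean + k standard deviations of
    the calibration-phase residual as benign accounting jitter.
    """
    r = [residual(s) for s in samples]
    return mean(r) + k * pstdev(r)


def detect(samples, tolerance: float):
    """Return (interval, excess) for every interval with unexplained bus activity."""
    return [(s.interval, residual(s)) for s in samples if residual(s) > tolerance]


# Constructed calibration data: residuals of 0, 1, 2, 1, 0 transactions.
CALIBRATION = [BusSample(i, 1000 + r, 900, 100) for i, r in enumerate([0, 1, 2, 1, 0])]

# Constructed runtime data: two benign intervals and one with 150 unexplained
# transactions, the signature a peripheral-initiated DMA would leave.
RUNTIME = [
    BusSample(10, 1501, 1200, 300),
    BusSample(11, 1702, 1300, 400),
    BusSample(12, 1850, 1300, 400),
]

if __name__ == "__main__":
    tol = calibrate(CALIBRATION)
    for interval, excess in detect(RUNTIME, tol):
        print(f"interval {interval}: {excess} unexplained bus transactions")
```

A real monitor would replace the constructed samples with counter readings taken at a fixed rate and account driver-requested DMA per device, so that an alert can be mapped back to a peripheral.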
© 2013 Springer-Verlag Berlin Heidelberg
Stewin, P. (2013). A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_1
DOI: https://doi.org/10.1007/978-3-642-41284-4_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4