A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory

  • Patrick Stewin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8145)


Computer platform peripherals such as network and management controller can be used to attack the host computer via direct memory access (DMA). DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host. Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy. We are the first to present a novel method for detecting and preventing DMA-based attacks. Our method is based on modeling the expected memory bus activity and comparing it with the actual activity. We implement BARM, a runtime monitor that permanently monitors bus activity to expose malicious memory access carried out by peripherals. Our evaluation reveals that BARM not only detects and prevents DMA-based attacks but also runs without significant overhead due to the use of commonly available CPU features of the x86 platform.


Direct Memory Access (DMA) DMA Malware Intrusion Detection Operating System Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Delugré, G.: Closer to metal: Reverse engineering the Broadcom NetExtreme’s firmware. Sogeti ESEC Lab (2010),
  2. 2.
    Delugré, G.: How to develop a rootkit for Broadcom NetExtreme network cards. Sogeti ESEC Lab (2011),
  3. 3.
    Duflot, L., Perez, Y.-A., Morin, B.: What if you can’t trust your network card? In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 378–397. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Stewin, P., Bystrov, I.: Understanding DMA malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Triulzi, A.: Project Maux Mk.II. The Alchemist Owl (2008),
  6. 6.
    Triulzi, A.: The Jedi Packet Trick takes over the Deathstar. The Alchemist Owl (2010),
  7. 7.
  8. 8.
    Breuk, R., Spruyt, A.: Integrating DMA attacks in exploitation frameworks. Faculty of Science. University of Amsterdam (2012),
  9. 9.
    Duflot, L., Perez, Y., Valadon, G., Levillain, O.: Can you still trust your network card (2010),
  10. 10.
    Abramson, D., Jackson, J., Muthrasanallur, S., Neiger, G., Regnier, G., Sankaran, R., Schoinas, I., Uhlig, R., Vembu, B., Wiegert, J.: Intel Virtualization Technology for Directed I/O. Intel Technology Journal 10(3), 179–192 (2006)CrossRefGoogle Scholar
  11. 11.
    Li, Y., McCune, J., Perrig, A.: VIPER: Verifying the integrity of peripherals’ firmware. In: Proceedings of the ACM Conference on Computer and Communications Security (2011)Google Scholar
  12. 12.
    Sang, F.L., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: Malicious and Unwanted Software, pp. 7–14 (2010)Google Scholar
  13. 13.
    Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Another Way to Circumvent Intel Trusted Execution Technology. ITL (2009),
  14. 14.
    Wojtczuk, R., Rutkowska, J.: Following the White Rabbit: Software attacks against Intel VT-d technology. ITL (2011),
  15. 15.
    Wojtczuk, R., Rutkowska, J.: Attacking Intel TXT via SINIT code execution hijacking. ITL (2011),
  16. 16.
    Duflot, L., Perez, Y., Morin, B.: Run-time firmware integrity verification: what if you can’t trust your network card? FNISA (2011),
  17. 17.
    Stewin, P., Seifert, J.-P., Mulliner, C.: Poster: Towards Detecting DMA Malware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 857–860. ACM, New York (2011)CrossRefGoogle Scholar
  18. 18.
    Buchanan, B.: Computer Busses. Electronics & Electrical. Taylor & Francis (2010)Google Scholar
  19. 19.
    Budruk, R., Anderson, D., Shanley, T.: Pci Express System Architecture. PC System Architecture Series. Addison-Wesley (2004)Google Scholar
  20. 20.
    Hennessy, J.L., Patterson, D.A.: Computer Architecture: A Quantitative Approach, 3rd edn. Morgan Kaufmann (2005)Google Scholar
  21. 21.
    Intel Corporation. Intel 3 Series Express Chipset Family. Intel Corporation (2007),
  22. 22.
    Intel Corporation. Intel I/O Controller Hub (ICH9) Family. Intel Corporation (2008),
  23. 23.
    Abbott, D.: PCI Bus Demystified. Demystifying technology series. Elsevier (2004)Google Scholar
  24. 24.
    Anderson, D., Shanley, T.: Pci System Architecture. PC System Architecture Series. Addison-Wesley (1999)Google Scholar
  25. 25.
    Intel Corporation. Intel 64 and IA-32 Architectures Software Developer’s Manual — Volume 3 (3A, 3B & 3C): System Programming Guide. Intel Corporation (March 2012),
  26. 26.
    Reinders, J.: VTune Performance Analyzer Essentials: Measurement and Tuning Techniques for Software Developers. Engineer to Engineer Series. Intel Press (2005)Google Scholar
  27. 27.
    Intel Corporation. Intel VTune Amplifier 2013. Intel Corporation (2013),
  28. 28.
    Intel Corporation. Universal Host Controller Interface (UHCI) Design Guide. The Slackware Linux Project (1996), Revision 1.1
  29. 29.
    Russinovich, M.E., Solomon, D.A., Ionescu, A.: Windows Internals 6th Edition, Part 2. Microsoft Press (2012)Google Scholar
  30. 30.
    Trusted Computing Group. TCG PC Client Specific Impementation Specification For Conventional BIOS. TCG:, 2005.
  31. 31.
    Li, Y., McCune, J.M., Perrig, A.: SBAP: Software-based attestation for peripherals. In: Acquisti, A., Smith, S.W., Sadeghi, A.-R. (eds.) TRUST 2010. LNCS, vol. 6101, pp. 16–29. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  32. 32.
    Nguyen, Q.: Issues in Software-based Attestation. Kaspersky Lab (2012),
  33. 33.
    Gasmi, Y., Sadeghi, A.-R., Stewin, P., Unger, M., Asokan, N.: Beyond secure channels. In: Proceedings of the 2007 ACM Workshop on Scalable Trusted Computing, pp. 30–40. ACM, New York (2007)CrossRefGoogle Scholar
  34. 34.
    Müller, T., Dewald, A., Freiling, F.C.: Aesse: a cold-boot resistant implementation of aes. In: Proceedings of the Third European Workshop on System Security, pp. 42–47. ACM, New York (2010)CrossRefGoogle Scholar
  35. 35.
    Müller, T., Freiling, F.C., Dewald, A.: Tresor runs encryption securely outside ram. In: Proceedings of the 20th USENIX Conference on Security, p. 17. USENIX Association, Berkeley (2011)Google Scholar
  36. 36.
    Simmons, P.: Security through amnesia: a software-based solution to the cold boot attack on disk encryption. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 73–82. ACM, New York (2011)Google Scholar
  37. 37.
    Vasudevan, A., McCune, J., Newsome, J., Perrig, A., van Doorn, L.: Carma: a hardware tamper-resistant isolated execution environment on commodity x86 platforms. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 48–49. ACM, New York (2012)Google Scholar
  38. 38.
    Blass, E., Robertson, W.: Tresor-hunt: attacking cpu-bound encryption. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 71–78. ACM, New York (2012)Google Scholar
  39. 39.
    Müller, T., Taubmann, B., Freiling, F.C.: Trevisor: Os-independent software-based full disk encryption secure against main memory attacks. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 66–83. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  40. 40.
    Sang, F.L., Nicomette, V., Deswarte, Y.: I/O Attacks in Intel-PC Architectures and Countermeasures. SysSec (2011),
  41. 41.
    Wicherski, G.: Taming ROP on Sandy Bridge. SyScan (2013),
  42. 42.
    Xia, Y., Liu, Y., Chen, H., Zang, B.: Cfimon: Detecting violation of control flow integrity using performance counters. In: Proceedings of the, 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), DSN 2012, pp. 1–12. IEEE Computer Society, Washington, DC (2012)Google Scholar
  43. 43.
    Malone, C., Zahran, M., Karri, R.: Are hardware performance counters a cost effective way for integrity checking of programs. In: Proceedings of the sixth ACM Workshop on Scalable Trusted Computing, STC 2011, pp. 71–76. ACM, New York (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Patrick Stewin
    • 1
  1. 1.Security in TelecommunicationsTU BerlinGermany

Personalised recommendations