Abstract

Attackers constantly explore ways to camouflage illicit activities against computer platforms. Stealthy attacks are required in industrial espionage and also by criminals stealing banking credentials. Modern computers contain dedicated hardware such as network and graphics cards. Such devices implement independent execution environments but have direct memory access (DMA) to the host runtime memory. In this work we introduce DMA malware, i.e., malware executed on dedicated hardware to launch stealthy attacks against the host using DMA. DMA malware goes beyond the capability to control DMA hardware. We implemented DAGGER, a keylogger that attacks Linux and Windows platforms. Our evaluation confirms that DMA malware can efficiently attack kernel structures even if memory address randomization is in place. DMA malware is stealthy to a point where the host cannot detect its presence. We evaluate and discuss possible countermeasures and the (in)effectiveness of hardware extensions such as input/output memory management units.

Keywords

Dedicated Hardware, Direct Memory Access, I/OMMU, Keylogger, Malware, Manageability Engine, Rootkit, Stealth, vPro, x86

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Patrick Stewin (1)
  • Iurii Bystrov (1)
  1. Security in Telecommunications, Technische Universität Berlin, Berlin, Germany