Corpus ID: 9744689

Understanding DMA

Authors: Patrick Stewin and Iurii Bystrov

Attackers constantly explore ways to camouflage illicit activities against computer platforms. Stealthy attacks are required in industrial espionage and also by criminals stealing banking credentials. Modern computers contain dedicated hardware such as network and graphics cards. Such devices implement independent execution environments but have direct memory access (DMA) to the host runtime memory. In this work we introduce DMA malware, i.e., malware executed on dedicated hardware to launch…

Exploiting an I/OMMU vulnerability

This paper presents different vulnerabilities the authors identified on Intel VT-d, which implements an I/OMMU, and gives some recommendations to prevent these vulnerabilities from being used for malicious purposes.

SMM rootkits: a new breed of OS independent malware

A proof of concept SMM rootkit is presented, exploring the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP.

Another Way to Circumvent Intel® Trusted Execution Technology

A different attack is presented that allows an attacker to trick the SENTER instruction into misconfiguring the VT-d engine, so that it doesn't protect the newly loaded MLE.

Following the White Rabbit: Software attacks against Intel(R) VT-d technology

Three software attacks that might allow for escaping from a VT-d-protected driver domain in a virtualization system are discussed; the paper focuses on one of them, and a practical and reliable code execution exploit is demonstrated against a Xen system.

VIPER: verifying the integrity of PERipherals' firmware

This work proposes software-only attestation protocols to verify the integrity of peripherals' firmware, and shows that they can detect all known software-based attacks.

SubVirt: implementing malware with virtual machines

This paper evaluates a new type of malicious software that gains qualitatively more control over a system, which is called a virtual-machine based rootkit (VMBR), and implements a defense strategy suitable for protecting systems against this threat.

Attacking Intel TXT via SINIT code execution hijacking

A software attack against Intel TXT is presented that exploits an implementation problem within a so-called SINIT module, an internal part of the Intel TXT infrastructure. The attack allows fully bypassing Intel TXT and Intel Launch Control Policy (LCP), and additionally provides yet another way to compromise SMM code on the platform.

A Virtual Machine Introspection Based Architecture for Intrusion Detection

This paper presents an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance, achieved through the use of a virtual machine monitor.

Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor

Copilot is a coprocessor-based kernel integrity monitor for commodity systems. Copilot is designed to detect malicious modifications to a host's kernel and has correctly detected the presence of 12

Dynamics of a trusted platform: a building block approach

In Dynamics of a Trusted Platform, David Grawrock has updated his highly popular Intel Safer Computing Initiative with new topics covering the latest developments in secure computing, and the reader is introduced to the concept of Trusted Computing and the building block approach to designing security into PC platforms.