IOMMU protection against I/O attacks: a vulnerability and a proof of concept


Ontology type: schema:ScholarlyArticle      Open Access: True


Article Info

DATE

2018-12

AUTHORS

Benoît Morgan, Éric Alata, Vincent Nicomette, Mohamed Kaâniche

ABSTRACT

Input/output (I/O) attacks have received increasing attention during the last decade. These attacks are performed by malicious peripherals that make read or write accesses to DRAM memory or to memory embedded in other peripherals, through DMA (Direct Memory Access) requests. Some protection mechanisms have been implemented in modern architectures to face these attacks. A typical example is the IOMMU (Input-Output Memory Management Unit). However, such mechanisms may not be properly configured and used by the firmware and the operating system. This paper describes a design weakness that we discovered in the configuration of an IOMMU and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism. The exploitation scenario is implemented for Intel architectures, with a PCI Express peripheral Field Programmable Gate Array, based on Intel specifications and Linux source code analysis. Finally, as a proof of concept, a Linux rootkit based on the attack presented in this paper is implemented.

PAGES

2

References to SciGraph publications

  • 2013. Understanding DMA Malware in DETECTION OF INTRUSIONS AND MALWARE, AND VULNERABILITY ASSESSMENT
  • 2011. What If You Can’t Trust Your Network Card? in RECENT ADVANCES IN INTRUSION DETECTION

Identifiers

URI

http://scigraph.springernature.com/pub.10.1186/s13173-017-0066-7

DOI

http://dx.doi.org/10.1186/s13173-017-0066-7

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1100279447



    JSON-LD is the canonical representation for SciGraph data.


    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0803", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Computer Software", 
            "type": "DefinedTerm"
          }, 
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Information and Computing Sciences", 
            "type": "DefinedTerm"
          }
        ], 
        "author": [
          {
            "affiliation": {
              "alternateName": "Laboratory for Analysis and Architecture of Systems", 
              "id": "https://www.grid.ac/institutes/grid.462430.7", 
              "name": [
                "INSA Toulouse, 135 avenue de Rangueil, 31400, Toulouse, France", 
                "Laboratoire d\u2019Analyse et d\u2019Architecture des Syst\u00e8mes (LAAS-CNRS), 7 avenue du Colonel Roche, 31400, Toulouse, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Morgan", 
            "givenName": "Beno\u00eet", 
            "id": "sg:person.016616243513.70", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.016616243513.70"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "Laboratory for Analysis and Architecture of Systems", 
              "id": "https://www.grid.ac/institutes/grid.462430.7", 
              "name": [
                "INSA Toulouse, 135 avenue de Rangueil, 31400, Toulouse, France", 
                "Laboratoire d\u2019Analyse et d\u2019Architecture des Syst\u00e8mes (LAAS-CNRS), 7 avenue du Colonel Roche, 31400, Toulouse, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Alata", 
            "givenName": "\u00c9ric", 
            "id": "sg:person.015130743333.40", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015130743333.40"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "Laboratory for Analysis and Architecture of Systems", 
              "id": "https://www.grid.ac/institutes/grid.462430.7", 
              "name": [
                "INSA Toulouse, 135 avenue de Rangueil, 31400, Toulouse, France", 
                "Laboratoire d\u2019Analyse et d\u2019Architecture des Syst\u00e8mes (LAAS-CNRS), 7 avenue du Colonel Roche, 31400, Toulouse, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Nicomette", 
            "givenName": "Vincent", 
            "id": "sg:person.013435746406.72", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013435746406.72"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "Laboratory for Analysis and Architecture of Systems", 
              "id": "https://www.grid.ac/institutes/grid.462430.7", 
              "name": [
                "Laboratoire d\u2019Analyse et d\u2019Architecture des Syst\u00e8mes (LAAS-CNRS), 7 avenue du Colonel Roche, 31400, Toulouse, France"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Ka\u00e2niche", 
            "givenName": "Mohamed", 
            "id": "sg:person.011601346047.21", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011601346047.21"
            ], 
            "type": "Person"
          }
        ], 
        "citation": [
          {
            "id": "sg:pub.10.1007/978-3-642-23644-0_20", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1019808031", 
              "https://doi.org/10.1007/978-3-642-23644-0_20"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-37300-8_2", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1043780276", 
              "https://doi.org/10.1007/978-3-642-37300-8_2"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/2954680.2872379", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1063166676"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/prdc.2015.46", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1093177514"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/malware.2010.5665798", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1094783648"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/ladc.2016.31", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1095584725"
            ], 
            "type": "CreativeWork"
          }
        ], 
        "datePublished": "2018-12", 
        "datePublishedReg": "2018-12-01", 
        "description": "Input/output (I/O) attacks have received increasing attention during the last decade. These attacks are performed by malicious peripherals that make read or write accesses to DRAM memory or to memory embedded in other peripherals, through DMA (Direct Memory Access) requests. Some protection mechanisms have been implemented in modern architectures to face these attacks. A typical example is the IOMMU (Input-Output Memory Management Unit). However, such mechanisms may not be properly configured and used by the firmware and the operating system. This paper describes a design weakness that we discovered in the configuration of an IOMMU and a possible exploitation scenario that would allow a malicious peripheral to bypass the underlying protection mechanism. The exploitation scenario is implemented for Intel architectures, with a PCI Express peripheral Field Programmable Gate Array, based on Intel specifications and Linux source code analysis. Finally, as a proof of concept, a Linux rootkit based on the attack presented in this paper is implemented.", 
        "genre": "non_research_article", 
        "id": "sg:pub.10.1186/s13173-017-0066-7", 
        "inLanguage": [
          "en"
        ], 
        "isAccessibleForFree": true, 
        "isPartOf": [
          {
            "id": "sg:journal.1136200", 
            "issn": [
              "0104-6500", 
              "1678-4804"
            ], 
            "name": "Journal of the Brazilian Computer Society", 
            "type": "Periodical"
          }, 
          {
            "issueNumber": "1", 
            "type": "PublicationIssue"
          }, 
          {
            "type": "PublicationVolume", 
            "volumeNumber": "24"
          }
        ], 
        "name": "IOMMU protection against I/O attacks: a vulnerability and a proof of concept", 
        "pagination": "2", 
        "productId": [
          {
            "name": "readcube_id", 
            "type": "PropertyValue", 
            "value": [
              "d1bb04c81ff40d242648a2fbb083e318edb856e5b6b9a7b010c7303e08e13677"
            ]
          }, 
          {
            "name": "doi", 
            "type": "PropertyValue", 
            "value": [
              "10.1186/s13173-017-0066-7"
            ]
          }, 
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "pub.1100279447"
            ]
          }
        ], 
        "sameAs": [
          "https://doi.org/10.1186/s13173-017-0066-7", 
          "https://app.dimensions.ai/details/publication/pub.1100279447"
        ], 
        "sdDataset": "articles", 
        "sdDatePublished": "2019-04-10T22:27", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000001_0000000264/records_8690_00000493.jsonl", 
        "type": "ScholarlyArticle", 
        "url": "http://link.springer.com/10.1186/s13173-017-0066-7"
      }
    ]
     


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1186/s13173-017-0066-7'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1186/s13173-017-0066-7'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1186/s13173-017-0066-7'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1186/s13173-017-0066-7'


     

    This table displays all metadata directly associated to this object as RDF triples.

    103 TRIPLES      21 PREDICATES      33 URIs      19 LITERALS      7 BLANK NODES

     



