
You have Thunderclap! macOS, Windows pwnage via peripherals is back in black • The Register

Computers have enough trouble defending sensitive data in memory from prying eyes that you might think it would be unwise to provide connected external devices with direct memory access (DMA).

Nevertheless, device makers have embraced DMA because it allows peripherals to read and write memory without operating system oversight, which improves performance. It has become common in network cards and GPUs, where efficient data transfer is required.

To prevent abuse, vendors have implemented input-output memory management units (IOMMUs), which attempt to limit the areas of memory available to attached devices. Unfortunately, as with CPU architecture features designed to deliver speed, such as speculative execution, IOMMUs turn out to be less convincing in their defense than hoped. A wide variety of laptops and desktops can be compromised by malicious external devices, allowing them to read memory and extract secrets, despite the supposed protection.

Evidence that external devices can pwn you

A paper presented today at the Network and Distributed System Security Symposium (NDSS) in San Diego, California, describes a set of security issues in macOS, FreeBSD, and Linux, which "notionally use IOMMUs to protect against DMA attackers."

"Notionally" here serves as polite academic language for "fail". As the paper's authors put it: "We investigate the state of the art in IOMMU protection across operating systems using a novel I/O security research platform, and find that today's protections fall short when faced with a functional network peripheral that uses its complex interactions with the operating system for malicious purposes."

The aforementioned research platform, called Thunderclap, and the associated paper represent the work of researchers at several universities and think tanks: A. Theodore Markettos, Colin Rothwell, Allison Pearce, Simon W. Moore and Robert N. M. Watson (University of Cambridge), Brett F. Gutstein (Rice University) and Peter G. Neumann (SRI International).

Thunderclap is an FPGA-based peripheral emulation platform. The researchers say it can be used to interact with a computer's operating system and device drivers while bypassing IOMMU protection. You plug it into a machine and seconds later the machine is compromised.

"The results are catastrophic and reveal endemic vulnerability in the presence of a more sophisticated attacker, despite the explicit use of IOMMUs to limit I/O attacks," the paper explains. "We are able to achieve IOMMU bypass within seconds of being connected to vulnerable macOS, FreeBSD, and Linux systems across a variety of hardware vendors."

Malicious peripherals may not be as alarming as remote code execution, because local access to a target device is necessary and physical security measures may be effective. However, DMA attack scenarios should not be brushed aside too readily.

"In the most accessible version of our story, you are given a VGA/Ethernet dongle, power adapter or USB-C storage device by a malicious person or organization, and your device is immediately compromised," explained Robert N. M. Watson, associate professor of systems security and architecture at the University of Cambridge Computer Laboratory, in an email to The Register.

"But it is worth thinking a little further: we can consider a number of supply chain and remote device attacks, such as attacks against Thunderbolt or PCIe devices themselves, that allow them to be turned against an end user."

Consider supply and demand

For example, Watson refers to supply chain attacks originating in a factory or during firmware development, or resulting from a vulnerability in Ethernet dongle firmware or Wi-Fi firmware that can be triggered via malicious network traffic. He also suggests the possibility of a supply chain attack involving malicious firmware on public USB charging stations.

Devices with a Thunderbolt port, whether Thunderbolt 3 (USB-C) or older versions of Thunderbolt (Mini DisplayPort connectors), are affected by this research: Apple laptops and desktops since 2011, and some Linux and Windows laptops and desktops since 2016. Devices that accept PCIe peripherals, via plug-in cards or slots on the motherboard, are also affected.

Apple, Microsoft and Intel have issued patches that partially address the disclosed vulnerabilities, but additional restrictions will be needed to resolve the issues identified by the researchers. Windows, which makes limited use of the IOMMU, remains vulnerable.

For example, the paper notes that macOS 10.12.4 implements a code-pointer tracking feature that restricts the injection of kernel pointers, but fails to protect other data fields, including data pointers, which may leave systems vulnerable.

Microsoft released Kernel DMA Protection to provide IOMMU support on devices shipped with Windows 10 1803 (machines upgraded to it do not count), but has yet to publish documentation for device driver makers on implementing such defenses.

The Linux security team considers peripheral security part of its threat model, but regards the problem as difficult to address because of the variety of device drivers. An Intel patch in kernel 4.21 enables the IOMMU for Thunderbolt ports and disables ATS (Address Translation Services). The FreeBSD project does not consider malicious external devices part of its threat model, but has requested a copy of the paper for review.

Protecting Yourself

"For systems where it is under administrative control (Linux and FreeBSD), we recommend activating the IOMMU at startup," said Theodore Markettos, senior research associate at the University of Cambridge Computer Laboratory, in an email to The Register.

"This is likely to have a performance implication. Our work indicates that the interface between DMA-capable external devices and the kernel is much richer and more nuanced than previously thought."
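As an added illustration of Markettos's advice for Linux hosts, the following POSIX shell check (written for this edit, not code from the paper or the Thunderclap project; function names are my own) classifies a machine's IOMMU state from the kernel command line and the contents of /sys/kernel/iommu_groups. It also flags the iommu=pt passthrough setting, under which the IOMMU is on but host devices are identity-mapped and therefore gain no isolation from a hostile peripheral.

```shell
#!/bin/sh
# Added example (not the paper's or Thunderclap's code; names are hypothetical):
# classify a Linux host's IOMMU state from two inputs so the logic runs offline.
# iommu_status CMDLINE GROUP_COUNT  (CMDLINE = /proc/cmdline contents,
# GROUP_COUNT = entries under /sys/kernel/iommu_groups). Prints one of:
#   disabled    no IOMMU groups, so no DMA remapping is active at all
#   passthrough IOMMU on, but iommu=pt identity-maps host devices, so a
#               malicious peripheral still reaches all physical memory
#   enabled     IOMMU on with per-device translation
iommu_status() {
    cmdline="$1"
    groups="$2"
    if [ "$groups" -le 0 ]; then
        echo disabled
        return 0
    fi
    case " $cmdline " in
        *" iommu=pt "*) echo passthrough ;;
        *)              echo enabled ;;
    esac
}

# count_iommu_groups DIR: number of group directories, 0 if DIR is absent.
count_iommu_groups() {
    dir="$1"
    n=0
    if [ -d "$dir" ]; then
        for g in "$dir"/*; do
            [ -e "$g" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# suggested_boot_param STATUS: kernel command-line change to consider.
suggested_boot_param() {
    case "$1" in
        disabled)    echo "add intel_iommu=on (AMD IOMMUs are on by default when present)" ;;
        passthrough) echo "remove iommu=pt to restore DMA isolation" ;;
        *)           echo "none" ;;
    esac
}
# live_check: classify the running kernel; pass --live to this script to run it.
live_check() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    status=$(iommu_status "$cmdline" "$(count_iommu_groups /sys/kernel/iommu_groups)")
    echo "IOMMU: $status; suggestion: $(suggested_boot_param "$status")"
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```

An "enabled" verdict only means remapping is active; whether a given driver is safe against the interactions the paper describes is a separate question.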

Markettos argues that operating system kernels and device drivers should handle interactions with external devices with the same level of caution that operating systems and applications apply to data from the internet.

"The system call interface between processes and the kernel has received significant scrutiny and hardening, and the same process should be applied to the interface between external devices and the kernel," he said.

The researchers have been exploring IOMMU problems since 2015 and working with vendors since 2016. They have now released Thunderclap as an open source project to help find and fix DMA vulnerabilities.

"We began our research on this issue early in 2015 using OS tracing techniques to investigate how IOMMUs were controlled by different operating systems; the results were not encouraging," said Watson.

"This led us to a far more detailed multi-year vulnerability analysis, hardware prototyping and close multi-vendor conversations to help them understand the impact of the work on their current and future products. We very much hope that our open source research platform will now be used by vendors to develop and test their I/O security protections in the future."

And it seems there is more work to be done. Markettos said DMA in peripherals has become commonplace, and he and his colleagues have not yet examined NVMe storage on phones; other phone peripherals including Wi-Fi, GPU, audio, mobile baseband and cameras; the SD card specification v7 (which supports PCIe/NVMe); NVMe over Ethernet and other fabrics; and DMA in embedded systems.

"We have advised vendors to be cautious about adding new devices that support DMA before they understand the security model," said Markettos.
