takingdma attacks to thenextlevel - black hat...completeness of the information in this...
TRANSCRIPT
![Page 1: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/1.jpg)
Taking DMA Attacks to the Next Level:How to do arbitrary reads/writes in a live and unmodified systemusing a rogue memory controller
Anna Trikalinou and Dan Lake© 2017 Intel Corporation
![Page 2: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/2.jpg)
Legal Notices and Disclaimers
o This presentation contains the general insights and opinions of Anna Trikalinou and Dan Lake (collectively “Presenters”). The views, opinions, findings, and conclusions or recommendations expressed in this presentation are strictly those of the Presenters and do not necessarily reflect the official policy or position of the Presenters’ employer. The information in this presentation is provided for information only and is not to be relied upon for any purpose other than educational. Use at your own risk! Presenters make no representations or warranties regarding the accuracy or completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information. Presenters are not liable for any damages, direct or indirect, consequential or otherwise, that may arise, directly or indirectly, from the use or misuse of the information in this presentation.o No computer system can be absolutely secure. o No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.o Intel, the Intel logo and Intel Core are trademarks of Intel Corporation in the United States and other countries. o *Other names and brands may be claimed as the property of others.
© 2017 Intel Corporation.
![Page 3: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/3.jpg)
Who are we
• Anna Trikalinou, PhDResearch ScientistIntel Labs, Intel CorporationEmail: [email protected]
• Dan LakeSystems EngineerIntel Labs, Intel CorporationEmail: [email protected]
![Page 4: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/4.jpg)
About this talk
• This talk describes early research into a physical attack on DRAM memory
• We describe hardware design and protocol limitations
• If successful, the result is full access to all physical memory
• Applicable to all memories which follow the JEDEC spec and all architectures
4
![Page 5: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/5.jpg)
Intro to DMA attacks
• Physical attack where the attacker connects to a DMA-capable port and gains full read/write access to the entire physical memory
e.g. PCI, PCI-E, FireWire, USB, etc.
• Goal:
Extract secrets (i.e. disk encryption keys)
Bypass platform’s security policies (i.e. modify page tables)
5
![Page 6: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/6.jpg)
Example of DMA attack
• Ulf Frisk demonstrated a DMA attack on a MacBook Air
• He was able to obtain the FileVault disk encryption password
• macOS Sierra 10.12.2 software update patched the security issue (Dec 2016)
6
Source: http://blog.frizk.net/2016/12/filevault-password-retrieval.html
![Page 7: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/7.jpg)
Pros & Cons of Existing Attacks from Attacker’s Perspective
• Pros:
HW, SW and tutorials are readily available
• Cons:
Require specific interface
Can be mitigated by BIOS & VT-d
Can be mitigated by blocking associated drivers and ports
7
![Page 8: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/8.jpg)
Motivation
• Pros:
HW, SW and tutorials are readily available
• Cons:
Require specific interface
Can be mitigated by BIOS & VT-d
Can be mitigated by blocking associated drivers and ports
What if we could eliminate these?8
![Page 9: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/9.jpg)
DRAM design
• A DIMM consists of a series of DRAM chips, mounted on a PCB.
• The DIMM is inserted into a DIMM socket on the motherboard, which then communicates with the processor.
9Photo credits: https://www.oempcworld.com/mm5/graphics/00000001/ddr4.jpghttp://p.globalsources.com/IMAGES/PDT/B1123866513/DIMM-Socket-Connector.jpg
![Page 10: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/10.jpg)
DRAM Placement
4 available DIMM Sockets1 DIMM inserted
Reference System: Desktop with current generation motherboard and CPU
10
![Page 11: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/11.jpg)
DRAM Placement
DIMM PCB
Empty DIMM socket
11
![Page 12: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/12.jpg)
DRAM HW Design
DIMM PCB
Empty DIMM socket
12
DIMM pins
![Page 13: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/13.jpg)
DRAM Placement on Back Side
13
Reference System: Desktop with current generation motherboard and CPU
![Page 14: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/14.jpg)
DRAM HW Design
• All 288-pins of each DIMM socket are exposed on both sides of the motherboard
• Pins are electrically connected
14
![Page 15: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/15.jpg)
How could we exploit that?
• What if we could plug into those pins and request reads/writes from the DIMM as a “memory controller”?
15
![Page 16: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/16.jpg)
DRAM Functionality
• Specified by JEDEC Standard
• Defines the set of requirements that must be satisfied by all memory modules and all architectures
16
Memory Controller
CPU
![Page 17: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/17.jpg)
DRAM Functionality: Initialization
1. CPU reads DIMM’s Serial Presence Detect (SPD) EEPROM data via SMBus
Manufacturer, module serial, supported voltage, minimum latencies, etc.
Bypass Memory Controller17
CPURead SPD
![Page 18: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/18.jpg)
DRAM Functionality: Initialization
2. CPU decides on a clock frequency and configures Memory Controller
18
Memory Controller
CPU
Configure MC
![Page 19: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/19.jpg)
DRAM Functionality: Initialization
3. Memory Controller performs memory calibration
MC is agnostic of motherboard and DIMM traces
Calculates the round-trip time between MC and DIMM
Calculates discrepancies between different traces 19
Memory Controller
CPU
Calibrate
![Page 20: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/20.jpg)
DRAM Functionality: Initialization
4. Memory Controller sets DIMM’s Mode Registers
Enable/disable features, fine tune timings
20
Memory Controller
CPU
Configure Mode
Registers
![Page 21: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/21.jpg)
DRAM Functionality: Normal Operation (S0)
• CPU requests reads & writes
• Memory Controller schedules and optimizes memory accesses
• Memory Controller schedules periodic memory refreshes21
Memory Controller
CPU
Read/write request
![Page 22: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/22.jpg)
DRAM Functionality: Normal Operation (S0)
• CPU requests reads & writes
• Memory Controller schedules and optimizes memory accesses
• Memory Controller schedules periodic memory refreshes22
Memory Controller
CPU
Read/write request
![Page 23: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/23.jpg)
DRAM Functionality: Normal Operation (S0)
• CPU requests reads & writes
• Memory Controller schedules and optimizes memory accesses
• Memory Controller schedules periodic memory refreshes23
Memory Controller
CPU
Read data
![Page 24: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/24.jpg)
DRAM Functionality: Normal Operation (S0)
• CPU requests reads & writes
• Memory Controller schedules and optimizes memory accesses
• Memory Controller schedules periodic memory refreshes24
Memory Controller
CPU
Read data
![Page 25: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/25.jpg)
DRAM Functionality: Normal Operation (S0)
• CPU requests reads & writes
• Memory Controller schedules and optimizes memory accesses
• Memory Controller schedules periodic memory refreshes25
Memory Controller
CPU
Refresh
![Page 26: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/26.jpg)
DRAM Functionality: Sleep (S3)
• CPU is powered off
• Memory controller is powered off
• Clock Enable (CKE) memory signal is 0
• The rest of the signals are in tri-state
• DIMM is in self-refresh state26
Memory Controller
CPU
CKE signal to 0
![Page 27: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/27.jpg)
DRAM Functionality: Waking up to S0
• CPU and Memory Controller are powered on
• Memory Controller pulls CKE to 1
• Read & Write requests can now be issued
27
Memory Controller
CPU
CKE signal to 1
![Page 28: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/28.jpg)
Protocol Limitation
• No state information is held on the DIMM
• e.g. calibration results, clock frequency
• No authentication between MC and DIMM
• Nothing prevents an attacker from impersonating a Memory Controller
28
Memory Controller
CPU
![Page 29: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/29.jpg)
Could we exploit that?
CPU
DDR
Victim System
RogueMC
Attacker’s System
USB
MC
• Create a device that:
Attaches to the exposed signal pins
Impersonate a MC
• Extremely difficult when system is in S0
• Possible when system is in S3 sleep
29
![Page 30: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/30.jpg)
Could we exploit that?
CPU
DDR
Victim System
RogueMC
Attacker’s System
USB
MC
• Example:
The victim goes to a conference and leaves their system in sleep
The attacker attaches their rogue MC on the exposed pins
The attacker now owns the system
30
![Page 31: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/31.jpg)
Requirements for Successful Exploitation
• Attach rogue MC to the victim system while in S3 sleep
Pull CKE to 1 to “wake up” the DIMM
Calibrate our rogue MC to the memory bus traces
Send memory read/write commands to the DIMM
Put CKE to 0 to put the DIMM to sleep
• Detach from the victim system and wake up normally
31
![Page 32: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/32.jpg)
Signal Injection: CKE signal
• CKE must be pulled up above ~0.7V (logic high threshold)
• Find RA so that DIMM sees logic high transition
• Larger values reduce current into victim MC (IA)
32
![Page 33: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/33.jpg)
Signal Injection: CKE signal
A safe value for RA was found to be ~50ohm33
![Page 34: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/34.jpg)
Rogue MC Calibration
CPU
DDR
Victim System
RogueMC
Attacker’s System
USB
MC
• Need to train our rogue MC with the new traces
• Normally happens on first boot, can be done any time
• Calibration results will be the same on the same system + DIMM models
34
![Page 35: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/35.jpg)
Adjust Clock Frequency
• Rogue MC provides a differential clock signal
• Attacker’s clock can be different than the victim clock
Lower clock frequency Better signal integrity
• DDR4 has a default minimum frequency of 800 MHz
When “DLL-off” Mode Register is enabled, clock frequency can be significantly lower (as low as ~128 MHz)
This Mode Register is accessible to the attacker!
35
![Page 36: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/36.jpg)
Issue Reads/Writes
• Follows JEDEC specification using off the shelf FPGA MC
• Iterate through reading all memory addresses
• Selectively write to memory addresses of interest
36Photo credit: JEDEC Spec DDR4 SDRAM
![Page 37: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/37.jpg)
Rogue Memory Controller Board
37
FPGA
![Page 38: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/38.jpg)
Mechanical ConnectorMotherboard DDR4 Connector Pins
Rogue Memory Controller Board
Crown Tipped Spring Probes
38
![Page 39: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/39.jpg)
Threat Model
39
• Requires a skilled HW attacker
• Physical access to the victim system
• Invasive
• Requires time to conduct
• May require prior knowledge of the victim system spec
![Page 40: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/40.jpg)
Challenges / Future Work
40
• Complete mechanical connector
• Run attack against full length bus
• We anticipate signal noise/reflection challenges
![Page 41: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/41.jpg)
Mitigations
41
• Short-term
Use hibernate (S4) instead of sleep (S3)
Focus on physical security
• Long-term
Enhance DIMM socket and motherboard design to restrict access to pins
Enhance JEDEC spec to perform authentication
![Page 42: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/42.jpg)
Conclusions
42
• Described early research into a physical attack on DRAM memory
• A skilled attacker could exploit HW design and protocol limitations
• New line of research for physical security
• Short- and long-term mitigations are possible
![Page 43: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/43.jpg)
Questions?
• Thank you!
• We are hiring!
43
![Page 44: TakingDMA Attacks to theNextLevel - Black Hat...completeness of the information in this presentation. Presenters accept no duty to update this presentation based on more current information](https://reader033.vdocuments.site/reader033/viewer/2022042004/5e6f0811a1d1036ed53f9083/html5/thumbnails/44.jpg)
Acknowledgements
We would like to thank the following current or former Intel Employees for their contributions to the work upon which this research builds:
Abhishek Basak
Rodrigo Branco
Sergej Deutsch
David Durham
Ken Grewal
Shay Gueron
Przemek Guzy
Jayson Strayer 44