Abstract
Attackers constantly explore ways to camouflage illicit activities against computer platforms. Stealthy attacks are required in industrial espionage and also by criminals stealing banking credentials. Modern computers contain dedicated hardware such as network and graphics cards. Such devices implement independent execution environments but have direct memory access (DMA) to the host runtime memory. In this work we introduce DMA malware, i.e., malware executed on dedicated hardware to launch stealthy attacks against the host using DMA. DMA malware goes beyond the capability to control DMA hardware. We implemented DAGGER, a keylogger that attacks Linux and Windows platforms. Our evaluation confirms that DMA malware can efficiently attack kernel structures even if memory address randomization is in place. DMA malware is stealthy to a point where the host cannot detect its presence. We evaluate and discuss possible countermeasures and the (in)effectiveness of hardware extensions such as input/output memory management units.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stewin, P., Bystrov, I. (2013). Understanding DMA Malware. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_2
DOI: https://doi.org/10.1007/978-3-642-37300-8_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37299-5
Online ISBN: 978-3-642-37300-8