Understanding DMA Malware

Attackers constantly explore ways to camouflage illicit activities against computer platforms. Stealthy attacks are required in industrial espionage and also by criminals stealing banking credentials. Modern computers contain dedicated hardware such as network and graphics cards. Such devices implement independent execution environments but have direct memory access (DMA) to the host runtime memory. In this work we introduce DMA malware, i.e., malware executed on dedicated hardware to launch stealthy attacks against the host using DMA. DMA malware goes beyond the mere capability to control DMA hardware. We implemented DAGGER, a keylogger that attacks Linux and Windows platforms. Our evaluation confirms that DMA malware can efficiently attack kernel structures even if memory address randomization is in place. DMA malware is stealthy to a point where the host cannot detect its presence. We evaluate and discuss possible countermeasures and the (in)effectiveness of hardware extensions such as input/output memory management units.
