ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Bypassing Kernel DMA Protection #172

Closed eljeffeg closed 4 months ago

eljeffeg commented 3 years ago

I'm trying to think of ways to get around Microsoft's Kernel DMA protection. I noted that they say "This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on."

I've seen you use an ExpressCard with PCIleech. If a proper adapter were found (maybe something like this), would it allow you to bypass the DMA Protection? Or can the FPGA pretend to be such a device?

Alternatively, can anything be done if the FPGA presented compatibility with DMA remapping, allowing it to be used with Thunderbolt? I'd assume that tech is designed to protect against this exact issue, but figured I'd ask in case it could provide limited access to the system that might allow other exploitation.

Finally, any thoughts of the possibility of a blue pill boot that implements a downgrade style attack on the VT-d / IOMMU protections allowing the DMA attack to function?

ufrisk commented 3 years ago

Apologies for my slow response. I'm trying to have some kind of vacation so things are moving a bit slowly right now.

I have not researched ExpressCard vs Kernel DMA protections.

About Thunderbolt: I guess the FPGA (if programmed in such a way) could present itself to the OS as supporting DMA remapping; but that would in itself make the use case rather uninteresting, since the meaning of that is that the OS limits access to non-device memory (which is what we want to attack in the first place). My guess is that the use case would be rather moot unless you're out to chain it with some other issue (a vulnerability in a device driver, for example).

And lastly: unless anything changed, if you're able to compromise UEFI without triggering BitLocker/Secure Boot measurements, you'd be able to disable DMA protections in the OS, for example by corrupting the DMAR ACPI table. Last time I checked, Windows booted normally even though I had corrupted it, leaving the VT-d protections disabled. But that was quite a while ago...

And I'm currently off vacation / have a few other things to take care of so I won't be able to check it out in the next few weeks. Please let me know if you get any clarity in this in your own investigations :)
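Since the DMAR table is the one ufrisk mentions above, here is an added example (not code from the pcileech project or from anyone in this thread) of the check a defender can run on a dumped DMAR table: verify the ACPI byte-sum checksum, read the DMA_CTRL_PLATFORM_OPT_IN_FLAG that Windows Kernel DMA Protection requires firmware to set, and list the DRHD remapping units. The sample table is constructed in the block, not dumped from real firmware.

```python
import struct

DMAR_OPT_IN_FLAG = 1 << 2  # DMA_CTRL_PLATFORM_OPT_IN_FLAG in the DMAR flags byte (Intel VT-d spec)
HDR_FMT = "<4sIBB6s8sI4sI"  # 36-byte ACPI System Description Table header


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI requires every byte of a table, checksum byte included, to sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_dmar(table: bytes) -> dict:
    """Parse the ACPI header, the DMAR-specific fields and the DRHD remapping structures."""
    if len(table) < 48:
        raise ValueError("table shorter than the fixed DMAR header")
    sig, length, _rev, _chk, _oem, _oem_tbl, _oem_rev, _cre, _cre_rev = struct.unpack_from(HDR_FMT, table, 0)
    if sig != b"DMAR":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header claims {length} bytes, {len(table)} present")
    haw, flags = struct.unpack_from("<BB", table, 36)  # host address width (N -> N+1 bits), flags
    units, off = [], 48
    while off < length:  # walk the variable-length remapping structures
        stype, slen = struct.unpack_from("<HH", table, off)
        if slen < 4 or off + slen > length:
            raise ValueError(f"bad remapping structure length at offset {off}")
        if stype == 0:  # DRHD: flags, size/reserved, PCI segment, register base address
            dflags, _size, seg, base = struct.unpack_from("<BBHQ", table, off + 4)
            units.append({"segment": seg, "reg_base": base, "include_pci_all": bool(dflags & 1)})
        off += slen
    return {"host_address_width": haw + 1, "opt_in": bool(flags & DMAR_OPT_IN_FLAG),
            "checksum_ok": acpi_checksum_ok(table), "drhd": units}


def build_sample_dmar(opt_in: bool) -> bytes:
    """Constructed sample table (not from real firmware): one DRHD covering all PCI devices."""
    flags = DMAR_OPT_IN_FLAG if opt_in else 0
    body = struct.pack("<BB10x", 38, flags)  # HAW field 38 -> 39-bit addressing, flags, reserved
    drhd = struct.pack("<HHBBHQ", 0, 16, 1, 0, 0, 0xFED90000)  # type 0, len 16, INCLUDE_PCI_ALL
    length = 36 + len(body) + len(drhd)
    hdr = struct.pack(HDR_FMT, b"DMAR", length, 1, 0, b"INTEL ", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(hdr + body + drhd)
    table[9] = (-sum(table)) % 256  # fill in the checksum byte so the table sums to zero
    return bytes(table)


if __name__ == "__main__":
    print(parse_dmar(build_sample_dmar(opt_in=True)))
```

On Linux the firmware's table can be read from /sys/firmware/acpi/tables/DMAR (as root) and fed to parse_dmar; a failed checksum or a cleared opt-in flag on a machine that is supposed to have Kernel DMA Protection is worth investigating.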

amw87 commented 1 year ago

If I'm not mistaken, Windows Kernel DMA Protection may be a game changer... Modern Dell OptiPlex desktops, for example, have Windows 10 with Kernel DMA Protection enabled by default. My understanding is that this needs to be disabled in the EFI/BIOS, which can be password protected and is no longer 'resettable' via the old tricks of a CMOS jumper/battery etc. Would welcome your thoughts. Edit: I read your article here: http://blog.frizk.net/2016/11/disable-virtualization-based-security.html which actually may address some of this.

ufrisk commented 1 year ago

DMA protections of varying degrees on Windows and the more recent Linux distributions are a game changer indeed if your use case is to gain access to locked computers (if these features are enabled). They will block this use case.

These features are sometimes disabled by the hardware vendor though. Also the user may disable these features if the use case is to use DMA on your own computer.

The blog entry is less relevant today since most vendors have restricted DMA access pre-boot since 2016.

ufrisk commented 4 months ago

I'm closing this issue due to old age.