ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

About IOMMU/VT-d #32

Closed. tobyxdd closed this issue 6 years ago.

tobyxdd commented 6 years ago

Does not work if the OS uses the IOMMU/VT-d. This is the default on macOS (unless disabled in recovery mode). Windows 10 with Virtualization based security features enabled does not work fully - this is however not the default setting in Windows 10 or Linux.

I'm a little curious about why exactly the virtualization affects this, and what is the meaning of "does not work fully"? Many thanks!

ufrisk commented 6 years ago

The IOMMU is a memory management unit for devices, which basically allows for the operating system to assign "device page tables" to individual devices.

Many operating systems do not use the IOMMU to protect against DMA attacks at all. Some systems, such as Windows 10 with Virtualization Based Security, will only protect their "secure kernel" fully, while leaving ordinary kernel/user-space read-only or totally unprotected (that is what I mean by "does not work fully"). Some systems, such as macOS, protect almost everything by default.
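Editor's note (added example, not part of the thread or of pcileech): the explanation above makes the target's IOMMU configuration the deciding factor for whether an arbitrary physical-memory read over DMA will succeed. On a Linux target that configuration can be read from two places: the kernel command line and `/sys/kernel/iommu_groups`, which the kernel populates with one numbered directory per group only when DMA remapping is active. The script below classifies both signals. The sample command lines in its comments and tests are constructed; the option names (`intel_iommu=on`, `iommu=pt`, `iommu.passthrough=1`, `iommu=off`, `amd_iommu=off`) are real kernel parameters, and the `--live` flag and function names are this example's own.

```bash
#!/bin/sh
# Added example (not pcileech code): classify how a Linux host has its
# IOMMU configured, which decides whether a DMA device can read arbitrary
# physical memory. Sample inputs used in testing are constructed.

# Classify a kernel command line. Prints one word:
#   off          - IOMMU explicitly disabled
#   passthrough  - IOMMU on, but host-owned devices get an identity (1:1)
#                  mapping, so a malicious device still reaches any physical
#                  address; from an attacker's point of view this is "off"
#   translated   - IOMMU on with per-device page tables (DMA remapping)
#   unknown      - nothing decisive on the command line (Intel needs
#                  intel_iommu=on unless the kernel defaults it on; AMD
#                  enables its IOMMU by default when firmware exposes it,
#                  so the group count below is the authoritative signal)
iommu_mode_from_cmdline() {
    padded=" $1 "
    case "$padded" in
        *" iommu=off "*|*" intel_iommu=off "*|*" amd_iommu=off "*)
            echo off; return 0 ;;
    esac
    case "$padded" in
        *" iommu=pt "*|*" iommu.passthrough=1 "*)
            echo passthrough; return 0 ;;
    esac
    case "$padded" in
        *" intel_iommu=on "*)
            echo translated; return 0 ;;
    esac
    echo unknown
}

# Count IOMMU groups under a sysfs root (default /sys/kernel/iommu_groups).
# Zero groups, or no such directory, means no device is behind DMA remapping.
iommu_group_count() {
    root="${1:-/sys/kernel/iommu_groups}"
    n=0
    if [ ! -d "$root" ]; then
        echo 0
        return 0
    fi
    for g in "$root"/*/; do
        if [ -d "$g" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Live check of this host: combine both signals into one verdict line.
iommu_live_verdict() {
    mode=$(iommu_mode_from_cmdline "$(cat /proc/cmdline 2>/dev/null)")
    groups=$(iommu_group_count /sys/kernel/iommu_groups)
    if [ "$groups" -eq 0 ]; then
        echo "no IOMMU groups: DMA is unrestricted (cmdline says: $mode)"
    elif [ "$mode" = passthrough ]; then
        echo "$groups IOMMU groups but passthrough mode: host devices identity-mapped, DMA reads of kernel memory still possible"
    else
        echo "$groups IOMMU groups: DMA remapping active (cmdline says: $mode)"
    fi
}

# Run the live check only when asked, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    iommu_live_verdict
fi
```

Run it as `sh iommu_check.sh --live` on the target (or the lab machine standing in for it). The passthrough case is the one worth remembering: `iommu=pt` is a common performance setting on servers, and a host that looks protected by its group count is still readable over DMA in that mode.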

tobyxdd commented 6 years ago

Thank you for the explanation. I wonder if there is any other way to get around this protection? (Although it may be off-topic for this project) Is it possible to directly "hijack" the DRAM, for example to plug into the pins of its socket and record IO operations to get a full copy of physical memory?

ufrisk commented 6 years ago

About the RAM attack you mention, it's been done, but it's cutting edge research.

https://www.blackhat.com/us-17/briefings.html#taking-dma-attacks-to-the-next-level-how-to-do-arbitrary-memory-reads-writes-in-a-live-and-unmodified-system-using-a-rogue-memory-controller

tobyxdd commented 6 years ago

Thanks for the information! It doesn't seem very practical yet.