BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Thunderclap: Exploring Vulnerabilities in Operating System IOMMU P
 rotection via DMA from Untrustworthy Peripherals - Theo Markettos\, Compu
 ter Laboratory\, University of Cambridge
DTSTART:20190219T140000Z
DTEND:20190219T144500Z
UID:TALK119290@talks.cam.ac.uk
CONTACT:Alexander Vetterl
DESCRIPTION:Note: This is a practice talk for NDSS (~20min)\n\nDirect Memo
 ry Access (DMA) attacks have been known for many years: DMA-enabled I/O pe
 ripherals have complete access to the state of a computer and can fully co
 mpromise it including reading and writing all of system memory. With the p
 opularity of Thunderbolt 3 over USB Type-C and smart internal devices\, op
 portunities for these attacks to be performed casually with only seconds o
 f physical access to a computer have greatly broadened. In response\, comm
 odity hardware and operating system (OS) vendors have incorporated support
  for Input-Output Memory Management Units (IOMMUs)\, which impose memory p
 rotection on DMA\, and are widely believed to protect against DMA attacks
 .\n\nWe investigate the state-of-the-art in IOMMU protection across OSes u
 sing a novel I/O-security research platform\, and find that current protec
 tions fall short when faced with a functional network peripheral that uses
  its complex interactions with the OS for ill intent. We describe vulnerab
 ilities in macOS\, FreeBSD\, and Linux\, which notionally utilize IOMMUs t
 o protect against DMA attackers. Windows uses the IOMMU only in limited c
 ases and it remains vulnerable. Using Thunderclap\, an open-source FPGA r
 esearch platform that we built\, we explore new classes of OS vulnerabilit
 y arising from inadequate use of the IOMMU. The complex vulnerability spac
 e for IOMMU-exposed shared memory available to DMA-enabled peripherals all
 ows attackers to extract private data (sniffing cleartext VPN traffic) and
  hijack kernel control flow (launching a root shell) in seconds using devi
 ces such as USB-C projectors or power adapters. We have worked closely wit
 h OS vendors to remedy these vulnerability classes\, and they have now shi
 pped substantial feature improvements and mitigations as a result of our w
 ork.
LOCATION:LT2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
