Skip to main content
SpringerLink
Log in

DMA’n’Play: Practical Remote Attestation Based on Direct Memory Access

  • Conference paper
  • First Online:
Book cover Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13906))

Included in the following conference series:

  • 705 Accesses

Abstract

Remote attestation allows validating the trustworthiness of a remote device. Existing attestation schemes either require hardware changes, trusted computing components, or rely on strict timing constraints. In this paper, we present a novel remote attestation approach, called DMA’n’Play, that tackles these practical limitations by leveraging DMA (direct memory access). Since DMA does not require CPU time, DMA’n’Play even allows attestation of devices with real-time constraints. To prevent the exploitation of side-channels which potentially could determine if the attestation is running, we developed DMA’n’Play To-Go, a small, mobile attestation device that can be plugged into the attested device. We evaluated DMA’n’Play on two real-world devices, namely a syringe pump and a drone. Our evaluation shows that DMA’n’Play adds negligible performance overhead and prevents data-only attacks, by validating critical data in memory.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://github.com/pyserial/pyserial.

  2. 2.

    https://github.com/eliben/pyelftools.

References

  1. Abera, T., et al.: C-flat: control-flow attestation for embedded systems software. In: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2016)

    Google Scholar 

  2. Abera, T., Bahmani, R., Brasser, F., Ibrahim, A., Sadeghi, A.-R., Schunter, M.: Diat: data integrity attestation for resilient collaboration of autonomous systems. In: 2019 Network and Distributed Systems Security Symposium (NDSS). Internet Society (2019)

    Google Scholar 

  3. Abramson, D., et al.: Intel virtualization technology for directed i/o. Intel Technol. J. 10(3) (2006)

    Google Scholar 

  4. Airbus: Operating life. online (2022). https://www.airbus.com/en/products-services/commercial-aircraft/the-life-cycle-of-an-aircraft/operating-life

  5. Aivaliotis, P., Arkouli, Z., Georgoulias, K., Makris, S.: Degradation curves integration in physics-based models: towards the predictive maintenance of industrial robots. Robot. Comput. Integr. Manuf. 71 (2021)

    Google Scholar 

  6. Alrawi, O., Lever, C., Antonakakis, M., Monrose, F.: SoK: security evaluation of home-based IoT deployments. In: IEEE Symposium on Security and Privacy (SP). IEEE (2019)

    Google Scholar 

  7. Altawy, R., Youssef, A.M.: Security, privacy, and safety aspects of civilian drones: a survey. ACM Trans. Cyber-Phys. Syst. 1(2) (2016)

    Google Scholar 

  8. AMD: Amd i/o virtualization technology (iommu) specification. Online (2021). https://www.amd.com/system/files/TechDocs/48882_IOMMU.pdf

  9. ARM: Amba 3 ahb-lite protocol specification. Online (2020). https://www.eecs.umich.edu/courses/eecs373/readings/ARM_IHI0033A_AMBA_AHB-Lite_SPEC.pdf

  10. ARM: Arm cortex-m4 processor technical reference manual. Online (2020). https://developer.arm.com/documentation/100166/0001

  11. ARM: Arm system memory management unit architecture specification. Online (2016). https://documentation-service.arm.com/static/5f900d34f86e16515cdc08fb

  12. ARM: Trustzone technology for armv8-m architecture. Online (2018). https://developer.arm.com/documentation/100690/latest/

  13. ARM: Configuring and enabling the mmu. Online (2022). https://developer.arm.com/documentation/den0024/a/The-Memory-Management-Unit/Translating-a-Virtual-Address-to-a-Physical-Address/Configuring-and-enabling-the-MMU

  14. ARM: Trustzone for armv8-a. Online (2019). https://documentation-service.arm.com/static/602167b6873dd96c4deaf49b

  15. Atmel Corporation: Atmega328p 8-bit avr microcontroller with 32k bytes in-system programmable flash datasheet. Online (2015). https://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-7810-Automotive-Microcontrollers-ATmega328P_Datasheet.pdf

  16. Bai, J.-J., Li, T., Lu, K., Hu, S.-M.: Static detection of unsafe DMA accesses in device drivers. In: 30th USENIX Security Symposium (2021)

    Google Scholar 

  17. Bartlett, G.: Extending the industrial robot life cycle. Online (2021). https://www.swri.org/industry/industrial-robotics-automation/blog/extending-the-industrial-robot-life-cycle

  18. Becher, M., Dornseif, M., Klein, C.N.: Firewire: all your memory are belong to us. In: Proceedings of CanSecWest (2005)

    Google Scholar 

  19. Bitcraze, A.B.: Datasheet crazyflie 2.1 - rev 3. Online (2021). https://www.bitcraze.io/documentation/hardware/crazyflie_2_1/crazyflie_2_1-datasheet.pdf

  20. Böck, B., Austria, S.B.: Firewire-based physical security attacks on windows 7, efs and bitlocker. Secure Business Austria Research Lab (2009)

    Google Scholar 

  21. Brasser, F., Mahjoub, B.E., Sadeghi, A., Wachsmann, C., Koeberl, P.: Tytan: tiny trust anchor for tiny devices. In: 52nd Annual Design Automation Conference. ACM (2015)

    Google Scholar 

  22. Campau, T.: Average age of vehicles in the us increases to 12.2 years, according to s &p global mobility. Online (2022). https://ihsmarkit.com/research-analysis/average-age-of-vehicles-in-the-us-increases-to-122-years.html

  23. Castelluccia, C., Francillon, A., Perito, D., Soriente, C.: On the difficulty of software-based attestation of embedded devices. In: 2009 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2009)

    Google Scholar 

  24. Clements, A.A., et al.: Protecting bare-metal embedded systems with privilege overlays. In: IEEE Symposium on Security and Privacy (SP) (2017)

    Google Scholar 

  25. Coker, G., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10(2) (2011)

    Google Scholar 

  26. Corteggiani, N., Camurati, G., Francillon, A.: Inception: system-wide security testing of real-world embedded systems software. In: 27th USENIX Security Symposium (2018)

    Google Scholar 

  27. Costin, A., Zaddach, J., Francillon, A., Balzarotti, D.: A large-scale analysis of the security of embedded firmwares. In: 23rd USENIX Security Symposium (2014)

    Google Scholar 

  28. Das, S., Zhang, W., Liu, Y.: A fine-grained control flow integrity approach against runtime memory attacks for embedded systems. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 24(11) (2016)

    Google Scholar 

  29. Dawoud, D.S., Dawoud, P.: Serial Communication Protocols and Standards RS232/485, UART/USART, SPI, USB, INSTEON. River Publishers, Wi-Fi and WiMAX (2020)

    Google Scholar 

  30. De Oliveira Nunes, I., Jakkamsetti, S., Rattanavipanon, N., Tsudik, G.: On the toctou problem in remote attestation. In: 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2021)

    Google Scholar 

  31. Dessouky, G., Abera, T., Ibrahim, A., Sadeghi, A.-R.: Litehax: lightweight hardware-assisted attestation of program execution. In: 2018 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE (2018)

    Google Scholar 

  32. Dessouky, G., et al.: Lo-fat: low-overhead control flow attestation in hardware. In: 54th Annual Design Automation Conference (DAC). ACM (2017)

    Google Scholar 

  33. Dornseif, M.: Owned by an ipod: Firewire/1394 issues. In: CanSecWest Security Conference CORE05 (2005)

    Google Scholar 

  34. elm-tech: Gd25q32 datasheet. Online (2014). https://datasheetspdf.com/pdf-file/861582/ELM/GD25Q32/1

  35. elm-tech: Gd25q32c datasheet. Online (2020). http://www.elm-tech.com/en/products/spi-flash-memory/gd25q32/gd25q32.pdf

  36. Espressif Systems: Esp32 technical reference manual. Online (2020). https://www.espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf

  37. Espressif Systems: Esp32-c3 technical reference manual. Online (2022). https://www.espressif.com/sites/default/files/documentation/esp32-c3_technical_reference_manual_en.pdf

  38. Espressif Systems: Esp8266 technical reference manual. Online (2020). https://www.espressif.com/sites/default/files/documentation/esp8266-technical_reference_en.pdf

  39. Falliere, N., Murchu, L.O., Chien, E.: W32. stuxnet dossier. White paper, symantec corp., security response, vol. 5, no. 6 (2011)

    Google Scholar 

  40. Farwell, J.P., Rohozinski, R.: Stuxnet and the future of cyber war. Survival 53(1) (2011)

    Google Scholar 

  41. Feng, B., Mera, A., Lu, L.: P2IM: scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In: 29th USENIX Security Symposium. USENIX Association (2020)

    Google Scholar 

  42. Frisk, U.: Direct memory attack the kernel. In: Proceedings of DEFCON, vol. 24 (2016)

    Google Scholar 

  43. Gemalto: The state of IoT security. Online (2018). https://www.infopoint-security.de/media/gemalto-state-of-iot-security-report.pdf

  44. GNU Project - GNU Compiler Collection: Specifying attributes of variables. Online (2022). https://gcc.gnu.org/onlinedocs/gcc-11.3.0/gcc/Variable-Attributes.html#Variable-Attributes

  45. Infineon: How to use direct memory access (DMA) controller in traveo ii family. Online (2021). https://www.infineon.com/dgdl/Infineon-AN220191_How_to_Use_Direct_Memory_Access_(DMA)_Controller_in_Traveo_II_Family-ApplicationNotes-v07_00-EN.pdf

  46. Infineon: Mpu_memory_protection for kit_aurix_tc297_tft. Online (2020). https://www.infineon.com/dgdl/?fileId=5546d46274cf54d50174da37dc1d222e

  47. Infineon: Mpu_memory_protection for kit_aurix_tc297_tft. Online (2017). https://www.nxp.com/docs/en/supporting-information/BL-Micro-NXP-Microcontroller-Overview-James-Huang.pdf

  48. Kim, Y., et al.: Flipping bits in memory without accessing them: an experimental study of dram disturbance errors. ACM SIGARCH Comput. Archit. News 42(3) (2014)

    Google Scholar 

  49. Koscher, K., et al.: Experimental security analysis of a modern automobile. In: IEEE Symposium on Security and Privacy (SP). IEEE (2010)

    Google Scholar 

  50. Kurth, M., Gras, B., Andriesse, D., Giuffrida, C., Bos, H., Razavi, K.: Netcat: practical cache attacks from the network. In: IEEE Symposium on Security and Privacy (SP). IEEE (2020)

    Google Scholar 

  51. Kwon, D., Shin, J., Kim, G., Lee, B., Cho, Y., Paek, Y.: uxom: Efficient execute-only memory on arm cortex-m. In: 28th USENIX Security Symposium. USENIX Association (2019)

    Google Scholar 

  52. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Privacy 9(3) (2011)

    Google Scholar 

  53. Lee, D., Kohlbrenner, D., Shinde, S., Asanović, K., Song, D.: Keystone: an open framework for architecting trusted execution environments. In: 15th European Conference on Computer Systems (EuroSys ’20). ACM (2020)

    Google Scholar 

  54. Leens, F.: An introduction to I2C and SPI protocols. IEEE Instrum. Meas. Mag. 12(1) (2009)

    Google Scholar 

  55. Levy, A., et al.: Multiprogramming a 64kb computer safely and efficiently. In: 26th Symposium on Operating Systems Principles, SOSP ’17. ACM (2017)

    Google Scholar 

  56. Liu, F., Yarom, Y., Ge, Q., Heiser, G., Lee, R.B.: Last-level cache side-channel attacks are practical. In: IEEE Symposium on Security and Privacy (SP). IEEE (2015)

    Google Scholar 

  57. Markettos, T., et al.:: Thunderclap: exploring vulnerabilities in operating system IOMMU protection via DMA from untrustworthy peripherals (2019)

    Google Scholar 

  58. Mera, A., Feng, B., Lu, L., Kirda, E.: Dice: automatic emulation of DMA input channels for dynamic firmware analysis. In: IEEE Symposium on Security and Privacy (SP). IEEE (2021)

    Google Scholar 

  59. Mera, A., Chen, Y.H., Sun, R., Kirda, E., Lu, L.: D-box: DMA-enabled compartmentalization for embedded applications. In: 2022 Network and Distributed Systems Security Symposium (NDSS). Internet Society (2022)

    Google Scholar 

  60. Microchip Technology Inc: Atmega48a/pa/88a/pa/168a/pa/328/p. Online (2018). https://ww1.microchip.com/downloads/en/DeviceDoc/ATmega48A-PA-88A-PA-168A-PA-328-P-DS-DS40002061A.pdf

  61. Motorola Inc: SPI block guide v03.06. Document number S12SPIV3/D (2003)

    Google Scholar 

  62. Nunes, I.D.O., Eldefrawy, K., Rattanavipanon, N., Steiner, M., Tsudik, G.: Vrased: a verified hardware/software co-design for remote attestation. In: 28th USENIX Security Symposium (2019)

    Google Scholar 

  63. Nunes, I.D.O., Eldefrawy, K., Rattanavipanon, N., Tsudik, G.: Apex: a verified architecture for proofs of execution on remote devices under full software compromise. In: 29th USENIX Security Symposium (2020)

    Google Scholar 

  64. Nunes, I.D.O., Jakkamsetti, S., Tsudik, G.: Dialed: data integrity attestation for low-end embedded devices. In: 58th ACM/IEEE Design Automation Conference (DAC). IEEE (2021)

    Google Scholar 

  65. Nunes, I.D.O., Jakkamsetti, S., Tsudik, G.: Tiny-CFA: minimalistic control-flow attestation using verified proofs of execution. In: 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE (2021)

    Google Scholar 

  66. NXP: Examples of setting the DMA controller on the power architecture mpc5675k family of microcontrollers. Online (2012). https://www.nxp.com/docs/en/application-note/AN4522.pdf

  67. Osborne, A.: Introductions to Microcomputers:, vol. 1. Basic Concepts, McGraw-Hill Osborne Media (1980)

    Google Scholar 

  68. OWASP: Internet of things (IoT) top 10 2018 (2018). https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf

  69. Quarta, D., Pogliani, M., Polino, M., Maggi, F., Zanchettin, A.M., Zanero, S.: An experimental security analysis of an industrial robot controller. In: IEEE Symposium on Security and Privacy (SP). IEEE (2017)

    Google Scholar 

  70. Reilly, E.D.: Memory-Mapped I/O. Wiley, Hoboken (2003). ISBN 0470864125

    Google Scholar 

  71. RISC-V: The RISC-V instruction set manual volume ii: privileged architecture. Online (2017). https://riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf

  72. Ruytenberg, B.: Breaking thunderbolt protocol security: vulnerability report. Online (2020). https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf

  73. Sabt, M., Achemlal, M., Bouabdallah, A.: Trusted execution environment: what it is, and what it is not. In: 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1. IEEE (2015)

    Google Scholar 

  74. Seshadri, A., Perrig, A., van Doorn, L., Khosla, P.K.: Swatt: software-based attestation for embedded devices. In: IEEE Symposium on Security and Privacy (SP). IEEE (2004)

    Google Scholar 

  75. Song, D., et al.: Periscope: an effective probing and fuzzing framework for the hardware-OS boundary. In: 2019 Network and Distributed Systems Security Symposium (NDSS). Internet Society (2019)

    Google Scholar 

  76. Stewin, P., Bystrov, I.: Understanding DMA malware. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 21–41. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37300-8_2

    Chapter  Google Scholar 

  77. STMicroelectronics: Managing memory protection unit in stm32 mcus. Online (2021). https://www.st.com/resource/en/application_note/dm00272912-managing-memory-protection-unit-in-stm32-mcus-stmicroelectronics.pdf

  78. STMicroelectronics: Using the stm32f0/f1/f3/gx/lx series DMA controller. Online (2020). https://www.st.com/resource/en/application_note/cd00160362-using-the-stm32f0f1f3gxlx-series-dma-controller-stmicroelectronics.pdf

  79. STMicroelectronics: Using the stm32f2, stm32f4 and stm32f7 series DMA controller. Online (2016). https://www.st.com/resource/en/application_note/dm00046011-using-the-stm32f2-stm32f4-and-stm32f7-series-dma-controller-stmicroelectronics.pdf

  80. Sun, Z., Feng, B., Lu, L., Jha, S.: Oat: attesting operation integrity of embedded devices. In: IEEE Symposium on Security and Privacy (SP). IEEE (2020)

    Google Scholar 

  81. Surminski, S., Niesler, C., Brasser, F., Davi, L., Sadeghi, A.-R.: Realswatt: remote software-based attestation for embedded devices under realtime constraints. In: 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2021)

    Google Scholar 

  82. Tatar, A., Konoth, R.K., Athanasopoulos, E., Giuffrida, C., Bos, H., Razavi, K.: Throwhammer: rowhammer attacks over the network and defenses. In: 2018 USENIX Annual Technical Conference (USENIX ATC 18) (2018)

    Google Scholar 

  83. Texas Instruments Incorporated: Direct memory access (DMA) controller module. Online (2018). https://www.ti.com/lit/ug/slau395f/slau395f.pdf

  84. The LLVM Compiler Infrastructure Project: Attributes in clang. Online (2022). https://clang.llvm.org/docs/AttributeReference.html#variable-attributes

  85. Valmari, A.: The state explosion problem. In: Reisig, W., Rozenberg, G. (eds.) ACPN 1996. LNCS, vol. 1491, pp. 429–528. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-65306-6_21

    Chapter  Google Scholar 

  86. Van der Veen, V., et al.: Practical context-sensitive CFI. In: 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM (2015)

    Google Scholar 

  87. Wenzl, M., Merzdovnik, G., Ullrich, J., Weippl, E.: From hack to elaborate technique–a survey on binary rewriting. ACM Comput. Surv. (CSUR) 52(3) (2019)

    Google Scholar 

  88. Wetzels, J.: The RTOS exploit mitigation blues. Online (2017). https://hardwear.io/document/rtos-exploit-mitigation-blues-hardwear-io.pdf

  89. Wijnen, B., Hunt, E.J., Anzalone, G.C., Pearce, J.M.: Open-source syringe pump library. PloS ONE 9(9) (2014)

    Google Scholar 

Download references

Acknowledgements

This work has been partially funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation)—SFB 1119—236615297 within project S2. This work was supported by the DFG Priority Program SPP 2253 Nano Security (Project RAINCOAT—Number: 440059533).

Author information

Authors and Affiliations

  1. University of Duisburg-Essen, Essen, Germany

    Sebastian Surminski, Christian Niesler & Lucas Davi

  2. Technical University Darmstadt, Darmstadt, Germany

    Ahmad-Reza Sadeghi

Authors
  1. Sebastian Surminski
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian Niesler
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lucas Davi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ahmad-Reza Sadeghi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sebastian Surminski .

Editor information

Editors and Affiliations

  1. NTT Social Informatics Laboratories, Tokyo, Japan

    Mehdi Tibouchi

  2. Indiana University at Bloomington, Bloomington, IN, USA

    XiaoFeng Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Surminski, S., Niesler, C., Davi, L., Sadeghi, AR. (2023). DMA’n’Play: Practical Remote Attestation Based on Direct Memory Access. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation