
A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8145)

Abstract

Computer platform peripherals such as network and management controllers can be used to attack the host computer via direct memory access (DMA). DMA-based attacks launched from peripherals can compromise the host without exploiting any vulnerability in the operating system running on it, and therefore pose a highly critical threat to system security and integrity. Unfortunately, to date no OS implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past, so those units cannot be considered trustworthy. We are the first to present a novel method for detecting and preventing DMA-based attacks. Our method is based on modeling the expected memory bus activity and comparing it with the actual activity. We implement BARM, a runtime monitor that permanently monitors bus activity to expose malicious memory accesses carried out by peripherals. Our evaluation reveals that BARM not only detects and prevents DMA-based attacks but also runs without significant overhead, because it relies on commonly available CPU features of the x86 platform.
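As an added illustration of the detection principle the abstract describes (this is example code, not the paper's BARM implementation), the following Python model compares the bus transactions the OS expects from the DMA requests it issued itself with a measured transaction count per sampling interval; the 64-byte transaction granularity, the tolerance, the in-flight carry-over and the sample data are constructed assumptions.

```python
"""Toy model of 'expected vs. actual bus activity' (constructed example)."""
from dataclasses import dataclass

LINE_BYTES = 64  # assumed: one bus transaction moves one 64-byte cache line


@dataclass
class DmaRequest:
    device: str   # which peripheral the OS asked to transfer data
    nbytes: int   # how many bytes the OS asked it to move


@dataclass
class IntervalSample:
    requests: list            # DMA transfers the OS itself issued this interval
    measured_transactions: int  # simulated reading of a memory-bus counter


@dataclass
class BusMonitor:
    tolerance: int = 8  # slack for counter jitter (assumed value)
    carry: int = 0      # transactions still owed by earlier, unfinished requests

    @staticmethod
    def expected(requests) -> int:
        # Each legitimate transfer costs ceil(nbytes / LINE_BYTES) transactions.
        return sum((r.nbytes + LINE_BYTES - 1) // LINE_BYTES for r in requests)

    def check(self, sample: IntervalSample):
        """Return (alarm, unexplained_transactions) for one interval."""
        exp = self.expected(sample.requests) + self.carry
        diff = sample.measured_transactions - exp
        if diff < 0:
            # Fewer transactions than modelled: requests are still in flight,
            # so the remainder is expected to show up in a later interval.
            self.carry = -diff
            return False, 0
        self.carry = 0
        # Transactions nobody on the host asked for point at a rogue peripheral.
        return diff > self.tolerance, diff


def run(monitor: BusMonitor, samples):
    return [monitor.check(s) for s in samples]


def demo():
    nic, usb = DmaRequest("nic", 4096), DmaRequest("usb", 512)
    samples = [  # constructed counter readings
        IntervalSample([nic, usb], 72),              # 64 + 8 lines, all explained
        IntervalSample([DmaRequest("nic", 1024)], 116),  # 16 expected, 100 extra
        IntervalSample([nic], 40),                   # transfer only partly done
        IntervalSample([], 24),                      # remainder arrives, no alarm
    ]
    return run(BusMonitor(), samples)
```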



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stewin, P. (2013). A Primitive for Revealing Stealthy Peripheral-Based Attacks on the Computing Platform’s Main Memory. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_1


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4
