Technical Report MSC-2018-21

Title: IOMMU-resistant DMA attacks
Authors: Gil Kupfer
Supervisors: Dan Tsafrir and Nadav Amit
PDF: Currently accessible only within the Technion network
Abstract: The direct memory access (DMA) mechanism allows I/O devices to independently access memory without CPU involvement, improving performance but exposing systems to malicious DMA attacks. To defend against such attacks, hardware vendors introduced IOMMUs (I/O memory management units), allowing operating systems to restrict DMAs to specific memory locations. When configured correctly, the latest generation of IOMMUs is considered an appropriate solution to the problem. We challenge this perception and uncover a new type of IOMMU-resistant DMA attacks, which are capable of taking over the system by exploiting the fact that IOMMU protection is provided in page granularity, which we find to be too coarse. By implementing several novel attacks against these systems, we demonstrate that the vulnerability is spread across different device drivers and kernel subsystems, making it challenging to come up with a generic, performant fix.

In addition, we also show how OS handling of the IOMMU's internal cache (aka IOTLB, the I/O translation look-aside buffer) can be exploited by an attacker. Because IOTLB invalidations are expensive, OSs may batch them (Linux does it by default), causing the IOTLB to be inconsistent with the OS for a short time. This time is believed to be too short to be exploitable. We also refute this perception by using this time slot to access memory immediately after it is explicitly forbidden, enabling the attack mentioned above.

Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.


Computer science department, Technion