Technical Report PHD-2021-11

Title: Characterizing, Exploiting, Detecting and Preventing DMA Attacks in the Presence of an IOMMU
Authors: Alex Markuze
Supervisors: Dan Tsafrir, Adam Morrison
PDF: Currently accessible only within the Technion network
Abstract: Malicious I/O devices can compromise the OS through DMA. The OS therefore uses the IOMMU to map each target buffer right before its DMA is processed and to unmap it right after, thereby restricting DMAs to their designated locations. This usage model, however, is neither truly secure nor able to sustain multi-gigabit I/O. The IOMMU provides protection at page granularity only, whereas DMA buffers can share a page with other data, leading to sub-page vulnerabilities that expose the system to DMA attacks, in which I/O devices access and manipulate memory regions not intended for their use. We first categorize sub-page vulnerabilities into four categories, providing insight into the structure of DMA vulnerabilities. Then, to exploit these vulnerabilities, we identify a set of three vulnerability attributes that are sufficient to execute code injection attacks. We then build analysis tools that detect sub-page vulnerabilities and analyze the Linux kernel. We find that 72% of the device drivers expose sensitive callback pointers, which a device may overwrite to hijack kernel control flow. Aided by the tools' output, we demonstrate novel code injection attacks on the Linux kernel that we term compound attacks. Whereas all previously reported attacks are single-step, i.e., the vulnerability attributes are present in a single page, in compound attacks the vulnerability attributes are initially incomplete but can be attained by carefully exploiting standard OS behavior. To provide performant and secure I/O, we propose that OSes use the IOMMU differently. Our new usage model restricts device access to a set of shadow DMA buffers that are never unmapped. DMAed data is copied to/from these shadow buffers, thus providing sub-page protection.
Our key insight is that the cost of interacting with, and synchronizing access to, the slow IOMMU hardware (required for zero-copy protection against devices) makes copying preferable to zero-copying. We implement our model in Linux and evaluate it with standard networking benchmarks on a 40Gb/s NIC. We demonstrate that, despite being more secure than the safest preexisting usage model, our approach provides up to 5× higher throughput. Additionally, whereas it is inherently less scalable than an IOMMU-less (unprotected) system, our approach incurs only 0%–25% performance degradation in comparison. Next, we observe that achieving protection at the DMA (un)map boundary is needlessly constraining: devices must be prevented from changing the data only after the kernel has read it. There is thus no real need to switch ownership of buffers between kernel and device at the DMA (un)mapping layer, as all existing IOMMU protection schemes do. We therefore eliminate the extra copy by (1) implementing a new allocator called DMA-Aware Malloc for Networking (DAMN), which (de)allocates packet buffers from a memory pool permanently mapped in the IOMMU; (2) modifying the network stack to use this allocator; and (3) copying packet data only when the kernel needs it, which usually morphs the aforementioned extra copy into the kernel's standard copy operation performed at the user-kernel boundary. DAMN thus provides full IOMMU protection with performance comparable to that of an unprotected system.
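The sub-page vulnerability and the shadow-buffer usage model described in the abstract, as an added user-space C model (this is illustrative code written for this page, not code from the thesis or from the Linux kernel). A receive buffer shares a page with a callback pointer; a page-granular IOMMU model accepts any device write that stays inside the mapped page, so a simulated malicious device can overflow the buffer into the pointer. The shadow-buffer variant maps the device only to a dedicated shadow page that is never unmapped and copies a bounded length from it into the real buffer. The struct rx_slot layout, the 256-byte buffer length, the simulated device_dma_write/iommu_entry, the callback names and the use of C11 aligned_alloc are all assumptions made for the illustration.

```c
/* Added example, not from the thesis: user-space model of a sub-page DMA
 * vulnerability and of the shadow-buffer mitigation. All names and the
 * page-granular IOMMU model are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define RX_BUF_LEN 256u   /* assumed driver buffer length */

typedef void (*rx_callback_t)(const uint8_t *data, size_t len);

/* Driver-private receive slot. As in a kernel slab, the DMA target buffer
 * and a sensitive callback pointer share one page: the sub-page layout the
 * abstract describes. (Assumed layout.) */
struct rx_slot {
    uint8_t       buf[RX_BUF_LEN];  /* buffer the device is meant to fill */
    rx_callback_t on_rx;            /* never meant to be device-writable */
};

/* Page-granular IOMMU model: one entry grants the device a whole page. */
struct iommu_entry { uintptr_t page_base; };

static uintptr_t page_of(uintptr_t a) { return a & ~(uintptr_t)(PAGE_SIZE - 1); }

/* Simulated DMA write from a (possibly malicious) device. The IOMMU model
 * checks only that the written range lies inside the mapped page. */
static int device_dma_write(const struct iommu_entry *map, uintptr_t iova,
                            const void *src, size_t len)
{
    if (len == 0 || page_of(iova) != map->page_base ||
        page_of(iova + len - 1) != map->page_base)
        return -1;                  /* IOMMU fault: outside the granted page */
    memcpy((void *)iova, src, len);
    return 0;
}

static void benign_cb(const uint8_t *d, size_t n) { (void)d; (void)n; }
static void evil_cb(const uint8_t *d, size_t n)   { (void)d; (void)n; }

/* Device payload that fills buf and then spills into on_rx. */
static size_t build_attack_payload(uint8_t *out, size_t cap)
{
    rx_callback_t target = evil_cb;
    size_t len = RX_BUF_LEN + sizeof target;
    if (len > cap) return 0;
    memset(out, 'A', RX_BUF_LEN);
    memcpy(out + RX_BUF_LEN, &target, sizeof target);
    return len;
}

/* Map/unmap usage model: the page holding slot->buf is mapped and the device
 * DMAs straight into it. Returns 1 if on_rx now points at evil_cb. */
int demo_zero_copy(void)
{
    struct rx_slot *slot = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    uint8_t payload[RX_BUF_LEN + sizeof(rx_callback_t)];
    if (!slot) return -1;
    slot->on_rx = benign_cb;
    struct iommu_entry map = { page_of((uintptr_t)slot->buf) };   /* dma_map */
    size_t n = build_attack_payload(payload, sizeof payload);
    int rc = device_dma_write(&map, (uintptr_t)slot->buf, payload, n);
    int hijacked = (rc == 0 && slot->on_rx == evil_cb);
    free(slot);
    return hijacked;
}

/* Shadow-buffer usage model: the device is only ever mapped to a dedicated
 * shadow page, and the kernel copies at most RX_BUF_LEN bytes from it into
 * the real slot, so on_rx is never reachable by the device.
 * Returns 0 when the callback survives and a direct write to the slot page
 * faults, 1 if hijacked, 2 on unexpected IOMMU-model behaviour, -1 on OOM. */
int demo_shadow_copy(void)
{
    struct rx_slot *slot = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    uint8_t *shadow = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    uint8_t payload[RX_BUF_LEN + sizeof(rx_callback_t)];
    if (!slot || !shadow) { free(slot); free(shadow); return -1; }
    slot->on_rx = benign_cb;
    struct iommu_entry map = { page_of((uintptr_t)shadow) };  /* never unmapped */
    size_t n = build_attack_payload(payload, sizeof payload);

    /* The device may still overflow inside its shadow page... */
    int rc_shadow = device_dma_write(&map, (uintptr_t)shadow, payload, n);
    /* ...but the slot page was never mapped, so it is unreachable. */
    int rc_direct = device_dma_write(&map, (uintptr_t)slot->buf, payload, n);
    /* Kernel-side copy, bounded by the driver's own buffer length. */
    size_t copy = n < RX_BUF_LEN ? n : RX_BUF_LEN;
    memcpy(slot->buf, shadow, copy);

    int result;
    if (slot->on_rx == evil_cb)                    result = 1;
    else if (rc_shadow == 0 && rc_direct == -1)    result = 0;
    else                                           result = 2;
    free(slot);
    free(shadow);
    return result;
}

int main(void)
{
    printf("map/unmap model, callback hijacked: %d\n", demo_zero_copy());
    printf("shadow-buffer model, callback hijacked: %d\n", demo_shadow_copy());
    return 0;
}
```

Build with `cc -std=c11 -O2 example.c`. The model deliberately ignores everything a real IOMMU adds (IOVA translation, TLB invalidation, the cost of mapping), because the point is the granularity mismatch alone: the map/unmap model accepts a 264-byte device write into a 256-byte buffer since the whole page is mapped, while the shadow model keeps the device confined to a page that holds nothing but DMA data.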
Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.


Computer science department, Technion