Run-DMA

By Michael Rushanan and Stephen Checkoway.

In Proceedings of WOOT 2015. USENIX, August 2015.

Abstract

Copying data from devices into main memory is a computationally-trivial, yet time-intensive, task. In order to free the CPU to perform more interesting work, computers use direct memory access (DMA) engines—a special-purpose piece of hardware—to transfer data into and out of main memory. We show that the ability to chain together such memory transfers, as provided by commodity hardware, is sufficient to perform arbitrary computation. Further, when hardware peripherals can be accessed via memory-mapped I/O, they are accessible to “DMA programs.” To demonstrate malicious behavior, we build a proof-of-concept DMA rootkit that modifies kernel objects in memory to perform privilege escalation for target processes.

Material

• Code on Github.
• Proceedings version in PDF.
• Slides from WOOT 2015 in PDF.
• Full version, local copy in PDF.

Reference

@InProceedings{rushanan-checkoway:run-dma:woot15,
  author =    {Michael Rushanan and Stephen Checkoway},
  title =     {{Run-DMA}},
  booktitle = {Proceedings of WOOT 2015},
  editor =    {Francillon, Aur{\'e}lien and Thomas Ptacek},
  publisher = {USENIX},
  year =      2015,
  month =     aug,
  url =       {https://checkoway.net/papers/rundma2015},
}