
Characterizing, exploiting, and detecting DMA code injection vulnerabilities in the presence of an IOMMU, EuroSys 2021

Abstract

Direct memory access (DMA) renders a system vulnerable to DMA attacks, in which I/O devices access memory regions not intended for their use. Hardware input–output memory management units (IOMMU) can be used to provide protection. However, an IOMMU cannot prevent all DMA attacks because it only restricts DMA at page-level granularity, leading to sub-page vulnerabilities.


Current DMA attacks rely on simple situations in which write access to a kernel pointer is obtained due to sub-page vulnerabilities and all other attack ingredients are available and reside on the same page. We show that DMA vulnerabilities are a deep-rooted issue and it is often the kernel design that enables complex and multistage DMA attacks. This work presents a structured top-down approach to characterize, exploit, and detect them.


To this end, we first categorize sub-page vulnerabilities into four types, providing insight into the structure of DMA vulnerabilities. We then identify a set of three vulnerability attributes that are sufficient to execute code injection attacks. We built analysis tools that detect these sub-page vulnerabilities and analyze the Linux kernel. We found that 72% of the device drivers expose callback pointers, which may be overwritten by a device to hijack the kernel control flow.


Aided by our tools’ output, we demonstrate novel code injection attacks on the Linux kernel; we refer to these as compound attacks. All previously reported attacks are single-step, with the vulnerability attributes present in a single page. In compound attacks, the vulnerability attributes are initially incomplete. However, we demonstrate that they can be obtained by carefully exploiting standard OS behavior.


1 Introduction

Direct Memory Access (DMA) is a technology that allows input-output (I/O) devices to access memory without CPU involvement, thereby improving system performance. DMA-capable devices include internal devices, such as GPUs, Network Interface Cards (NICs), storage devices (e.g., NVMe), and other peripheral devices, including external devices such as FireWire and Thunderbolt.¹ However, in its basic form, DMA makes the system vulnerable to DMA attacks. These are cases where malicious DMA-capable devices, such as compromised firmware [7, 25], access sensitive memory regions not intended for their use.


Numerous DMA exploits are known [6, 21, 45], ranging from stealing and manipulating sensitive data to taking over the victim machine. Widespread attacks include: opening a locked computer [42, 64], executing arbitrary code on the victim machine [5, 24, 45, 67], stealing sensitive data items such as passwords [9, 13, 40, 63], and extracting a full memory dump of a victim machine [26, 42, 64, 65]. These threats are supposed to be mitigated by the Input-Output Memory Management Unit (IOMMU), which adds a layer of virtual memory to devices. The IOMMU brokers all I/O requests, translating their target I/O virtual addresses (IOVA) to physical addresses. In the process, the IOMMU provides address space isolation, allowing a device to access only permitted pages and rendering all other memory inaccessible.

[45] Thunderclap: Exploring vulnerabilities in operating system IOMMU protection via DMA from untrustworthy peripherals. In NDSS, 2019.


Unlike processes that operate at page granularity, I/O buffers can be significantly smaller than a page. I/O buffers and other kernel buffers can co-reside on the same physical pages, inadvertently exposing these kernel buffers to the device. For this reason, known as the sub-page vulnerability [45, 47], the IOMMU cannot fully protect the kernel from unprivileged access. Consequently, sub-page vulnerabilities were the basis for several recent DMA exploits [7, 8, 38, 45]. Nevertheless, these previously reported vulnerabilities have an ad-hoc nature rather than a structured top-down approach.


[44] Moshe Malka, Nadav Amit, and Dan Tsafrir. Efficient intra-operating system protection against harmful DMAs. In 13th USENIX Conference on File and Storage Technologies (FAST 15), pages 29–44, 2015.
[47] Alex Markuze, Adam Morrison, and Dan Tsafrir. True IOMMU protection from DMA attacks: When copy is faster than zero copy. In ASPLOS, pages 249–262, 2016.

¹ Currently, the Linux kernel (version 5.0) has as many as 700 such device drivers, of which one third are network device drivers.

Accordingly, we conducted a systematic study of sub-page vulnerabilities. To provide insight into the structure of DMA vulnerabilities, we first break down sub-page vulnerabilities into four types (Section 3.2):

• Exposed driver metadata
• Exposed OS metadata
• Mapped by multiple IOVA due to multiple co-located buffers
• Randomly co-located

Next, we identify the ingredients that make it possible for a malicious device to exploit these four types of sub-page vulnerabilities and execute a viable DMA attack. Focusing on code injection attacks, we introduce (Section 3.3) a set of three vulnerability attributes that can be used to execute such attacks:


• A kernel virtual address (KVA) of a buffer filled with malicious executable code (i.e., malicious buffer).

• Write access to a function callback pointer, exposed in a data structure via one of the four sub-page vulnerability types.

• Existence of a time window such that the device can modify the callback pointer during that time window; the CPU will subsequently jump to the pointed code before the pointer gets overwritten, if it is ever overwritten.

With the characterization of the different sub-page vulnerabilities and the vulnerability attributes, we were able to build analysis tools that can detect potentially hazardous sub-page vulnerabilities:

• We built a static code analysis tool that performs a Sub-Page Analysis for DMA Exposure (SPADE). SPADE scans for potentially exposed callback pointers on DMA-mapped pages. We used SPADE on Linux kernel 5.0 and found that as many as 72% of device drivers are potentially vulnerable to code injection attacks (Section 4.1).

• Some sub-page vulnerabilities can only manifest dynamically at run-time, potentially exposing callback pointers and/or kernel addresses. Static analysis may not reveal vulnerabilities where a memory buffer is exposed randomly. For example, a random exposure can occur when a memory buffer is co-located on the same page as a mapped I/O buffer. Accordingly, we developed a run-time analysis tool that reports such vulnerabilities and demonstrate its use. Termed DMA-KernelAddress-SANitizer (D-KASAN), this tool reports all cases where a kernel buffer is exposed, inadvertently or otherwise (Section 4.2).


We use our tools to find and demonstrate attacks on the Linux kernel. We focus on compound attacks, cases where a detected sub-page vulnerability alone is insufficient to execute a code injection attack since at least one of the three vulnerability attributes is initially missing, but can be attained via compound steps.


We observe that unlike compound attacks, previous work has explored single-step attacks, i.e., attacks in which the three vulnerability attributes are trivially provided. Namely, a mapped I/O buffer resides on a mapped page which, due to sub-page vulnerability, also exposes a callback pointer and a kernel virtual address, and the timing is such that the CPU will not overwrite the modifications.


Analysis of such single-step attacks, which can typically be blocked with localized fixes, may lead to a dangerous misconception. In particular, one may assume that buggy device drivers or poor but isolated design choices are to blame for DMA vulnerabilities [43, 44]. However, by introducing compound attacks, we demonstrate that it is often the kernel itself that supplements the missing pieces, showing that this is a deep-rooted issue rather than a collection of disjoint incidents. We identify multiple kernel APIs and data structure designs that facilitate the acquisition of the vulnerability attributes by a malicious device.


To summarize, we make the following contributions:

• Provide a categorization of the four sub-page vulnerability types.

• Introduce a set of three vulnerability attributes that are sufficient to execute code injection attacks.

• Develop a static code analysis tool (SPADE) to flag code paths that may expose callback pointers.

• Develop a run-time tool (D-KASAN) to identify sub-page vulnerabilities at run-time, including vulnerabilities caused by random exposure.

• Demonstrate novel DMA attacks on the Linux kernel, termed compound attacks.

• Make our tools publicly available [46, 48].

2 Background

In this section, we provide background on DMA-related attacks. First, we describe classic DMA attacks and the IOMMU protection against them. Then, we discuss well-established protection practices to prevent privilege escalation (i.e., code injection) attacks and methods for their circumvention.

2.1 DMA Attacks

DMA allows I/O devices direct access to memory [57] without CPU involvement. While DMA is essential for fast I/O, it also provides ample opportunity for unmonitored and malicious activity by DMA-capable devices, resulting in DMA attacks.
An attacker can access sensitive data, overwrite the OS code and data structures, and even gain full control of the victim system. DMA attacks can be carried out using an external or internal DMA-capable device.

Table 1. Linux kernel memory layout

Accessible expansion ports, e.g., FireWire or Thunderbolt, allow external devices to initiate DMA transactions merely by connecting a programmable accessory [21, 42, 45, 65]. Exploiting internal devices is more challenging, but enables persistent and stealthy attacks.


Many options are available to gain control of an internal device. For example, a resourceful attacker can exploit firmware bugs [63]. These can be well-known exploits, since end-users are often slow in deploying firmware updates [22]; they may even be newly discovered zero-day vulnerabilities [8]. Alternatively, certain attackers may be able to replace the device firmware altogether with a malicious one [55, 71]. It is also possible to manufacture devices that appear to be legitimate but are, in fact, malicious at the circuitry level [69].


Once an attacker gains control over a DMA device connected to a victim machine, various attacks are possible. These attacks can range from keyloggers [40, 63] to full control over commodity OS and hypervisor, including Windows [5, 45], Linux, OSX [24, 45], Android [8], and Xen [67]. Several software tools exist for perpetrating DMA attacks, with some of them being open source. Tools such as Volatility [65], Inception [42], GoldFish [26], and FinFireWire [64] can extract target machine memory and unlock victim machines by patching the OS code. These tools are reportedly used by government agencies, such as the NSA.


2.2 IOMMU

With the lack of software protection against DMA attacks, the common practice is to restrict DMA accesses through hardware protection. The most common mechanism for this purpose is the I/O memory management unit (IOMMU). The IOMMU adds a level of indirection for DMA addresses [54, 63, 66, 70], effectively providing peripheral devices with I/O virtual addresses (IOVA). This way, the device can access only those pages explicitly allowed by the OS. Inspired by the x86 MMU, the IOMMU uses a page table for address translation and an IOTLB for caching recent accesses. The page tables are managed by the OS, and as with the MMU, have a page granularity. The common page size is 4 KB, although there exist larger page sizes, up to GBs.


The IOMMU page table also holds page access rights for each IOVA. An access right can be either READ, WRITE, or BIDIRECTIONAL. Note that WRITE access does not grant a DMA device READ access, whereas BIDIRECTIONAL access is needed to both read and write from/to the page. It is also important to note that a single physical page can be mapped by multiple IOVAs, each with possibly different access rights.

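Added example (not code from the paper, SPADE or D-KASAN): a minimal C model of the page-granularity check those tools automate, tying together the sub-page exposure and vulnerability attribute #2 from the introduction with the READ/WRITE/BIDIRECTIONAL page rights described above. All addresses, object names and sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* IOMMU page rights as the text describes them: WRITE alone does not grant READ. */
enum io_right { IO_READ = 1, IO_WRITE = 2, IO_BIDIRECTIONAL = IO_READ | IO_WRITE };
/* The driver mapped [kva, kva+len) with one right; the IOMMU applies it to whole pages. */
struct dma_mapping { uintptr_t kva; size_t len; enum io_right right; };
/* A kernel object that may share a physical page with the mapped buffer. */
struct kobj { const char *name; uintptr_t kva; size_t size; bool has_callback_ptr; };
/* Sub-page exposure: the object touches a mapped page but is not the I/O buffer itself. */
static bool sub_page_exposed(const struct dma_mapping *m, const struct kobj *o)
{
    uintptr_t map_first = m->kva & PAGE_MASK, map_last = (m->kva + m->len - 1) & PAGE_MASK;
    uintptr_t obj_first = o->kva & PAGE_MASK, obj_last = (o->kva + o->size - 1) & PAGE_MASK;
    bool shares_page = obj_first <= map_last && obj_last >= map_first;
    bool inside_buffer = o->kva >= m->kva && o->kva + o->size <= m->kva + m->len;
    return shares_page && !inside_buffer;
}
/* Vulnerability attribute #2: a callback pointer on a page the device may write
 * (a READ-only mapping leaks data but cannot redirect kernel control flow). */
static bool callback_hijack_hazard(const struct dma_mapping *m, const struct kobj *o)
{
    return sub_page_exposed(m, o) && o->has_callback_ptr && (m->right & IO_WRITE);
}
/* D-KASAN-style report over a constructed sample: a 256-byte receive buffer the device
 * fills (IO_WRITE) at page offset 0x100, plus three neighbours. Returns hazard count (1). */
static int report_sample(void)
{
    const uintptr_t page = (uintptr_t)0xffff888000001000ULL;  /* constructed KVA */
    struct dma_mapping rx = { page + 0x100, 256, IO_WRITE };
    struct kobj objs[] = {
        { "rx_buf",    page + 0x100, 256, false }, /* the buffer itself: not exposed */
        { "net_ops",   page + 0x800, 64,  true  }, /* same page, holds callbacks     */
        { "cfg_blob",  page + 0xf00, 128, false }, /* same page, plain data          */
        { "other_ops", page + PAGE_SIZE + 0x40, 64, true }, /* next page: protected  */
    };
    int hazards = 0;
    for (size_t i = 0; i < sizeof objs / sizeof objs[0]; i++) {
        if (!sub_page_exposed(&rx, &objs[i])) continue;
        bool hz = callback_hijack_hazard(&rx, &objs[i]);
        hazards += hz;
        printf("%-10s exposed on a mapped page%s\n", objs[i].name,
               hz ? ", device-writable callback pointer: code-injection hazard" : "");
    }
    return hazards;
}
int main(void) { return report_sample() == 1 ? 0 : 1; }
```

Note that `cfg_blob` is reported as exposed but not as a hazard: the page is device-writable, yet the object holds no callback pointer, so only attribute #2's second half is missing.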

IOMMUs were not designed primarily to provide security [19]. Instead, IOMMUs were used to allow devices that did not support vectored I/O, to access contiguous virtual memory that may map non-contiguous physical memory [12, 68]. IOMMUs also enabled legacy devices that only supported a limited address width (32-bit) to access high memory (64-bit). More recently, IOMMUs were used to assign I/O devices directly to virtual machines, while maintaining their isolation properties [1, 32].


2.3 DMA API

Device drivers must use the DMA API to manage the DMA buffers. Drivers a buf
