DOI: 10.1145/2872362.2872379
research-article

True IOMMU Protection from DMA Attacks: When Copy is Faster than Zero Copy

Published: 25 March 2016

ABSTRACT

Malicious I/O devices might compromise the OS using DMAs. The OS therefore utilizes the IOMMU to map and unmap every target buffer right before and after its DMA is processed, thereby restricting DMAs to their designated locations. This usage model, however, is not truly secure for two reasons: (1) it provides protection at page granularity only, whereas DMA buffers can reside on the same page as other data; and (2) it delays DMA buffer unmaps due to performance considerations, creating a vulnerability window in which devices can access in-use memory. We propose that OSes utilize the IOMMU differently, in a manner that eliminates these two flaws. Our new usage model restricts device access to a set of shadow DMA buffers that are never unmapped, and it copies DMAed data to/from these buffers, thus providing sub-page protection while eliminating the aforementioned vulnerability window. Our key insight is that the cost of interacting with, and synchronizing access to, the slow IOMMU hardware---required for zero-copy protection against devices---makes copying preferable to zero-copying.

We implement our model in Linux and evaluate it with standard networking benchmarks utilizing a 40 Gb/s NIC. We demonstrate that despite being more secure than the safest preexisting usage model, our approach provides up to 5x higher throughput. Additionally, whereas it is inherently less scalable than an IOMMU-less (unprotected) system, our approach incurs only 0%--25% performance degradation in comparison.
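The two flaws named in the abstract, page-granular protection and the deferred-unmap window, and the way a permanently mapped shadow pool closes both, can be seen in a small model. The C program below is an added illustration and is not code from the paper or from the authors' Linux implementation. It assumes a toy machine (4 pages of 64 bytes, a one-bit-per-page IOMMU table, 16-byte constructed payloads) and places an unrelated kernel secret on the same page as the receive buffer, as a slab allocator might. The device's only access to memory is `device_dma_write`, which succeeds only when the IOMMU maps the target page; each usage model is then run against the same legitimate DMA followed by the same two misbehaving writes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine: 4 physical pages of 64 bytes (page size shrunk for readability). */
#define PAGE_SIZE 64
#define NPAGES 4
#define MEM_SIZE (PAGE_SIZE * NPAGES)
#define PAGE_ADDR(p) ((size_t)(p) * PAGE_SIZE)

typedef struct {
    uint8_t mem[MEM_SIZE];   /* host physical memory */
    bool mapped[NPAGES];     /* IOMMU page table: one entry per page, so protection is page-granular */
} machine_t;

typedef struct {
    int illegal_writes;      /* device writes that landed outside the buffer it was given */
    bool secret_intact;      /* unrelated kernel data sharing the page survived */
    bool packet_delivered;   /* the legitimate payload reached the OS receive buffer */
} result_t;

/* Constructed sample data: 15 printable bytes plus a terminating NUL each. */
static const uint8_t SECRET[16] = "kernel-secret!!";
static const uint8_t PACKET[16] = "legit-rx-packet";
static const uint8_t EVIL[16]   = "XXXXXXXXXXXXXXX";

/* The device's only path to memory: a DMA write the IOMMU honours only if the target page
 * is mapped. Returns true when the write lands, false on an IOMMU fault. */
static bool device_dma_write(machine_t *m, size_t addr, const uint8_t *data, size_t len)
{
    if (len == 0 || addr + len > MEM_SIZE || addr / PAGE_SIZE != (addr + len - 1) / PAGE_SIZE)
        return false;        /* out of range or straddling two pages: not modelled */
    if (!m->mapped[addr / PAGE_SIZE])
        return false;        /* IOMMU fault: page not mapped for this device */
    memcpy(&m->mem[addr], data, len);
    return true;
}

/* Shared scenario (constructed): the OS receive buffer is at page 2 offset 0 and an unrelated
 * secret is on the same page at offset 32, as a slab allocator would place them. After one
 * legitimate DMA the device makes two misbehaving writes: one at the secret, one at the
 * buffer after the OS has consumed the packet and reused that memory. */
#define RX_BUF     PAGE_ADDR(2)
#define SECRET_LOC (PAGE_ADDR(2) + 32)

static void place_secret(machine_t *m) { memcpy(&m->mem[SECRET_LOC], SECRET, sizeof SECRET); }

static void misbehaving_writes(machine_t *m, result_t *r)
{
    if (device_dma_write(m, SECRET_LOC, EVIL, sizeof EVIL))   /* beyond the buffer, same page */
        r->illegal_writes++;
    memset(&m->mem[RX_BUF], 0, sizeof PACKET);                 /* OS reuses the buffer memory */
    if (device_dma_write(m, RX_BUF, EVIL, sizeof EVIL))        /* write after the DMA completed */
        r->illegal_writes++;
    r->secret_intact = memcmp(&m->mem[SECRET_LOC], SECRET, sizeof SECRET) == 0;
}

/* Model 1: conventional zero-copy usage. The OS maps the buffer's page right before the DMA
 * and, for performance, defers the unmap until some later batch. */
static result_t run_zero_copy_model(void)
{
    machine_t m = {0};
    result_t r = {0};
    place_secret(&m);
    m.mapped[2] = true;                                   /* map: whole page, not just 16 bytes */
    device_dma_write(&m, RX_BUF, PACKET, sizeof PACKET);  /* legitimate DMA lands in place */
    r.packet_delivered = memcmp(&m.mem[RX_BUF], PACKET, sizeof PACKET) == 0;
    misbehaving_writes(&m, &r);  /* both land: page granularity + the deferred-unmap window */
    m.mapped[2] = false;                                  /* the deferred unmap, too late */
    return r;
}

/* Model 2: the paper's shadow-buffer usage. Page 0 is a shadow pool that is mapped once and
 * never unmapped; no other page is ever mapped. The OS copies DMAed data out of the shadow. */
static result_t run_shadow_copy_model(void)
{
    machine_t m = {0};
    result_t r = {0};
    const size_t shadow = PAGE_ADDR(0);
    place_secret(&m);
    m.mapped[0] = true;                                   /* permanent shadow-pool mapping */
    device_dma_write(&m, shadow, PACKET, sizeof PACKET);  /* legitimate DMA targets the shadow */
    memcpy(&m.mem[RX_BUF], &m.mem[shadow], sizeof PACKET);/* the copy that replaces zero-copy */
    r.packet_delivered = memcmp(&m.mem[RX_BUF], PACKET, sizeof PACKET) == 0;
    misbehaving_writes(&m, &r);  /* both fault: page 2 is never visible to the device */
    return r;
}

int main(void)
{
    result_t zc = run_zero_copy_model(), sh = run_shadow_copy_model();
    printf("zero-copy: illegal writes landed=%d, secret intact=%d, packet delivered=%d\n",
           zc.illegal_writes, zc.secret_intact, zc.packet_delivered);
    printf("shadow   : illegal writes landed=%d, secret intact=%d, packet delivered=%d\n",
           sh.illegal_writes, sh.secret_intact, sh.packet_delivered);
    return 0;
}
```

Under the zero-copy model both misbehaving writes land, because the mapping covers the whole page and stays live after the OS has finished with the buffer; under the shadow model both fault, while the legitimate payload still reaches the receive buffer through the extra copy. The model deliberately ignores the cost side of the abstract's argument (IOMMU invalidation and its synchronization), which is what makes the copy cheaper in practice.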

    Published in

      ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems
      March 2016
      824 pages
      ISBN: 9781450340915
      DOI: 10.1145/2872362
      General Chair: Tom Conte
      Program Chair: Yuanyuan Zhou

      Copyright © 2016 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States



      Acceptance Rates

      ASPLOS '16 paper acceptance rate: 53 of 232 submissions, 23%. Overall acceptance rate: 535 of 2,713 submissions, 20%.
