The Taub Faculty of Computer Science Events and Talks

The direct memory access (DMA) mechanism allows I/O devices to independently access the memory without CPU involvement, improving performance but exposing systems to malicious DMA attacks. Hardware vendors therefore introduced IOMMUs (I/O memory management units), allowing operating systems to defend themselves by restricting DMAs to specific memory locations. When configured correctly, the latest generation of IOMMUs is thus considered an appropriate solution to the problem. We challenge this perception and uncover a new type of IOMMU-resistant DMA attacks, which are capable of taking over the system by exploiting the fact that IOMMU protection is provided in page granularity, which we find to be too coarse. We demonstrate that the vulnerability is spread across different device drivers and kernel subsystems, making it challenging to come up with a generic, performant fix.