[Workshop] DMA attacks in practice. Exploitation through direct memory access

This Saturday, February 1, 2020, a master class on the practical use of DMA attacks will be held at our Hackspace Neuron in Moscow. Together we will hack into a real computer with an encrypted file system that mimics an ATM or payment terminal.

The workshop is led by ValdikSS and Maxim Goryachy. Behind the bar: Pavel Zhovner.

Direct Memory Access (DMA) is a low-level mode of operation in which devices access the computer’s RAM directly. PCIe, Thunderbolt, and some other devices require it to work. Under normal conditions, DMA is used for faster access to memory without occupying the processor.

With the help of a special “evil” device, an attacker can take control of the PCIe bus and gain full read and write access to the memory of a running computer, even if the system software is protected from penetration.

DMA attacks allow an attacker to:

  • Read and modify data in computer memory, unnoticed by the operating system and antivirus software;
  • Inject code into the OS and running programs;
  • Retrieve any data from running programs: keys, passwords;
  • Bypass the operating system's authentication and authorization;
  • Get access to the file system;
  • Disable antivirus and other software protection.

What will happen in class

Part 1 – Theory

First, we will explain in simple terms how the PCIe bus and memory access work, why such attacks are possible, and what modern means of protection against them exist. We will look at the tools that exist for conducting DMA attacks and at how best to design secure systems.

ValdikSS will share the experience of using a DMA attack to crack the protection of a Japanese slot machine.

Part 2 – Practical lesson

For the attack, we will use two computers: the attacker and the victim. A special “evil” device, which implements the physical layer of PCIe and relays commands from the attacker, is inserted into the victim’s PCIe port. The attacking computer connects to the “evil” board via USB and, through it, sends commands to the victim’s PCIe bus.

A regular x86 computer will act as the victim, and a USB3380 board as the “evil” device. The attacker will use the pcileech framework.

We will look at which devices pcileech supports as attacking hardware and which are better to choose. We will set up an attacker’s stand from scratch based on the USB3380 board.

Initially, the victim computer will have a hard disk encrypted with BitLocker, and login to the operating system will be locked.

We will carry out the following attacks:

  • Windows authentication bypass – logging in to an account without resetting passwords
  • Access to the victim's files. Despite file system encryption, access to files is still possible from within the OS
  • Extracting valuable data from memory – Bitcoin wallet keys, passwords and typed text
  • Installing an imitation of a trojan directly in memory, with no intermediate files on disk

Who this class is for

The lesson will be useful to developers of embedded systems and to those who design terminals, ATMs, machines, and game and gambling machines. You will need basic knowledge of computer hardware.
The pcileech framework is quite simple and has several convenient plugins for typical attacks, so any advanced computer user will be able to learn how to use it.

About the authors

ValdikSS is a security researcher and open source software enthusiast. Author of GoodbyeDPI, a program for bypassing DPI systems, and of JustVPN and Anti-ban. Worked at Digital Security.

Maxim Goryachy is an embedded developer and security researcher at Positive Technologies. He is interested in cryptography, virtualization technologies, reverse engineering and everything related to hardware. He has spoken at 33C3, 34C3 and Black Hat. Together with Mark Ermolov, he found vulnerabilities in Intel ME and Apple macOS firmware.

Venue – Hackspace Neuron

Hackspace Neuron is a community of geeks and techno-enthusiasts in the center of Moscow, with workplaces with professional equipment and a creative atmosphere.

All the money raised will go towards paying rent and developing the hackspace. If you want to support us further, you can embrace us and offer your help.

Attention: all information presented at the master class is for research purposes only. The test bench for vulnerability analysis is not a real-life system and was created specifically for training purposes. The author does not encourage the use of acquired knowledge to commit unlawful acts.
