(1) Thunderclap: A Research Platform for I/O Security; (2) CHERI: Capability Hardware-Enhanced RISC Instructions This is a two-part talk on SRI's joint work with the UK University of Cambridge.
(1) The first part is based on a paper that is part of our CHERI hardware-software development projects
A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, and Robert N. M. Watson, Thunderclap: Exploring Vulnerabilities in Operating-System IOMMU Protection via DMA from Untrustworthy Peripherals, Network and Distributed Systems Security (NDSS 2019), San Diego CA, 24-27 February 2019.
Direct Memory Access (DMA) attacks have been known for many years: DMA-enabled I/O peripherals have complete access to the state of a computer and can fully compromise it including reading and writing all of system memory. With the popularity of Thunderbolt 3 over USB Type-C and smart internal devices, opportunities for these attacks to be performed casually with only seconds of physical access to a computer have greatly broadened. In response, commodity hardware and operating-system (OS) vendors have incorporated support for Input-Output Memory Management Units (IOMMUs), which impose memory protection on DMA, and are widely believed to protect against DMA attacks. We investigate the state-of-the-art in IOMMU protection across OSes using a novel I/O-security research platform, and find that current protections fall short when faced with a functional network peripheral that uses its complex interactions with the OS for ill intent. We describe vulnerabilities in macOS, FreeBSD, and Linux, which notionally utilize IOMMUs to protect against DMA attackers. Windows uses the IOMMU only in limited cases. and it remains vulnerable. Using Thunderclap, an open-sourced FPGA research platform that we built, we explore new classes of OS vulnerability arising from inadequate use of the IOMMU. The complex vulnerability space for IOMMU-exposed shared memory available to DMA-enabled peripherals allows attackers to extract private data (sniffing cleartext VPN traffic) and hijack kernel control flow (launching a root shell) in seconds using devices such as USB-C projectors or power adapters. We have worked closely with OS vendors to remedy these vulnerability classes, and they have now shipped substantial feature improvements and mitigations as a result of our work. The paper and subsequent developments are at http://www.thunderclap.io.
(2) The second part of this talk is a summary of the ongoing CHERI (Capability Hardware-Enhanced RISC Instructions) hardware-software developments, which began in 2010. Several hardware prototype variants exist with full operating system and compiler support. Tech transfer is ongoing.
Peter G. Neumann has been in the Computer Science Lab at SRI International since 1971, where he is now Chief Scientist, after 10 years at Bell Labs in Murray Hill NJ, included five years working on Multics. He taught courses at Darmstadt 1960, Stanford 1964, Berkeley 1970-71, and Maryland 1999. He is deeply indebted to Adele Goldberg when she was ACM President. Her foresight initiated the ACM Forum on Risks to the Public in 1985 ( http://www.risks.org ), which he created and has moderated ever since. The CACM Inside Risks series started in 1990, and is still going ( http://www.csl.sri.com/neumann/insiderisks.html ). His website is biographical and contains numerous references to papers, reports, and other efforts ( www.csl.sri.com/neumann ).