Direct Memory Access (DMA) attacks are typically performed in real time by an attacker who gains physical access to a high-speed expansion port on a target device, and can be used to recover full-disk encryption keys and other sensitive data from memory, bypass authentication, or modify process memory to facilitate backdoor access. To conduct the attack, an attacker connects a hardware device to a victim's Thunderbolt or ExpressCard port and reads physical memory pages from the target. Recent research has demonstrated the practicality and scope of these attacks to a general audience. Notable work includes Ulf Frisk's PCILeech framework, Trammell Hudson's Apple EFI firmware research ('Thunderstrike' I/II), the SLOTSCREAMER hardware implant by Joe Fitz, and most recently the release of the 'Thunderclap' tool and related academic research.
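The attack described above only succeeds when a newly attached device is granted unrestricted DMA, so the host-side question a defender asks is whether the kernel's IOMMU is isolating devices and what the Thunderbolt security level is set to. The shell script below is an added example written for this page, not code from the talk or from the PicoDMA project. It assumes the Linux sysfs layout (IOMMU groups under /sys/kernel/iommu_groups, the Thunderbolt security level under /sys/bus/thunderbolt/devices/domain*/security), reports a heuristic verdict, and takes an optional root directory so the verdict logic can be exercised against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Added example (not part of the talk abstract): read-only check of the two
# Linux knobs that decide whether a hot-plugged PCIe/Thunderbolt device may
# read arbitrary physical memory. Assumes the sysfs paths documented by the
# kernel; the optional argument overrides /sys so the logic can be tested
# against a constructed directory tree.

dma_protection_status() {
    root="${1:-/sys}"

    # Count IOMMU groups. Zero groups means no IOMMU is active, so any
    # DMA-capable device sees the whole of physical RAM.
    groups=0
    for g in "$root"/kernel/iommu_groups/*/; do
        if [ -d "$g" ]; then
            groups=$((groups + 1))
        fi
    done

    # Thunderbolt security level: "none" admits every device without
    # approval; "user", "secure", "dponly", "usbonly", "nopcie" restrict it.
    # "absent" means no Thunderbolt domain was found under this root.
    tb="absent"
    for s in "$root"/bus/thunderbolt/devices/domain*/security; do
        if [ -r "$s" ]; then
            tb=$(cat "$s")
        fi
    done

    # Heuristic verdict (an assumption of this example, not a kernel API):
    # no IOMMU groups   -> exposed
    # IOMMU on, TB none -> partial (isolation exists, but any device is admitted)
    # otherwise         -> protected
    if [ "$groups" -eq 0 ]; then
        verdict="exposed"
    elif [ "$tb" = "none" ]; then
        verdict="partial"
    else
        verdict="protected"
    fi

    printf '%s iommu_groups=%s thunderbolt_security=%s\n' "$verdict" "$groups" "$tb"
}

# Running the script directly reports on the live system (or on "$1" if given).
dma_protection_status "$@"
```

The verdict is deliberately coarse: an IOMMU that is present but configured in passthrough mode still leaves devices unisolated, and Windows hosts expose the equivalent state through Kernel DMA Protection rather than sysfs, so treat "protected" here as "the basic Linux controls are on" rather than a full assurance.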
Continuing in this vein, this talk will present PicoDMA: a stamp-sized DMA attack platform that leverages the tiny (22 x 30 x 3.8 mm), affordable (~$220 USD) PicoEVB FPGA board from RHS Research, LLC. The PicoEVB is no larger than a laptop's network card but well provisioned: this M.2 2230 form-factor board includes a Xilinx Artix-7 FPGA and supports expansion via digital and analog I/O connectors. Combined with our software, the PicoEVB on its own makes DMA security research possible at a more affordable price point. For real-world DMA attacks, the small size makes the PicoEVB easily embeddable in space-constrained platforms like laptops and routers. We support out-of-band management and payload delivery using radio modules including 802.11, cellular, and LoRa. Adding wireless capabilities to our platform allows interesting variations of a number of existing attacks, which will be discussed.
Our talk will include live demos and a public software release. Attendees will gain an enriched perspective on the risks posed by hardware implants and DMA attacks.