PicoDMA: DMA Attacks at Your Fingertips

Black Hat USA 2019

Presented by: Ben Blaxill, Joel Sandin
Date: Wednesday August 07, 2019
Time: 11:15 - 12:05
Location: Breakers GHI

Direct Memory Access (DMA) attacks are typically performed in real-time by an attacker that gains physical access to a high-speed expansion port on a target device, and can be used to recover full disk encryption keys and other sensitive data from memory, bypass authentication, or modify process memory to facilitate backdoor access. To conduct the attack, an attacker connects a hardware device to a victim's Thunderbolt or ExpressCard port and reads physical memory pages from the target. Recent research has demonstrated the practicality and scope of these attacks to a general audience. Notable work includes Ulf Frisk's PCILeech framework, Trammell Hudson's Apple EFI firmware research ('Thunderstrike' I/II), the SLOTSCREAMER hardware implant by Joe Fitz, and most recently the release of the 'ThunderClap' tool and related academic research.

Continuing in this vein, this talk will present PicoDMA: a stamp-sized DMA attack platform that leverages the tiny (22 x 30 x 3.8mm), affordable (~$220 USD) PicoEVB FPGA board from RHS Research, LLC. The PicoEVB is no larger than a laptop's network card but well provisioned: this M.2 2230 form-factor board includes a Xilinx Artix-7 FPGA, and supports expansion via digital and analog I/O connectors. On its own, the PicoEVB, combined with our software, facilitates DMA security research at a more affordable price point. For real-world DMA attacks, the small size makes the PicoEVB easily embeddable in space-constrained platforms like laptops and routers. We support out-of-band management and payload delivery using radio modules including 802.11, cellular, and LoRa. Adding wireless capabilities to our platform allows interesting variations of a number of existing attacks that will be discussed.

Our talk will include live demos and a public software release. Attendees will gain an enriched perspective on the risks posed by hardware implants and DMA attacks.

Joel Sandin

Joel Sandin is currently a Principal at Latacora, where he helps startups solve pressing application, network, and corporate security problems. Prior to Latacora, Joel was a Senior Security Consultant at Matasano (part of NCC Group), where he performed assessments of commercial and custom software, did numerous system architecture reviews, and conducted network penetration tests. Before Matasano, Joel worked as a Senior Systems Software Engineer in the Network Safety and Network Security groups at Akamai Technologies. Joel has given security talks at Black Hat USA, Toorcon, Shmoocon, and Thotcon.

Ben Blaxill

Ben Blaxill is an independent security consultant. His current research is focused on hardware attacks, FPGA research, and symbolic execution and analysis. Before joining Matasano and integrating into NCC Group, Ben studied mathematics in the UK. His current obsessions with FPGAs and Haskell have been described as both gratuitous and unnecessary.
