Attackers can exploit vulnerabilities in how laptops use memory to force the machine to execute unauthorized code while it is booting up, giving them unauthorized privileges and access to information, researchers said.
Direct Memory Access (DMA) is a processing-efficiency approach built into many modern laptops to speed up how it handles data. Instead of forcing all read/write operations through the laptop CPU, some operations can use DMA to read and write directly into the laptop memory. This is highly efficient, especially for hardware components and peripherals such as PCI cards and network interface cards, but also riskier, since it exposes more of the memory to attack.
Think of a Firewire device that needs to be able to read and write data quickly—it will be slow and cumbersome to do this through normal operating system processes, so the device may read and write system memory directly via DMA.
Manufacturers have integrated hardware-of-trust and chain-of-trust protections such as Unified Extensible Firmware Interface (UEFI) Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security to block unauthorized attempts to read memory, but the protections are not yet comprehensive or widespread enough, said a team of researchers from firmware security company Eclypsium. The team abused DMA in two laptops—a HP ProBook 640 G4 and Dell XPS 13—to illustrate how attackers could still bypass the protections to take control of the kernel and execute malicious code.
“DMA attacks are a particularly powerful class of attacks for any adversary who has compromised firmware locally or remotely on peripheral hardware such as network cards, or who has physical access to a system,” Eclypsium researchers wrote in a report of their findings.
An attacker can “extend control over the execution of the kernel itself,” which could mean anything from executing kernel code on the system, inserting kernel implants, and performing actions, such as spawning system shells, suspending password requirements, installing backdoors, and stealing data.
The point of the research is not to specifically call out two models from two manufacturers, but to illustrate that it was possible to manipulate memory and target the pre-boot process.
DMA attacks can be as simple as physically connecting a malicious device (such as that Firewire drive) to the targeted computer, or by physically opening the case and modifying the internal hardware. Remote attacks are also possible with malware designed to modify the device firmware, but Eclypsium’s team focused on attacks that required physical access.
Built-in hardware-of-trust and chain-of-trust protections are intended to block attempts to tamper with the boot process—to ensure that unauthenticated code does not get executed during the boot process before the operating system loads. But they do no good if DMA attacks bypass the protections. In the case of the Dell laptop, the researchers took advantage of an insecure default BIOS configuration in the laptop’s firmware settings (CVE-2019-18579) that enabled modules for Thunderbolt (a USB-type interface) by default. This allowed the researchers to connect a device to the laptop over Thunderbolt and use a tool called PCILeech to inject malicious code into the boot process.
“An attacker could simply connect to the exposed port of the device without otherwise having to modify the device,” Eclypsium said.
A new BIOS update is now available to correct the issue, and the setting is disabled by default on other platforms that support Thunderbolt, Dell said in its advisory.
There are many components, from hardware to firmware to the operating system, that all need to work together to prevent pre-boot DMA attacks.
With the HP laptop, Eclypsium researchers had to open up the machine because the ProBook had HP Sure Start, which could block attempts to inject unauthorized code into the boot process. While opening up the machine increases the attacker’s risk of being discovered because it is more time-consuming and more obvious that something untoward is happening, it is still a plausible method for a dedicated adversary.
The researchers replaced the M.2 wireless card inside the laptop with a Xilinx SP605 FPGA development platform, which was then connected to an attack machine. The attack involved using a DMA attack technique to target the laptop’s UEFI and modify the system memory during the boot process. This way, it didn’t matter that HP Sure Start verifies BIOS code integrity before CPU execution starts, because the attack code was already in memory.
HP has also released a BIOS update.
Beyond Dell, HP
Laptops from manufacturers other than Dell and HP, and other models other than the XPS and ProBook are likely to also be impacted. The point of the research is not to specifically call out two models from two manufacturers, but to illustrate that it was possible to manipulate memory and target the pre-boot process.
“[P]re-boot processes are an area of weakness across all laptops and servers from many manufacturers,” Eclypsium wrote. “There are many components, from hardware to firmware to the operating system, that all need to work together to prevent pre-boot DMA attacks.”
It will take some time before these protections and capabilities become more mainstream. Intel and AMD have implemented input–output memory management unit (IOMMU) technology to block DMA attacks. However, full protection means building in defenses for DMA within the UEFI firmware as well as the operating system, and there simply aren’t many machines on the market with that level of protection. The first devices with UEFI protections arrived in 2019, according to Eclypsium. Windows 10 didn’t allow DMA protection to remain enabled during the boot process until spring 2018.
It would be easy to underestimate the impact of these attacks by focusing on the fact that these attacks required physical access to the laptops. However, past research has shown that DMA attacks can be possible with malware, which makes having comprehensive built-in protections even more imperative.