Abstract (extended)

Direct Memory Access (DMA) attacks are an often overlooked security issue in various threat models. While addressed in the most recent version of one DMA-capable interconnect, Thunderbolt 4, many users are unaware that major OEMs/ODMs have not addressed DMA-related attack vectors in millions of other deprecated and in-market systems. This proposal presents Kernel DMA Protection Patcher (kdmap-patcher), a Free Software, OS-agnostic UEFI (BIOS) extension created during my Master's thesis work at Eindhoven University of Technology that protects against DMA attack vectors, such as those made possible by Thunderbolt 1-3, USB4, and other modern DMA-enabled interconnects.

Kdmap-patcher was made Free Software as a matter of urgency to help users, and to help motivate vendors to backport Kernel DMA Protection to deprecated and in-market systems. Indeed, after disclosing my security research and mitigation software, Microsoft and Lenovo took steps to protect users. Unfortunately, however, the vast majority of the installed base is left unaddressed, leaving millions of systems vulnerable. For these systems, kdmap-patcher is currently the only mitigation available to help protect against DMA attacks.

As an OS-agnostic UEFI module, kdmap-patcher may be seamlessly integrated into other projects designed to help enhance the boot time security posture. Examples include several NLnet-funded projects, such as TrenchBoot and Heads-OpenPGP, open UEFI implementations such as provided by Coreboot, and FL/OSS projects aiming to harden x86-64 platform security, such as Tails.

The case study in my Master's thesis for kdmap-patcher was to protect vulnerable systems which implement Thunderbolt connectivity. We refer to this research as Thunderspy. Thunderspy is a set of critical security vulnerabilities we found in Intel Thunderbolt, a PCIe-based external I/O interconnect enabling high-bandwidth, low-latency use cases, such as external graphics cards and NVMe-based storage. When exploited, Thunderspy enables malicious actors with brief physical access to read and copy all system data, even under strong threat models incorporating all current boot security practices. For more information, please refer to thunderspy.io.

This webpage accompanies kdmap-patcher's grant proposal as submitted to NLnet on 2024-12-01.


Kdmap-patcher PoC in Action

Patching kDMAp onto victim laptop vulnerable to Thunderspy

Our PoC demo for the Thunderspy attack was performed on a Lenovo P1 from 2019, which did not support kDMAp. We showed how the attack can be used to bypass screen locking and thus gain access to all system data.

In our PoC video for kdmap-patcher (formerly Thunderspy 2), we show a Dell laptop from 2017, thus manufactured long before kDMAp support became available, after installing kdmap-patcher. The operating system confirms that kDMAp is enabled, and attaching a malicious device prompts the same reaction under a DMA attack as on systems that natively support kDMAp.



Full Summary

Thunderbolt is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. One of the exploitation scenarios in Thunderspy is to use the vulnerabilities to get the host computer to accept connections from a malicious Thunderbolt device which then uses DMA to bypass the login screen and to get to the user data.

Kernel DMA Protection (kDMAp) is a term coined by Intel and used by Microsoft Windows and by Linux. It describes a mechanism by which the computer memory is partitioned so that each device gets its own region. This is meant to stop attacks such as the above as the malicious device would not be able to read data outside its range. In our Thunderspy documentation we explain that kDMAp can only partially mitigate the attacks; the Thunderspy vulnerabilities still permit attacks similar to BadUSB.

A major problem with Intel's response, which is restricted to recommending the use of kDMAp, is that kDMAp is only available on recent hardware. No systems shipped before 2019 support it, no matter how recent the operating system. We also found that the vast majority of Thunderbolt 3 laptops released between 2019 and today do not offer support, while USB4 does not mandate any mitigations for Thunderspy. This situation leaves millions of consumers with vulnerable devices.

To understand how kDMAp could work as a mitigation on supported systems, some details of how it works are needed. The partitioning of memory is done by an Input-output memory management unit (IOMMU). Intel CPUs since the Haswell generation (2013) provide an IOMMU, but it was not used to control DMA via the Thunderbolt interface. Support for kDMAp was included in Windows with release 1803 in March 2019 and in Linux with kernel 5.0. However, kDMAp also requires support in UEFI (BIOS), and we identified this as the main obstacle to providing kDMAp on more systems.

In our investigation we found that support for kDMAp is signaled during the boot process through the ACPI DMAR table. Updating this table on older systems, which do not natively claim support for kDMAp, makes the operating system use the IOMMU features of the CPU to partition memory. Systems booted this way behave the same as systems that support kDMAp natively, both in terms of functionality and defense. We verified that Thunderbolt access continues to work for authorized devices at high speed, including external graphics cards, and that attempting a DMA attack causes the system to crash (bluescreen), which is the same reaction as on systems with native kDMAp support.

As part of our ongoing research, we present two options that aim to bring Kernel DMA Protection to Thunderbolt-equipped systems that do not ship Kernel DMA Protection, but do satisfy all hardware and firmware requirements. These options currently include:

  • kdmap-patcher: An experimental, OS-agnostic UEFI extension that serves as a drop-in patch requiring no changes to the operating system.
  • Upgrading ACPI tables via initrd: A guide outlining how to manually patch the ACPI DMAR table on Linux.
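To make the DMAR mechanism above concrete, here is an added example (an illustration written for this page, not kdmap-patcher's own code nor the initrd guide): it decodes the ACPI DMAR header, reports whether the DMA_CTRL_PLATFORM_OPT_IN flag that the OS reads as the kDMAp signal is set, and produces a patched copy with the flag set and the ACPI checksum recomputed, which is the core of what the initrd guide does by hand. It runs on a constructed minimal table; on a real system the input would be the DMAR image saved from firmware, and the rest of the table (DRHD units, RMRRs) must already be correct for the IOMMU to be usable.

```python
import struct

# Standard 36-byte ACPI table header: Signature, Length, Revision, Checksum,
# OEM ID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFF = 9
HAW_OFF = ACPI_HDR.size        # DMAR host address width (stored as width - 1)
FLAGS_OFF = ACPI_HDR.size + 1  # DMAR flags byte, followed by 10 reserved bytes
# DMAR flag bits as defined in the Intel VT-d specification
DMAR_INTR_REMAP = 1 << 0
DMAR_PLATFORM_OPT_IN = 1 << 2  # DMA_CTRL_PLATFORM_OPT_IN_FLAG: the kDMAp signal

def acpi_checksum(table: bytes) -> int:
    """A valid ACPI table sums to zero modulo 256 over its whole length."""
    return sum(table) & 0xFF

def fix_checksum(table: bytearray) -> bytearray:
    table[CHECKSUM_OFF] = 0
    table[CHECKSUM_OFF] = (-sum(table)) & 0xFF
    return table

def parse_dmar(table: bytes) -> dict:
    """Validate a raw DMAR image and decode the fields the OS keys off."""
    sig, length, _rev, _csum, oem_id, *_ = ACPI_HDR.unpack_from(table)
    if sig != b"DMAR":
        raise ValueError("not a DMAR table")
    if length != len(table) or acpi_checksum(table) != 0:
        raise ValueError("bad length or checksum")
    flags = table[FLAGS_OFF]
    return {
        "oem_id": oem_id.decode("ascii").strip(),
        "host_address_width": table[HAW_OFF] + 1,
        "intr_remap": bool(flags & DMAR_INTR_REMAP),
        "platform_opt_in": bool(flags & DMAR_PLATFORM_OPT_IN),
    }

def set_platform_opt_in(table: bytes) -> bytes:
    """Return a copy with the opt-in flag set and the checksum recomputed."""
    patched = bytearray(table)
    patched[FLAGS_OFF] |= DMAR_PLATFORM_OPT_IN
    return bytes(fix_checksum(patched))

def build_sample_dmar(flags: int) -> bytes:
    """Constructed minimal DMAR (not from real firmware): header, 39-bit HAW,
    the given flags, reserved bytes, one DRHD unit with INCLUDE_PCI_ALL set."""
    drhd = struct.pack("<HHBBHQ", 0, 16, 1, 0, 0, 0xFED90000)
    body = bytes([38, flags]) + b"\x00" * 10 + drhd
    hdr = ACPI_HDR.pack(b"DMAR", ACPI_HDR.size + len(body), 1, 0,
                        b"SAMPLE", b"SAMPLE00", 1, b"INTL", 1)
    return bytes(fix_checksum(bytearray(hdr + body)))
```

On Linux, whether the kernel actually applied the protection after such a table change can be checked in /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection.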


Roadmap

In this section, we outline a detailed list of long-term goals envisioned for kdmap-patcher. Currently, these include:

  1. Migrate to EDK stable 2022 or later: retarget kdmap-patcher to a recent EDK stable version to enable building on modern GCC versions (13.2+)
  2. Add Secure Boot support: implement support for Shim's shim_lock protocol and self-signed Machine Owner Keys (MOKs)
  3. Reproducible builds: to improve transparency and user trust, refactor the kdmap-patcher and EDK2 build infrastructure to 1) enable building kdmap-patcher in a containerized, stateless build environment, and 2) enable fully binary reproducible builds [2][3] across all supported build environments
  4. Reproducible builds: set up a CI/CD pipeline to provide pre-built, binary reproducible builds
  5. Debugging: greatly improve the kdmap-patcher debugging experience by fully automating building and deploying kdmap-patcher in a QEMU/KVM instance on Linux, using distro-provided UEFI; investigate and implement similar options for Windows, if possible
  6. Installer: create a user-friendly installer for easy deployment on Windows and Linux
    - Target platforms:
      - Windows: all Windows 10 and Windows 11 builds currently in mainstream support (10: 21H2, 22H2 [4]; 11: 23H2, 24H2 [5])
      - Linux: all Ubuntu and Debian LTS versions currently in standard support (Ubuntu: 20.04, 22.04, 24.04 [6]; Debian: 11, 12 [7])
    - Windows + Linux: automate MOK-signing kdmap-patcher and enrolling the corresponding MOK into shim's key store
    - Windows + Linux: provide an easy, ideally one-line (or one-click) method to uninstall kdmap-patcher
    - Windows-specific: set up shim as a first-stage bootloader, and implement a method that helps prevent Windows updates from overwriting shim and kdmap-patcher on the EFI System Partition. In this context, caution will be necessary in appropriately handling BitLocker measured boot (TPM PCR7-based key escrow).
    - Linux-specific: implement a method that helps prevent GRUB2 updates from overwriting kdmap-patcher, or inadvertently dropping the latter from the UEFI boot chain
  7. Installer: create an automation-friendly installer for enterprise deployment
    - Target platforms: same as above
  8. Accommodate vendor-specific UEFI firmware bugs: investigate and implement quirks for the most prevalent vendor-specific UEFI firmware bugs that limit or prevent IOMMU operation. Example cases, observed during our research, include:
    - Incorrectly configured ACPI DMAR tables: systems may ship an incorrectly configured DMAR table, rendering DMA and interrupt remapping unreliable or completely inoperable
    - Incomplete or incorrectly configured ACPI SSDT table: systems may not declare Thunderbolt-related PCIe root ports as external (the "ExternalFacingPort" ACPI property), thus preventing the Kernel DMA Protection opt-in from being applied to Thunderbolt downstream PCIe endpoints
    - DMAR table inadvertently configured for PCIe passthrough: due to firmware code re-use, firmware on non-enterprise systems might inadvertently dedicate the IOMMU to PCIe passthrough, causing unnecessary resource conflicts
  9. Provide kdmap-patcher support for 5 years: keep track of UEFI, Windows and Linux kernel/distro updates, as they might break kdmap-patcher functionality; investigate and release fixes to address these as necessary
  10. Expand protection scope: investigate the possibility of expanding kdmap-patcher's protection scope to cover additional PCIe-based interconnects, such as internal M.2 slots, and other external DMA-capable interconnects, such as CFExpress and SDExpress.
    - Recent research on SDExpress security [15] once more highlights the pressing need for kdmap-patcher's DMA attack mitigations.

If time permits, we will also pursue the following additional goals:

  1. Add Secure Boot support: submit kdmap-patcher for Microsoft 3rd Party UEFI signing [8]
    - Requires purchasing an EV code signing certificate [9]
    - Requires purchasing a FIPS-compliant (140-2 Level 2 or higher) HSM [10]
  2. Intel-based Macs: when running any OS other than macOS (e.g. Windows on Boot Camp), Intel-based Apple Macs disable all Thunderbolt security [11]. Investigate the possibility of expanding kdmap-patcher's protection scope to cover Apple Macs. We expect this to be particularly challenging, as Mac UEFI is generally known to ship a stripped-down, highly restrictive and occasionally non-spec-conformant (for understandable reasons) UEFI API.


References

[1] Cyber Security Next Generation (22 Nov 2023), "Best Cybersecurity Master Thesis Award in the Netherlands", https://csng.nl/index4920.html?q=node/45
[2] Reproducible Builds (10 May 2022), "When is a build reproducible?", https://reproducible-builds.org/docs/definition/
[3] VMware (12 July 2022), "What Makes a Build Reproducible", https://blogs.vmware.com/opensource/2022/07/12/what-makes-a-build-reproducible-part-1/
[4] Microsoft (8 August 2024), "Windows 10 release information", https://learn.microsoft.com/en-us/windows/release-health/release-information
[5] Microsoft (11 Dec 2024), "Windows 11 release information", https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
[6] Canonical (4 April 2024), "Ubuntu release cycle", https://ubuntu.com/about/release-cycle
[7] Debian Project (15 Aug 2024), "Debian Long Term Support", https://wiki.debian.org/LTS
[8] Microsoft Hardware Dev Center (28 Jan 2021), "UEFI Signing Requirements", https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916
[9] Comodo SSLStore (1 Dec 2024), "Comodo EV Code Signing Certificate", https://comodosslstore.com/code-signing/comodo-ev-code-signing-certificate
[10] Yubico (1 Dec 2024), "YubiKey 5C NFC FIPS", https://www.yubico.com/nl/product/yubikey-5-fips-series/yubikey-5c-nfc-fips/
[11] Thunderspy (10 May 2020), "Thunderspy Q&A: 'I have an Apple Mac. Am I affected?'", https://thunderspy.io/#affected-apple-systems
[12] Björn Ruytenberg (6 August 2020), "Kernel DMA Protection Patcher (kdmap-patcher)", https://codeberg.org/BjornRuytenberg/kdmap-patcher
[13] Björn Ruytenberg (22 Nov 2023), "When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security", Microsoft's response to Thunderspy (slide 15), https://nautilus.bjornweb.nl/files/When-Lightning-Strikes-Thrice-Breaking-Thunderbolt-3-Security-bcmt-20231122.pdf
[14] Björn Ruytenberg (22 Nov 2023), "When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security", Lenovo's response to Thunderspy (slide 22), https://nautilus.bjornweb.nl/files/When-Lightning-Strikes-Thrice-Breaking-Thunderbolt-3-Security-bcmt-20231122.pdf
[15] Positive Technologies (5 Dec 2024), "New dog, old tricks: DaMAgeCard attack targets memory directly thru SD card reader", https://swarm.ptsecurity.com/new-dog-old-tricks-damagecard-attack-targets-memory-directly-thru-sd-card-reader/