CWE-1190 details

CWE-1190

DMA Device Enabled Too Early in Boot Phase
Status: Draft
Published: 2020-02-24 00:00 +00:00
Last modified: 2023-06-29 00:00 +00:00

Name: DMA Device Enabled Too Early in Boot Phase

The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.

CWE description

DMA is included in a number of devices because it allows data transfer between the computer and the connected device, using direct hardware access to read or write main memory without any OS interaction. An attacker could exploit this to access secrets. Several virtualization-based mitigations have been introduced to thwart DMA attacks; these are usually configured during boot. However, certain IP blocks that are powered up before boot is complete (known as early boot IPs) may be DMA capable. Such IPs, if not trusted, could launch DMA attacks and gain access to assets that should otherwise be protected.

General information

Modes of introduction

Architecture and Design

Applicable platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: System on Chip (Undetermined)

Common consequences

Scope            Impact                                        Likelihood
Access Control   Bypass Protection Mechanism, Modify Memory    High

Note: DMA devices have direct write access to main memory and, because of when the attack takes place, will be able to bypass OS or bootloader access control.

Potential mitigations

Phases: Architecture and Design
Utilize an IOMMU to orchestrate IO access from the start of the boot process.
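As an added example that is not part of the CWE entry, the following Python script audits a kernel boot log for the ordering this mitigation requires: the IOMMU must be active before any PCI function is granted bus mastering (and thus the ability to issue DMA). The log message formats and the sample lines are constructed assumptions for illustration, not captured output.

```python
# Added example (not from the CWE entry): audit a kernel boot log to confirm the
# IOMMU was active before any device was granted bus mastering (i.e. could DMA).
# The message formats and sample lines below are constructed for illustration.
import re
from typing import NamedTuple, Optional

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
# Assumed markers that DMA remapping (IOMMU) is active.
IOMMU_READY_RE = re.compile(r"DMAR: IOMMU enabled|AMD-Vi: IOMMU enabled")
# Assumed marker that a PCI function was allowed to become a bus master.
BUS_MASTER_RE = re.compile(
    r"^pci (?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]): enabling bus mastering")

class EarlyDma(NamedTuple):
    bdf: str    # PCI domain:bus:device.function that became DMA-capable
    ts: float   # seconds since boot when that happened

def audit_boot_log(log: str) -> tuple[Optional[float], list[EarlyDma]]:
    """Return (time the IOMMU became active, or None if it never did;
    devices granted bus mastering before that point)."""
    iommu_ts: Optional[float] = None
    early: list[EarlyDma] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if iommu_ts is None and IOMMU_READY_RE.search(msg):
            iommu_ts = ts
        bm = BUS_MASTER_RE.match(msg)
        # A bus master that predates the IOMMU can write any physical
        # address: the CWE-1190 ordering flaw.
        if bm and (iommu_ts is None or ts < iommu_ts):
            early.append(EarlyDma(bm["bdf"], ts))
    return iommu_ts, early

# Constructed sample logs (not captured from a real system).
GOOD_LOG = """\
[    0.050000] DMAR: IOMMU enabled
[    0.900000] pci 0000:00:1c.0: enabling bus mastering
"""
BAD_LOG = """\
[    0.300000] pci 0000:03:00.0: enabling bus mastering
[    0.500000] DMAR: IOMMU enabled
[    0.900000] pci 0000:00:1c.0: enabling bus mastering
"""

if __name__ == "__main__":
    print("good:", audit_boot_log(GOOD_LOG))
    print("bad:", audit_boot_log(BAD_LOG))
```

A log with no IOMMU marker at all flags every bus-mastering device, which is the case the description calls out: DMA-capable IPs active with no remapping in place.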

Vulnerability mapping notes

Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related attack patterns

CAPEC-ID    Attack pattern name
CAPEC-180   Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However, configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

References

REF-1038: "DMA attack". https://en.wikipedia.org/wiki/DMA_attack

REF-1039: A. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, Robert N. M. Watson. "Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals". https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-1_Markettos_paper.pdf

REF-1040: Maximillian Dornseif, Michael Becher, Christian N. Klein. "FireWire all your memory are belong to us". http://www.orkspace.net/secdocs/Conferences/CanSecWest/2005/0wn3d%20by%20an%20iPod%20-%20Firewire1394%20Issues.pdf

REF-1041: Rory Breuk, Albert Spruyt, Adam Boileau. "Integrating DMA attacks in exploitation frameworks". https://www.os3.nl/_media/2011-2012/courses/rp1/p14_report.pdf

REF-1042: Maximillian Dornseif. "Owned by an iPod". https://web.archive.org/web/20060505224959/https://pacsec.jp/psj04/psj04-dornseif-e.ppt

REF-1044: Dmytro Oleksiuk. "My aimful life". http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html

REF-1046: A. Theodore Markettos, Adam Boileau. "Hit by a Bus: Physical Access Attacks with Firewire". https://security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf

Submission

Name: Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi
Organization: Intel Corporation
Submission date: 2019-10-15 +00:00
Publication date: 2020-02-24 +00:00
Version: 4.0

Modifications

Name               Organization   Date                Comment
CWE Content Team   MITRE          2020-08-20 +00:00   updated Related_Attack_Patterns
CWE Content Team   MITRE          2023-04-27 +00:00   updated References, Relationships
CWE Content Team   MITRE          2023-06-29 +00:00   updated Mapping_Notes