That's a solid writeup on the history of external DMA attacks! Very nicely done, and well worth a read.
This sort of thing is why QubesOS tends to put hardware controllers in isolated VMs and only pass access through. With a working IOMMU (any modern hardware has this), all you can get is DMA access into a VM that doesn't actually have much of interest in it, and no access into other VMs...
//EDIT: Though at a closer read, there's some that... isn't quite right, in how terms and examples are done. I'd expect better from someone doing low level security work - INB copies to a general purpose register, not a memory address, a DMA controller is a "discrete" bit of hardware, it's not very "discreet," etc. I'm not sure. This is starting to feel very AI-assisted to me. The overall concepts are fine, but a lot of the background section doesn't read reasonably, or goes off into weird weeds and... never explores them. The Intel Xeon is not a less exotic example of a DMA controller. The PC/AT platform did not have a PCI bus.
Eh. I remain convinced it's a decent enough overview of the matter, but a lot of the details just read really weird to me in the background sections. To the point that this could be an interview discussion question. "What does this get subtly wrong?"
The Russian version of this article, published slightly earlier AFAIU ( https://habr.com/ru/companies/pt/articles/863536/ ), does not look very AI-assisted, but still contains some of the weird moments you mentioned.
"discreet" looks like a translation error; in the Russian version the word "special" is used. PC/AT is still there, as well as the Xeon example (the latter does not seem "not quite right" to me).
> With a working IOMMU (any modern hardware has this)...
I agree with the "IOMMU" part, but my experience with the "working" part is more hit-or-miss.
> The Intel Xeon is not a less exotic example of a DMA controller.
The full context is:
> The DMA controller is just used as an “memcpy() hardware accelerator”. And this is not a joke. Sometimes those blocks are used in microcontrollers to copy large swathes of data inside RAM. A less exotic example of this we can mention are Intel Xeon platforms.
I interpreted this as a reference to the Data Streaming Accelerator (DSA) [1], which is a programmable DMA peripheral on the SoC that can be used to accelerate writes to and from I/O devices (amongst other things).
[1]: https://www.intel.com/content/www/us/en/products/docs/accele...
> all you can get is DMA access into a VM that doesn't actually have much of interest in it, and no access into other VMs...
Of course you have to ensure that you harden the interface between that VM and the host sufficiently.
Thank you for noticing (and reading at all). We'll try to fix these asap. "INB" is a genuine mistake, "PC/AT" should be "PS/2" and "discreet" is a translation error.
Some Xeon chips have additional DMA controllers "onboard".
No AI was used, each mistake here is handmade with love and 100% organic :) We wanted to give a decent (but not too deep) historical overview; however, first and foremost we introduce a new vector to conduct the attack.