Ruslan Rakhmetov, Security Vision
Most cyberattacks are carried out remotely: attackers prefer to act from a distance without risking their physical safety during the intrusion. However, a number of dangerous attacks require physical access to the target host; for example, a device can be compromised after a seemingly harmless flash drive is connected to it. Attacks such as Juice jacking (abusing USB "charging" ports in public places), the use of BadUSB devices (for example, USB Rubber Ducky), and planting mini-PCs such as Raspberry Pi or Flipper Zero inside the target infrastructure have all become common practice for both penetration testers and advanced attackers. In this article, we discuss direct memory access (DMA) attacks, which also require physical access to the target device.
First, a brief description of what direct memory access (DMA) is. Memory here means random access memory (RAM), which stores data and code (instructions executed by the CPU, the central processing unit). Starting with the Intel 80386 processor, released in 1985, CPUs gained a number of features that are still in use:
1) The Protection Rings security mechanism: privilege separation in the x86 architecture, in which the OS kernel and kernel-level drivers run at the most privileged level ("Ring 0", kernel mode), other drivers run at the "Ring 1" and "Ring 2" levels, and user applications run at the least privileged level, "Ring 3" (user mode). Modern operating systems usually use only "Ring 0" and "Ring 3", and deeper levels have been added: the hypervisor of the hardware virtualization subsystem at "Ring -1", System Management Mode (SMM) at "Ring -2", and the chipset management subsystem with a separate microprocessor (for example, Intel Management Engine Interface or AMD Platform Security Processor) at "Ring -3". Code running at a more privileged level can access the code and data of a less privileged level, but not vice versa (for example, a hypervisor at "Ring -1" has unlimited access to the OS kernel at "Ring 0", while a user program cannot access the OS kernel).
2) Virtual memory and its protection: all user programs at "Ring 3" work with virtual memory rather than physical memory, which isolates the memory (data and code) of applications from each other. Virtual addresses are translated to physical addresses by a dedicated hardware unit, the memory management unit (MMU). Virtual memory protection prevents a process from accessing memory that is not allocated to it: a process can be denied access to a memory region entirely, denied only write access to it, or denied execution of its contents. Modern CPUs and operating systems use memory protection technologies such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Structured Exception Handling Overwrite Protection (SEHOP) and a number of others.
3) Paged memory (RAM is divided into fixed-size areas called "pages", and virtual addresses are mapped to physical ones page by page) and multitasking (different processes run independently of each other).
Processor and operating system developers have thus invested significant resources in protecting RAM: it is where encryption keys, passwords and confidential information are processed, and where highly privileged processes keep their executable code and write the results of their work. Although solutions exist for encrypting RAM and for using secure dedicated cryptoprocessors (Trusted Platform Module, TPM), in most cases important information that is stored and transmitted in encrypted form is still processed in RAM in clear text, which attracts the attention of cybercriminals. DMA is one method of gaining direct access to RAM, alongside the cold boot attack, which relies on RAM modules retaining information after power is turned off, especially at low temperatures.
Direct Memory Access (DMA) technology was developed for good purposes: as the amount of information stored and processed on external devices grew, devices needed to access RAM quickly, bypassing the CPU. Under normal conditions, the CPU controls the transfer of data between peripherals and RAM, which slows down its other tasks. DMA speeds up work with devices such as external high-speed drives and external graphics, network and audio cards, that is, all peripherals that handle large amounts of information. Such peripherals can be connected via various high-speed interfaces: IEEE 1394 (FireWire), Thunderbolt, USB 3.0/4.0, PCI/PCI Express, SD Express. Various adapters and controllers can also be used, for example, USB 3380 (PCI Express - USB 3.0). Such external devices can be equipped with their own DMA controller (Bus Mastering mode), which controls the transfer of data between the device and RAM and interacts with the CPU only at the start and end of the transfer.
To control how the DMA controller works with RAM, a special Input-Output Memory Management Unit (IOMMU) was developed by analogy with the MMU described above. The IOMMU is an intermediary between RAM and the DMA device: it presents the device with virtual addresses rather than real physical addresses in memory. In addition, in a virtualization environment the IOMMU allows guest operating systems to access host peripherals directly, bypassing the CPU. Over time, processor manufacturers created their own specifications for IOMMU blocks, for example, Intel (VT-d technology), AMD (AMD-Vi technology), ARM (SMMU technology), Apple (DART technology).
However, the use of DMA, even with a protective IOMMU, has its own peculiarities as implemented in various operating systems:
1) OS developers built into the OS architecture the erroneous assumption that peripheral devices can be trusted.
2) Because working with DMA devices through the IOMMU slows down data exchange, IOMMU support is not enabled by default in all operating systems and motherboard firmware. In addition, not all operating systems support the IOMMU at all.
3) The IOMMU may be subject to the spatial sub-page vulnerability: a virtual memory page mapped by the IOMMU may contain not only the data required by the DMA device (small I/O buffers) but also OS kernel buffers, which allows the DMA device to access them. In addition, pointers to device driver functions or OS objects can reside on the same virtual memory page as the DMA device's I/O buffers.
4) The IOMMU may be subject to the temporal deferred invalidation vulnerability: the mapping between virtual and physical memory in the IOMMU is managed by the OS, which, to optimize performance, can invalidate (reset) a mapping with some delay, which allows the DMA device to retain access to memory pages.
5) The PCI Express standard provides the ATS (Address Translation Service) function, which allows a compatible DMA device connected via the PCI Express bus to translate virtual addresses into physical ones on its own, bypassing the IOMMU.
More detailed information about the described vulnerabilities is available in the following publications:
https://thunderclap.io/wp-content/uploads/2024/01/thunderclap-paper-ndss2019.pdf
https://www.cs.tau.ac.il/~mad/publications/eurosys2021-dma.pdf
https://www.usenix.org/system/files/usenixsecurity24-wang-xingkai.pdf
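The spatial sub-page and temporal deferred invalidation issues from points 3 and 4 can be illustrated with a simplified model. This is an added example, not code from the article or from any operating system; the ToyIommu class, the 4 KiB page size and all addresses are assumptions constructed for illustration.

```python
PAGE = 4096  # assumed IOMMU mapping granularity (4 KiB pages)


class ToyIommu:
    """Simplified model: page-granular mappings plus cached translations (IOTLB)."""

    def __init__(self, strict):
        self.strict = strict     # True: drop cached translations on every unmap
        self.page_table = set()  # page numbers the OS currently maps for the device
        self.iotlb = set()       # translations the hardware can still use

    @staticmethod
    def pages(addr, length):
        return range(addr // PAGE, (addr + length - 1) // PAGE + 1)

    def map_buffer(self, addr, length):
        # Access is granted per page, so everything else on the page is exposed too.
        for pfn in self.pages(addr, length):
            self.page_table.add(pfn)
            self.iotlb.add(pfn)  # simplification: cached as soon as it is mapped

    def unmap_buffer(self, addr, length):
        for pfn in self.pages(addr, length):
            self.page_table.discard(pfn)
            if self.strict:
                self.iotlb.discard(pfn)

    def flush(self):
        # The batched invalidation the OS performs later in deferred mode.
        self.iotlb &= self.page_table

    def device_can_access(self, addr):
        return addr // PAGE in self.iotlb


def run_model():
    buf, buf_len = 0x10100, 256  # constructed: small I/O buffer inside one page
    neighbour = 0x10800          # constructed: unrelated kernel object, same page
    results = {}
    for mode, strict in (("deferred", False), ("strict", True)):
        iommu = ToyIommu(strict)
        iommu.map_buffer(buf, buf_len)
        sub_page = iommu.device_can_access(neighbour)  # spatial exposure
        iommu.unmap_buffer(buf, buf_len)
        stale = iommu.device_can_access(buf)           # temporal exposure
        iommu.flush()
        results[mode] = (sub_page, stale, iommu.device_can_access(buf))
    return results
```

In both modes the neighbouring object is reachable while the buffer is mapped; only in deferred mode does the device keep access to the buffer's page between the unmap and the later flush.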
The features described above allow a DMA device to gain unlimited access to all RAM in order to read sensitive information (passwords, encryption keys), unlock a running PC without a password, and run arbitrary code in the most privileged mode ("Ring 0"). Such issues were studied by information security researchers in the mid-2000s: for example, at the CanSecWest conference in 2005, arbitrary code was run on a Windows laptop to which an iPod with customized Linux firmware was connected via FireWire. Such vulnerabilities became widespread in the 2010s: in 2016, for example, an information security researcher demonstrated the extraction of passwords from Mac laptops using a device called PCILeech. That project is still being developed and supports carrying out DMA attacks with the Screamer PCIe Squirrel device. A number of other tools for direct access to RAM are also available; for example, the Inception project allows hosts running Linux or Mac OS X and equipped with a FireWire interface to be used for the attack. DMA access to RAM is also used in computer forensics, for example, in the Rekall Memory Forensic Framework, Volatility Framework and Velociraptor DFIR solutions.
Various solutions and workarounds can be used to protect against DMA attacks:
1) Microsoft proposes using the Kernel DMA Protection (kDMAp) function. If this function is not supported by the CPU or the installed OS version (Windows 10 version 1709 and below), it proposes completely blocking Thunderbolt and IEEE 1394 devices, not using sleep mode, and, together with BitLocker, applying pre-boot authentication, for example, by entering a PIN code when a TPM is used.
2) For Linux, kernel version 5.0 or higher is preferable, as it added support for kDMAp technology.
3) It is recommended to use current versions of UEFI firmware, to enable IOMMU support and the Secure Boot and Trusted Boot technologies in UEFI, and to use modern CPUs that support IOMMU and kDMAp.
4) For the Thunderbolt interface (version 3 and higher), the security level SL2 (Secure Connection) or SL3 (DisplayPort and USB only) can be configured in UEFI.
5) Apply physical security measures: do not leave devices unattended, lock the workstation even when away for a short time, disable unnecessary interfaces in UEFI and set a password for changing UEFI settings.
6) Implement pointer authentication and signing, similar, for example, to the Pointer Authentication technology in the ARM architecture.
7) Apply full-disk encryption (although this does not relate directly to DMA attacks): when virtual memory is used, most operating systems create swap files (a swap file in Linux, pagefile.sys in Windows), which may contain information useful to attackers. In addition, when hibernation mode is used, a special file is created on the device's drive, into which all information from RAM is copied before the device enters this mode.
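On a Linux host, points 2 to 4 can be checked from sysfs. The following is an added example, not code from the article or from any vendor: the function names and the sysroot parameter are this example's own, while the paths are the Linux kernel's IOMMU group directory and the Thunderbolt driver's per-domain `security` and `iommu_dma_protection` attributes.

```python
from pathlib import Path

# Thunderbolt sysfs "security" values that correspond to the article's SL2 and SL3.
STRONG_LEVELS = {"secure": "SL2", "dponly": "SL3"}


def read_attr(path):
    """Return a sysfs attribute as stripped text, or None if it cannot be read."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit_dma_protection(sysroot="/"):
    """Return a list of findings; an empty list means no gap was detected."""
    root = Path(sysroot)  # sysroot is an assumption of this example, used for testing
    findings = []

    # Every isolation group is a directory here; none means DMA remapping is off.
    groups = root / "sys/kernel/iommu_groups"
    if not (groups.is_dir() and any(p.is_dir() for p in groups.iterdir())):
        findings.append("iommu: no IOMMU groups, DMA remapping is not active")

    tb = root / "sys/bus/thunderbolt/devices"
    domains = sorted(tb.glob("domain*")) if tb.is_dir() else []
    for dom in domains:
        level = read_attr(dom / "security")
        if read_attr(dom / "iommu_dma_protection") == "1":
            # IOMMU-based protection covers the domain; firmware on such
            # systems may leave the security level at "none" or "user".
            continue
        if level not in STRONG_LEVELS:
            findings.append(f"{dom.name}: security level {level!r} is below SL2 "
                            "and iommu_dma_protection is not 1")
    return findings


if __name__ == "__main__":
    for line in audit_dma_protection() or ["no DMA protection gaps found"]:
        print(line)
```

A host without Thunderbolt controllers has no `domain*` entries, so only the IOMMU check applies to it.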