6

How can I configure my linux system to be secure against DMA-attacks? Is there a way to make them impossible?

DMA Attacks

excerpt From wikipedia

In modern operating systems, non-system (i.e. user-mode) applications are prevented from accessing any memory locations not explicitly authorized by the virtual memory controller (called the MMU or Memory Mapping Unit). In addition to containing damage from inadvertent software bugs and allowing more efficient use of physical memory, this architecture forms an integral part of the security of a modern operating system. However, kernel-mode drivers, many hardware devices, and occasional user-mode vulnerabilities allow the direct, unimpeded access of the physical memory address space. The physical address space includes all of the main system memory, as well as memory-mapped buses and hardware devices (which are controlled by the operating system through reads and writes as if they were ordinary RAM).

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
student
  • 17,875
  • 31
  • 103
  • 169
  • By *DMA-attacks*, do you mean things like plugging in a rogue Firewire device that then uses DMA to read or modify the machine's RAM? – derobert Oct 04 '13 at 14:57
  • Yes. It doesnt't have to be Firewire, it may also be via PCI, Express-Card or Thunderbold (did I miss any DMA-vulnerable interface?). – student Oct 04 '13 at 15:05
  • 1
    Putting the device behind an IOMMU should prevent that, right? – ninjalj Oct 06 '13 at 21:42

3 Answers3

5

Well in a nutshell, no it's not completely possible to thwart potential attack vectors. Looking at the Wikipedia article there are essentially 4 avenues that you have to be aware of:

  1. kernel-mode drivers
  2. many hardware devices
  3. user-mode vulnerabilities
  4. Social engineering

The best way to mitigate your exposure (which is all you can do when securing something) is control your risk exposure to the above 4 things.

To stop 1, don't give anyone the ability to load kernel drivers. Additionally don't install any unneeded drivers either.

To stop 2, deny people physical access to the system. Use a secure data center which has limited physical access to only the core operators of the computer.

To stop 3, don't allow users the ability to run more applications than are absolutely needed. This goes beyond running, don't install anything beyond what's required. If it's a production server, then don't install gcc on it, for example.

To stop 4, training support staff in the art of detecting a scam.

One additional item is to make sure that updates are installed and vetted in a timely manner. Don't update the system one a year, for example.

slm
  • 363,520
  • 117
  • 767
  • 871
1

Disable thunderbolt and firewire adapters and physically lock the box so someone can't insert a PCI(e) card.

psusi
  • 17,007
  • 3
  • 40
  • 51
0

Take pliers and physically tear off ports or access points on your board, I figure if if the thief can't find a way to physically penetrate the hardware then you are about as safe as safe can get. Just be sure not to damage anything around the surroundings and you should be good. Of course doing so will also render certain points inoperable, so be sure you are absolutely certain you want to attempt that.

user481727
  • 1
  • 1
    ... a somewhat drastic way; perhaps covering the ports with a metal plate is would be less irreversible (although this goes then in the same direction as [psusi's answer](https://unix.stackexchange.com/a/93591/377345)? – AdminBee Jul 15 '21 at 13:27