Run-DMA

9th USENIX Workshop on Offensive Technologies, WOOT 2015

Volumn , Issue , 2015, Pages

  Rushanan, Michael ^a   Checkoway, Stephen ^b  

^a JOHNS HOPKINS UNIVERSITY   (United States)

^b UNIVERSITY OF ILLINOIS AT CHICAGO   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMMODITY HARDWARE; DIRECT MEMORY ACCESS; MAIN MEMORY; MALICIOUS BEHAVIOR; PROOF OF CONCEPT;

COMPUTER HARDWARE;

EID: 85084164551     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (48)

1. Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), August 1996. Online: http://www.phrack.org/issues.html?issue=49&id=14.
2. CoreLinkTM DMA Controller DMA-330. ARM, July 2010. Online: http://infocenter.arm.com/help/topic/com.arm.doc. ddi0424c/DDI0424C_dma330_r1p1_trm. pdf.
3. Malcolm Atkinson, Franǫis Bancilhon, David DeWitt, Klaus Dittrich, David Maier, and Stanley Zdonik. The object-oriented database system manifesto. In Won Kim, Jean-Marie Nicolas, and Shojiro Nishio, editors, Proceedings of DOOD 1989, pages 223–40. Elsevier, December 1989. Online: https://www.cs.cmu.edu/~clamen/OODBMS/Manifesto/Manifesto.PS.gz.
4. Julian Bangert, Sergey Bratus, Rebecca Shapiro, and Sean W. Smith. Page-fault weird machine: Lessons in instruction-less computation. In Proceedings of WOOT 2013. USENIX, August 2013. Online: https://www.usenix. org/conference/woot13/workshopprogram/presentation/Bangert.
5. Michael Becher, Maximillian Dornseif, and Christian N. Klein. FireWire: all your memory are belong to us. Presented at CanSecWest 2005, May 2005. Online: https://cansecwest.com/core05/2005-firewire-cansecwest.pdf.
6. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazieres, and Dan Boneh. Hacking blind. In Proceedings of IEEE Security and Privacy (“Oakland”) 2014, pages 227–42, May 2014.
7. Corrado Böhm. On a family of Turing machines and the related programming language. International Computation Centre Bulletin, 3:187–94, July 1964.
8. Corrado Böhm and Giuseppe Jacopini. Flow diagrams, Turing machines and languages with only two formation rules. Communications of the ACM, 9(5):366–71, May 1966.
9. Adam Boileau. Hit by a bus: Physical access attacks with firewire, September 2006. Online: http://www.security-assessment.com/files/presentations/ab_ firewire_rux2k6-final.pdf.
10. Sergey Bratus, Trey Darley, Michael Locasto, Meredith L. Patterson, Rebecca Shapiro, and Anna Shubina. Beyond planted bugs in “trusting trust”: The input-processing frontier. Security Privacy, IEEE, 12(1):83–87, January 2014.
11. BCM2835 ARM Peripherals. Broadcom Corporation, February 2012. Online: https://www.raspberrypi.org/wpcontent/uploads/2012/02/BCM2835-ARM-Peripherals.pdf.
12. Matthew Brocker and Stephen Checkoway. iSeeYou: Disabling the MacBook web-cam indicator LED. In Proceedings of USENIX Security 2014), pages 337–52. USENIX Association, August 2014. Online: https://www.usenix.org/conference/usenixsecurity14/technicalsessions/presentation/brocker.
13. Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In Paul Syverson and Somesh Jha, editors, Proceedings of CCS 2008, pages 27–38. ACM Press, October 2008.
14. Stephen Checkoway, Ariel J. Feldman, Brian Kantor, J. Alex Halderman, Edward W. Felten, and Hovav Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC Advantage. In David Jefferson, Joseph Lorenzo Hall, and Tal Moran, editors, Proceedings of EVT/WOTE 2009. USENIX/ACCURATE/IAVoSS, August 2009.
15. Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, and Marcel Winandy. Return-oriented programming without returns. In Angelos Keromytis and Vitaly Shmatikov, editors, Proceedings of CCS 2010, pages 559–72. ACM Press, October 2010. Online: https://www.cs.jhu.edu/~s/papers/noret_ccs2010.html.
16. Stephen Dolan. mov is Turing-complete. July 2013. Online: http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf.
17. Loïc Duflot and Yves-Alexis Perez. Can you still trust your network card? Presented at CanSecWest 2010, March 2010. Online: http://www.ssi.gouv.fr/IMG/pdf/cswtrustnetworkcard.pdf.
18. Loïc Duflot, Yves-Alexis Perez, and Benjamin Morin. What if you can’t trust your network card? In Robin Sommer, Davide Balzarotti, and Gregor Maier, editors, Proceedings of RAID 2011, pages 378–397. Springer, September 2011. Online: http://www.ssi.gouv.fr/IMG/pdf/paper.pdf.
19. Dan Farmer. IPMI: Freight train to hell, January 2013. Online: http://fish2.com/ipmi/itrain.pdf.
20. Aurélien Francillon and Claude Castelluccia. Code injection attacks on Harvard-architecture devices. In Paul Syverson and Somesh Jha, editors, Proceedings of CCS 2008, pages 15–26. ACM Press, October 2008.
21. Todd Garrison. Firewire attacks against Mac OS Lion FileVault 2 encryption. September 2011. Online: http://www.frameloss.org/2011/09/18/firewire-attacksagainst-mac-os-lion-filevault-2-encryption/.
22. Dina Q. Goldin, Scott A. Smolka, Paul C. Attie, and Elaine L. Sonderegger. Turing machines, transition systems, and interaction. Information and Computation, 194(2): 101–28, November 2004. Online: http: //www.sciencedirect.com/science/ article/pii/S0890540104001257.
23. Ralf Hund, Thorsten Holz, and Felix Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Fabian Mon-rose, editor, Proceedings of USENIX Security 2009, pages 383–98. USENIX, August 2009.
24. Intel Platform Controller Hub EG20T: Datasheet. Intel, July 2012. Online: http://www.intel.com/content/www/us/en/intelligent-systems/queensbay/platform-controller-hub-eg20tdatasheet.html.
25. Intel Server Platform Group. Intel QuickData technology software guide for Linux, May 2008. Online: http://www.intel.com/content/dam/doc/white-paper/quickdatatechnology-software-guide-forlinux-paper.pdf.
26. Loukas Kalenderidis and Sam Collinson. Thunderbolts and lightning, very very frightening. Presented at SyScan 2014, May 2014. Online: https://www.youtube.com/watch?v=0FoVmBOdbhg.
27. Tim Kornau. Return oriented programming for the ARM architecture. http://zynamics.com/downloads/kornautim--diplomarbeit--rop.pdf, 2009. Master thesis, Ruhr-University Bochum, Germany.
28. Sebastian Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, September 2005. http://www.suse.de/~krahmer/no-nx.pdf.
29. Evangelos Ladakis, Lazaros Koromilas, Giorgos Vasiliadis, Michalis Polychronakis, and Sotiris Ioannidis. You can type, but you can’t hide: A stealthy GPU-based keylogger. In Thorsten Holz and Sotiris Ioannidis, editors, Proceedings of EuroSec 2013. ACM, April 2013. Online: http://www.cs.columbia.edu/~mikepo/ papers/gpukeylogger.eurosec13.pdf.
30. Felix Lidner. Developments in Cisco IOS forensics. CONFidence 2.0. http://www.recuritylabs.com/content/pub/FX_Router_ Exploitation.pdf, November 2009.
31. Charlie Miller. Battery firmware hacking: Inside the innards of a smart battery. Presented at Black Hat Briefings, August 2011. Online: http://media.blackhat.com/bh- us-11/Miller/BH_US_11_Miller_Battery_ Firmware_Public_WP.pdf.
32. HD Moore. A penetration tester’s guide to IPMI and BMCs. July 2013. Online: https://community.rapid7.com/community/ metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi.
33. James Oakley and Sergey Bratus. Exploiting the hard-working DWARF: Trojan and exploit techniques with no native executable code. In Proceedings WOOT 2011. USENIX Association, August 2011. Online: http://dl.acm.org/citation.cfm?id=2028052.2028063.
34. Peter Panholzer. Physical security attacks on Windows Vista, March 2008. Online: https://www.sec-consult.com/fxdata/seccons/prod/downloads/ vista_physical_attacks.pdf.
35. Ryan Roemer. Finding the bad in good code: Automated return-oriented programming exploit discovery. Master’s thesis, UC San Diego, March 2009. Online: https://cseweb.ucsd.edu/~rroemer/doc/thesis.pdf.
36. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. Q: Exploit hardening made easy. In David Wagner, editor, Proceedings of USENIX Security 2011, August 2011. Online: http://users.ece.cmu.edu/~ejschwar/papers/usenix11.pdf.
37. Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Sabrina De Capitani di Vimercati and Paul Syverson, editors, Proceedings of CCS 2007, pages 552–61. ACM Press, October 2007.
38. Rebecca Shapiro, Sergey Bratus, and Sean W. Smith. “Weird machines” in ELF: A spotlight on the underappreciated metadata. In Proceedings of WOOT 2013. USENIX, August 2013. Online: https://www.usenix.org/conference/woot13/workshopprogram/presentation/Shapiro.
39. Solar Designer. Getting around non-executable stack (and fix). Bugtraq, August 1997. Online: http://seclists.org/bugtraq/1997/Aug/0063.html.
40. Vaidyanathan Srinivasan, Anand K. Santhanam, and Madhavan Srinivasan. Cell broadband engine processor dma engines, part 1: The little engines that move data. December 2005. Online: http://www.ibm.com/developerworks/ library/pa-celldmas/.
41. Patrick Stewin. A primitive for revealing stealthy peripheral-based attacks on the computing platform’s main memory. In Proceedings of RAID 2013, pages 1–20, October 2013. Online: http://link.springer.com/chapter/10.1007%2F978-3-642-41284-4_1.
42. Patrick Stewin and Iurii Bystrov. Understanding dma malware. In Proceedings of DIMVA 2012, pages 21–41. Springer-Verlag, July 2012. Online: http://dx.doi.org/10.1007/978-3-642-37300-8_2.
43. Alexander Tereshkin and Rafal Wojtczuk. Introducing ring −3 rootkits. Presented at Black Hat Briefings, July 2009. Online: http://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Ring3Rootkit-SLIDES.pdf.
44. Arrigo Triulzi. Project Maux Mk.II, November 2008. Online: http://www.alchemistowl.org/arrigo/Papers/Arrigo-TriulziPACSEC08-Project-Maux-II.pdf.
45. Arrigo Triulzi. The Jedi packet trick takes over the Deathstar, 2010. Online: http://www.alchemistowl.org/arrigo/Papers/Arrigo-TriulziCANSEC10-Project-Maux-III.pdf.
46. Trusted Computing Group. TCG PC client specific implementation specification for conventional BIOS, July 2005. Online: http://www.trustedcomputinggroup.org/files/temp/64505409-1D09-3519-AD5C611FAD3F799B/ PCClientImplementationforBIOS.pdf.
47. Julien Vanegue. The weird machines in proof-carrying code. In Proceedings of SPW 2014, pages 209–13. IEEE Computer Society, May 2014. Online: http://www.ieee-security.org/TC/SPW2014/papers/5103a209.PDF.
48. Giorgos Vasiliadis, Michalis Polychronakis, and Sotiris Ioannidis. GPU-assisted malware. In Jean-Yves Marion, Noam Rathaus, and Cliff Zhou, editors, Proceedings of MAL-WARE 2010, pages 1–6. IEEE Computer Society, October 2010. Online: http://dcs.ics.forth.gr/Activities/ papers/gpumalware.malware10.pdf.