intro update

This commit is contained in:
Paolo Matarazzo
2023-03-30 10:41:26 -04:00
parent b795fb8cfa
commit 477a52dabd

@ -17,22 +17,16 @@ appliesto:
# Kernel DMA Protection
Kernel DMA Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by direct memory access (DMA) attacks, typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards or other PCI devices, to their devices with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks.
Kernel DMA Protection is a Windows security feature that protects against external peripherals from gaining unauthorized access to memory.
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a device, or injection of malware that allows attackers to bypass the lock screen or control devices remotely.
PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB.\
These devices are DMA-capable, and can access system memory and perform read and write operations without the need for the system processor's involvement. This capability is the reason behind the exceptional performance of PCI devices, but it also makes them susceptible to *drive-by DMA attacks*.
Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take just a few minutes, with simple-to-moderate attacking tools (affordable, off-the-shelf hardware and software), that don't require the disassembly of the device. For example, attackers can plug in a USB-like device while the device owner is on a break, and walk away with all the secrets on the machine, or inject a malware that allows them to have full control over the device remotely while bypassing the lock screen.
> [!NOTE]
> Kernel DMA Protection feature doesn't protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, or ExpressCard.
## Background
PCI devices are DMA-capable, which enables them to access system memory and perform read and write operations without the need for the system processor's involvement. This feature is the reason behind the exceptional performance of PCI devices.
Historically, PCI devices have primarily been found inside devices, either integrated into the motherboard or connected as a card. To access these devices, users had to turn off the system's power and disassemble the chassis.
Today, this is no longer the case with hot plug PCIe ports. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks.
Drive-by DMA attacks are attacks that occur while the owner of the system isn't present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that don't require the disassembly of the device. For example, an attacker can plug in a USB-like device while the device owner is on a break, and walk away with all the secrets on the machine, or inject a malware that allows them to have full control over the PC remotely.
## How Windows protects against DMA drive-by attacks
Windows uses the system *Input/Output Memory Management Unit (IOMMU)* to block external peripherals from starting and performing DMA, unless the drivers for these peripherals support memory isolation (such as DMA-remapping).
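Review bot: the line ending "...with the plug-and-play ease of USB.\" carries a trailing backslash, which Markdown renders as a hard line break; it looks like a leftover from merging the old one-paragraph intro and should be dropped so the sentence flows into "These devices are DMA-capable..." as a normal paragraph. Two smaller points in the same hunk: the opening sentence "protects against external peripherals from gaining unauthorized access to memory" mixes two constructions and reads cleaner as "prevents external peripherals from gaining unauthorized access to memory"; and the attack-duration wording changes from "usually take less than 10 minutes" to "usually take just a few minutes" with "attacking tools" now followed by a comma before the parenthetical, so either confirm the softened figure is intentional or keep the original "less than 10 minutes" and remove the stray comma.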