From 04e916d697afda27bcc91d326feecad0961c9db1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 18 Sep 2018 13:05:13 -0700 Subject: [PATCH 1/2] edit' --- .../kernel-dma-protection-for-thunderbolt.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index fc494015d5..5d4517f58c 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 09/06/2018 +ms.date: 09/18/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -14,6 +14,12 @@ ms.date: 09/06/2018 **Applies to** - Windows 10 +Beginning in 2013, Intel added incremental capabilities to Thunderbolt technology to reduce DMA exposure. +When the host is properly configured with these capabilities, an end user would have to first approve the Thunderbolt peripheral when initially attached to the port, approved as either **Connect Only Once** or **Connect Always**. + +Although this methodology mitigates most physical DMA attacks from un-authorized Thunderbolt devices, if a Thunderbolt device with a PCIe slot is approved as **Connect Always**, a physical “DMA attack” might still be possible given the correct hardware and physical access to a previously approved Thunderbolt device with PCIe expandability (such as PCIe slot or ExpressCard). +Although the **Connect Only Once** option does provide additional mitigation from such attacks, it places an unwelcome burden on the end user who would be required to approve the device every time it’s connected. + In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. From f7da7763b0e7a4ce0a36c36059a511deca081165 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 19 Sep 2018 13:28:36 -0700 Subject: [PATCH 2/2] edited intro --- .../kernel-dma-protection-for-thunderbolt.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 5d4517f58c..17127719eb 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 09/18/2018 +ms.date: 09/19/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -14,17 +14,13 @@ ms.date: 09/18/2018 **Applies to** - Windows 10 -Beginning in 2013, Intel added incremental capabilities to Thunderbolt technology to reduce DMA exposure. -When the host is properly configured with these capabilities, an end user would have to first approve the Thunderbolt peripheral when initially attached to the port, approved as either **Connect Only Once** or **Connect Always**. - -Although this methodology mitigates most physical DMA attacks from un-authorized Thunderbolt devices, if a Thunderbolt device with a PCIe slot is approved as **Connect Always**, a physical “DMA attack” might still be possible given the correct hardware and physical access to a previously approved Thunderbolt device with PCIe expandability (such as PCIe slot or ExpressCard). -Although the **Connect Only Once** option does provide additional mitigation from such attacks, it places an unwelcome burden on the end user who would be required to approve the device every time it’s connected. - In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. +For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation. + ## Background PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.