NorthSec 2020 (Online Edition)

IOMMU and DMA attacks
2020-05-15, 14:20–15:05, Twitch

Direct Memory Access (DMA) technology allows peripherals to access RAM without going through the CPU. DMA improves performance but raises security issues, and an IOMMU was introduced to address these concerns.

This talk presents the current state of knowledge on Direct Memory Access attacks aimed at unlocking a user logon session. It first covers how the Input Output Memory Management Unit (IOMMU)[1] works and how it is integrated into the main operating systems (Windows, macOS and Linux). It then explains the existing DMA attacks that use an external peripheral against a powered-on computer, with a particular focus on IOMMU bypasses on macOS up to version 10.12.4. These attacks give access to a valid logon session even when the computer is locked. This research was performed to prepare Synacktiv's upcoming French RAPID project, DMArvest.
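Since the abstract hinges on whether the IOMMU is actually enforcing DMA remapping on a running host, a defender's first question is "is VT-d on, and is it really translating?" The following is an added example (not material from the talk or from Synacktiv) showing how that check can be scripted on Linux from kernel log lines and the boot command line. The sample log lines are constructed; their wording follows the `DMAR:` / `iommu:` messages the Linux kernel prints as far as I know them, but exact phrasing varies between kernel versions, so treat the matched strings as assumptions to adjust for your kernel. The caveat it encodes is that `iommu=pt` (passthrough) leaves the IOMMU enabled but identity-maps devices, which gives no protection against a malicious peripheral.

```python
import re

# Constructed sample dmesg excerpts (not captured from a real machine).
SAMPLE_DMESG_ON = """\
[    0.012345] DMAR: IOMMU enabled
[    0.456789] DMAR: Intel(R) Virtualization Technology for Directed I/O
[    0.456800] iommu: Default domain type: Translated
"""

SAMPLE_DMESG_PASSTHROUGH = """\
[    0.012345] DMAR: IOMMU enabled
[    0.456800] iommu: Default domain type: Passthrough (set via kernel command line)
"""

# ACPI exposes a DMAR table, but the kernel never reports "IOMMU enabled":
# VT-d is present in firmware yet not activated by the kernel.
SAMPLE_DMESG_OFF = """\
[    0.001234] ACPI: DMAR 0x000000007C8F2000 0000A8 (v01 INTEL  EDK2 ...)
"""

VERDICT_NONE = "no DMA remapping: a peripheral can read or write any physical memory"
VERDICT_PT = "IOMMU enabled but passthrough: devices are identity-mapped, no DMA protection"
VERDICT_OK = "DMA remapping active"


def assess_vtd(dmesg_text, cmdline):
    """Summarise the VT-d state from a dmesg dump and /proc/cmdline contents.

    The message strings below are assumptions about kernel wording, not an
    authoritative list; adapt them to the kernel you are checking.
    """
    findings = {
        "iommu_enabled": False,      # kernel reported "DMAR: IOMMU enabled"
        "default_domain": None,      # Translated / Passthrough / None if unknown
        "passthrough": False,        # identity mapping in force (no protection)
        "cmdline_flags": [],         # intel_iommu= / iommu= tokens seen
    }
    for line in dmesg_text.splitlines():
        if "DMAR: IOMMU enabled" in line:
            findings["iommu_enabled"] = True
        m = re.search(r"iommu: Default domain type: (\w+)", line)
        if m:
            findings["default_domain"] = m.group(1)
            if m.group(1).lower() == "passthrough":
                findings["passthrough"] = True
    for tok in cmdline.split():
        if tok.startswith(("intel_iommu=", "iommu=")):
            findings["cmdline_flags"].append(tok)
            if tok == "iommu=pt":
                findings["passthrough"] = True
    if not findings["iommu_enabled"]:
        findings["verdict"] = VERDICT_NONE
    elif findings["passthrough"]:
        findings["verdict"] = VERDICT_PT
    else:
        findings["verdict"] = VERDICT_OK
    return findings


if __name__ == "__main__":
    # On a live host you would feed it `dmesg` output and open("/proc/cmdline").read().
    for name, log, cmd in (
        ("translated", SAMPLE_DMESG_ON, "BOOT_IMAGE=/vmlinuz intel_iommu=on"),
        ("passthrough", SAMPLE_DMESG_PASSTHROUGH, "intel_iommu=on iommu=pt"),
        ("disabled", SAMPLE_DMESG_OFF, "quiet splash"),
    ):
        print(name, "->", assess_vtd(log, cmd)["verdict"])
```

A complementary check is whether `/sys/kernel/iommu_groups/` contains any group directories at all: an empty directory means no device is under IOMMU protection, regardless of what the firmware advertises.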

[1] Only Intel VT-d technology will be discussed in this talk.


A former pentester, I used to play a lot with Microsoft Active Directory infrastructures, on both the defensive and offensive sides, at Synacktiv, a French offensive security company. I am now in the Reverse Engineering team within my company, focusing on Windows and hardware topics.