Kernel and pre-boot DMA Protection

Kernel Direct Memory Access (DMA) Protection is a Windows security feature that protects against external peripherals gaining unauthorized access to memory. PCIe hot-plug ports let users attach new classes of external peripherals, including graphics cards, to their devices with the plug-and-play ease of USB. These devices are DMA-capable: they can access system memory and perform read and write operations without the system processor's involvement. This makes systems with such ports susceptible to drive-by DMA attacks.

Pre-boot DMA Protection enables equivalent DMA protection at the system BIOS level.

When DMA Protection is enabled:
1. No device can perform DMA to the DMA-protected system between completion of BIOS POST and OS driver load.
2. During BIOS POST, the EFI device driver also ensures the device operates only within a DMA-remapped region.
3. Some operating systems additionally ensure the device driver is loaded only while the system is unlocked.

Drive-by DMA attacks are attacks that occur while the owner of the system isn't present. They usually take just a few minutes, use simple-to-moderate attack tooling (affordable, off-the-shelf hardware and software), and don't require disassembly of the device. In a supply-chain scenario, an attacker can temporarily install off-the-shelf hardware and exploit the system BIOS.

Source: Kernel DMA Protection – Windows Security

About the Author

Yogi

24 years of experience in various layers of software. Primarily experienced in system-side software design and development for server management software. Interested in Linux development on x86 and Arm architectures.