In our talk, we will present a novel physical DMA attack that is undetectable, doesn’t require a particular port, and takes advantage of an inherent vulnerability of standard DIMM slot hardware design. Using our custom PCB probe with an FPGA, we were able to connect to the exposed DDR4 pins of an off-the-shelf desktop system in a non-invasive manner and while the system was on (S3 sleep state). Masking ourselves as the system’s benign memory controller, we are able to read or modify memory at any physical address, and the victim system accepts our modifications when exiting from sleep.
By Anna Trikalinou & Dan Lake
Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#taking-dma-attacks-to-the-next-level-how-to-do-arbitrary-memory-reads-writes-in-a-live-and-unmodified-system-using-a-rogue-memory-controller