Detection of Intrusions and Malware, and Vulnerability Assessment

Abstract

Attackers constantly explore ways to camouflage illicit activ- ities against computer platforms. Stealthy attacks are required in indus- trial espionage and also by criminals stealing banking credentials. Mod- ern computers contain dedicated hardware such as network and graph- ics cards. Such devices implement independent execution environments but have direct memory access (DMA) to the host runtime memory. In this work we introduce DMA malware, i. e., malware executed on dedi- cated hardware to launch stealthy attacks against the host using DMA. DMA malware goes beyond the capability to control DMA hardware. We implemented DAGGER, a keylogger that attacks Linux and Windows platforms. Our evaluation confirms that DMA malware can effi- ciently attack kernel structures even if memory address randomization is in place. DMA malware is stealthy to a point where the host cannot detect its presense. We evaluate and discuss possible countermeasures and the (in)effectiveness of hardware extensions such as input/output memory management units.