Repelling an attack on the IOMMU

What do you know about attacks on graphics processors? Probably nothing pleasant: they are extremely common on mobile devices, classic "sandboxes" do not protect against them, and the compromise of a single driver can put the whole kernel at risk... My name is Denis Molodyakov, and I am the lead of the graphics team at KasperskyOS. The idea for this text came up during one of my talks at a systems development conference. Someone in the audience asked a question about the security of GPU drivers. The listener referred to cases of "breaking" the video memory management mechanism of the Android drivers for integrated accelerators of the ARM Mali family and asked how our OS would be able to withstand this. So in this article I will describe in detail the essence of this insidious attack and also look at other types of attacks through the GPU. In closing, I will model such scenarios for our microkernel KasperskyOS and show how we mitigate them.

https://habr.com/ru/companies/kaspersky/articles/992032/

#IOMMU #DMA #GPU #kasperskyos #cybersecurity #attacks #cyberattacks #processors


#QubesOS reached "EOL" for R4.2. Get the R4.3.0 RPM gpg key
into Dom0 without qubes-dist-update (which was never finished).
Otherwise, you can get the #Whonix Gateway and Workstation upgrade
with a fresh install.

Also of note, the #Kicksecure download page offers a range of #CPU Architectures.
How about a #RISC-V #IOMMU with Kicksecure and a #Rust environment? Might be pretty sweet.

@Linux_Is_Best

Riot Games uncovers critical motherboard vulnerability

The flaw allows attackers with special hardware to implant malicious code undetected, even when the intended security mechanisms are enabled.

https://www.all-about-security.de/riot-games-deckt-kritische-motherboard-schwachstelle-auf/

#motherboard #maliciouscode #IOMMU #DMA #preboot


Riot Games identifies a vulnerability in the pre-boot DMA protection of modern motherboards. Vanguard asks users of affected systems to apply firmware updates.

any idea how to turn on #IOMMU protection on a #framework 12? Got this one error in the gnome security report :)

THIS is why "#ClientSideAnticheat" is ineffective #malware at best, because it's impossible to stop malicious #PCIe #CheatingDevices that shove data to any arbitrary address, bypassing #IOMMU and just #DMA'ing into #RAM...

Shit like #PCIleech ¹ allows for real-time ² manipulation of RAM ³ with no effective means for the OS or any software to prevent, reliably detect or stop it.

  • Thus DMA-based cheating is rampant ⁴ and not stoppable on the device itself ⁵, with dedicated cheating hardware ⁶ kits ⁷ being rampant.

And now you know why at any #tournament with any serious prize money they'll not only split the screen signal of every player for referees to watch but also go out of their way to set up fresh gaming rigs and even buy the input devices for said players, who have to submit anything like "buy scripts" and "key bindings" beforehand so those get set up manually to prevent any shenanigans.

¹ https://github.com/ufrisk/pcileech
² https://raw.githubusercontent.com/ufrisk/presentations/master/CS3STHLM-2019-Ulf-Frisk-Memory-Forensics-and-DMA-Attacks-with-MemProcFS-and-PCILeech.pdf
³ https://dma.lystic.dev/anticheat-evasion/pci-configuration-space
⁴ https://dma.lystic.dev/anticheat-evasion/pci-configuration-space
⁵ https://hackaday.com/2023/03/30/pcie-for-hackers-extracting-the-most/
⁶ https://de.aliexpress.com/item/1005006302160633.html
⁷ https://de.aliexpress.com/item/1005007142280132.html

Guarding Against Physical Attacks: The Xbox One Story — Tony Chen, Microsoft


This is as done as lsiommu can ever be, or at least as far as I’m concerned, so it’s release time:

https://github.com/puavo-org/lsiommu/releases/tag/1.0.0

I.e. I spent last night making it do less from the almost nothing it was doing already ;-) That’s the point of these tools…

That enumerated to:

  • Reverted back to heap sort.
  • Carved 64 kB of data section for JSON builder.
  • Hammered STRING_BUFFER() to migrate most of the strings to the stack (except the JSON builder).
  • Bunch of fixes…

This sums up to zero mallocs from the main application (while libudev probably does a bunch of them when not compiled with make DISCOVER=sysfs).

The motivation to do it was this shitty Python script:

#!/usr/bin/env python3
#
# Copyright (c) 2022-2023 Jarkko Sakkinen <[email protected]>

import os
import sys

IOMMU_SYSFS = '/sys/kernel/iommu_groups'
IOMMU_GROUP_MAX = 128  # an arbitrary choice


def get_iommu_devices():
    # Fixed-size table indexed by group number; a group id past the
    # limit aborts the script instead of growing the table.
    groups = [None for group in range(IOMMU_GROUP_MAX)]
    with os.scandir(IOMMU_SYSFS) as group_it:
        for group in group_it:
            devices = []
            # Each group directory lists its members as symlinks under devices/
            group_sysfs = IOMMU_SYSFS + '/' + group.name + '/devices'
            with os.scandir(group_sysfs) as device_it:
                for device in device_it:
                    devices.append(device.name)
            index = int(group.name)
            if index >= IOMMU_GROUP_MAX:
                print('Overflow')
                sys.exit(1)
            groups[index] = devices
    return groups


if __name__ == "__main__":
    groups = get_iommu_devices()
    for i in range(len(groups)):
        group = groups[i]
        if group is None:
            break
        print('IOMMU Group %d' % (i))
        group.sort()
        for device in group:
            # FIXME: Replace with pure Python code:
            os.system('lspci -nns ' + device)

#linux #kernel #iommu #kvm

Release 1.0.0 · puavo-org/lsiommu

Initial release

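The following is an added example and is not code from lsiommu or from any of the posts above. It serves two passages at once: the Framework 12 question earlier on this page (how to tell whether IOMMU protection is actually on) and the sysfs-walking script in the lsiommu post (replacing the lspci shell-out with pure Python). It assumes the standard Linux layout, which is not stated on the page: /sys/kernel/iommu_groups/<N>/devices/<bdf> symlinks, /sys/bus/pci/devices/<bdf>/{vendor,device,class,revision}, the Thunderbolt attribute /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection, and the intel_iommu=, amd_iommu= and iommu= kernel parameters read from /proc/cmdline. The sample sysfs tree is constructed inline so the example runs offline.

```python
#!/usr/bin/env python3
# Added example, not code from lsiommu or from any post above. Answers
# "is the IOMMU actually on, and which devices share a group?" from sysfs
# and the kernel command line, without shelling out to lspci. The paths
# below are the standard Linux layout and are assumed, not taken from
# the page; make_sample_sysfs() builds a constructed tree for offline runs.
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class PciDevice:
    address: str     # "0000:00:02.0"
    vendor: str      # "8086", bare hex as lspci -n prints it
    device: str      # "9a49"
    pci_class: str   # "030000"
    revision: str    # "01"

def _read(path, default=""):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def pci_device(address, sysfs="/sys"):
    base = os.path.join(sysfs, "bus", "pci", "devices", address)
    # sysfs writes "0x8086"; drop the prefix so values match lspci output
    attr = lambda name: _read(os.path.join(base, name)).removeprefix("0x")
    return PciDevice(address, attr("vendor"), attr("device"),
                     attr("class"), attr("revision"))

def iommu_groups(sysfs="/sys"):
    """{group_id: [PciDevice, ...]}, ids sorted, devices sorted by address.
    No groups at all means no device sits in an IOMMU domain, so any
    DMA-capable device can reach all of physical memory."""
    root = os.path.join(sysfs, "kernel", "iommu_groups")
    groups = {}
    if os.path.isdir(root):
        for name in os.listdir(root):
            if not name.isdigit():       # group directories are plain integers
                continue
            dev_dir = os.path.join(root, name, "devices")
            addrs = sorted(os.listdir(dev_dir)) if os.path.isdir(dev_dir) else []
            groups[int(name)] = [pci_device(a, sysfs) for a in addrs]
    # ids need not be contiguous, so never index a fixed-size list by group id
    return dict(sorted(groups.items()))

def parse_cmdline(cmdline):
    """Pick the IOMMU-relevant switches out of a kernel command line."""
    opts = {}
    for tok in cmdline.split():
        key, _, val = tok.partition("=")
        if key in ("iommu", "intel_iommu", "amd_iommu"):
            opts[key] = set(val.split(","))      # e.g. intel_iommu=on,sm_on
    return {
        "forced_off": any("off" in v for v in opts.values()),
        "requested_on": any(v & {"on", "force"}
                            for k, v in opts.items() if k != "iommu"),
        # iommu=pt identity-maps devices owned by kernel drivers: they are
        # behind the IOMMU but may still DMA anywhere, so isolation is weaker
        "passthrough": "pt" in opts.get("iommu", set()),
    }

def assess(sysfs="/sys", cmdline=None):
    groups = iommu_groups(sysfs)
    flags = parse_cmdline(_read("/proc/cmdline") if cmdline is None else cmdline)
    tb = _read(os.path.join(sysfs, "bus", "thunderbolt", "devices",
                            "domain0", "iommu_dma_protection"), default=None)
    return {
        "active": bool(groups) and not flags["forced_off"],
        "group_count": len(groups),
        # devices in one group cannot be isolated from each other
        "shared_groups": [g for g, d in groups.items() if len(d) > 1],
        "thunderbolt_dma_protection": tb,   # "1" when firmware enabled it
        **flags,
    }

def make_sample_sysfs():
    """Constructed sample tree (not captured from a real machine) so the
    example can run offline; same shape as the real sysfs paths above."""
    root = tempfile.mkdtemp()
    sample = {0: [("0000:00:02.0", "0x8086", "0x9a49", "0x030000", "0x01")],
              2: [("0000:00:0d.0", "0x8086", "0x9a13", "0x0c0330", "0x01"),
                  ("0000:00:0d.2", "0x8086", "0x9a1b", "0x0c0340", "0x01")]}
    for gid, devs in sample.items():
        gdir = os.path.join(root, "kernel", "iommu_groups", str(gid), "devices")
        os.makedirs(gdir)
        for bdf, *attrs in devs:
            ddir = os.path.join(root, "bus", "pci", "devices", bdf)
            os.makedirs(ddir)
            os.symlink(ddir, os.path.join(gdir, bdf))
            for name, val in zip(("vendor", "device", "class", "revision"), attrs):
                with open(os.path.join(ddir, name), "w") as f:
                    f.write(val + "\n")
    return root

if __name__ == "__main__":
    print(assess())   # real /sys and /proc/cmdline of the running machine
```

Run as a script on a real machine it prints the assessment for the live system; a report with "active": False is the situation a desktop security check flags, and the fix is in firmware (VT-d / AMD-Vi enabled) plus, on older kernels, intel_iommu=on or amd_iommu=on on the command line. The passthrough flag is the caveat worth reading: iommu=pt leaves kernel-driven devices identity-mapped, so a hostile device that a kernel driver binds to is not contained even though groups exist.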

lsiommu now also provides JSON output:

❯ build/lsiommu | head -10
Group 000 Address 0000:00:07.1 Class 060400 ID 8086:9a25 Revision 01
Group 001 Address 0000:00:07.0 Class 060400 ID 8086:9a23 Revision 01
Group 002 Address 0000:00:02.0 Class 030000 ID 8086:9a49 Revision 01
Group 003 Address 0000:00:00.0 Class 060000 ID 8086:9a14 Revision 01
Group 004 Address 0000:00:04.0 Class 118000 ID 8086:9a03 Revision 01
Group 005 Address 0000:00:0a.0 Class 118000 ID 8086:9a0d Revision 01
Group 006 Address 0000:00:0d.0 Class 0c0330 ID 8086:9a13 Revision 01
Group 006 Address 0000:00:0d.2 Class 0c0340 ID 8086:9a1b Revision 01
Group 007 Address 0000:00:0e.0 Class 010400 ID 8086:9a0b Revision 00
Group 008 Address 0000:00:14.0 Class 0c0330 ID 8086:a0ed Revision 20

~/work/github.com/puavo-org/lsiommu master
❯ build/lsiommu --style json | head -10
{
  "iommu_groups": [{
    "id": 0,
    "devices": [{
      "address": "0000:00:07.1",
      "class": "060400",
      "vendor": "8086",
      "device": "9a25",
      "revision": "01"
    }]

Better not to tag 1.0.0 yet, to leave room for command-line interface and output formatting tweaks, although it is now “feature complete”.

#linux #iommu

Fixing up the sort algorithm mess, adding a compile-time option for the sysfs scan (e.g., for supporting some Buildroot configurations) and perhaps --json, and lsiommu should be good enough for 1.0.

It's quite light now with deps in all situations:

deps = [
dependency('argtable2'),
dependency('libudev'),
]

#linux #iommu #buildroot
GitHub - puavo-org/lsiommu


Awesome, almost ready to ship :-)

This came out pretty nice and clean:

❯ git ls-files
.tokeignore
CHANGELOG.md
LICENSE
Makefile
README.md
down.c
down.h
iommu.c
iommu.h
log.c
log.h
lsiommu.1
main.c
main.h
meson.build
meson.options
strbuf.c
strbuf.h
util.h

#linux #iommu