Protection against I/O attacks
Nowadays, most malware consists in code executed by the victim’s CPU, either with user privilege (e.g., code hidden in maliciously crafted web pages) or with supervisor privilege (e.g., rootkits). Efficient countermeasures can be developed against such malware, since they can be detected either by observing the CPU behavior or the induced modifications in main memory. More recently, a new class of attacks has appeared, which defeat such countermeasures because they do not depend on code run by the CPU. This class of attacks includes the so-called Input/Output attacks, in which attackers divert legitimate hardware features, such as I/O mechanisms, to achieve different malicious actions. We have analyzed these attacks to propose countermeasures based mainly on reliable and uncircumventable hardware components.
Our research focused on two cases: hardware components that are deliberately designed to act maliciously, in the same way as a program incorporating a Trojan; and vulnerable hardware components that have been modified by a hacker, either locally or through the network, to include malicious functions (typically a backdoor in the firmware). To identify I/O attacks, we defined an attack model that describes a computer system behavior at different abstraction levels. We studied these attacks with two complementary approaches: classical vulnerability analysis consisting in identifying a vulnerability, developing proof-of-concept and proposing counter-measures; and fuzzing-based vulnerability analysis, using IronHide, a fault injection tool we have developed, which is able to simulate a powerful malicious hardware.
IronHide architecture and prototype