Windows 7 open to attack via memory

Security researchers plan to demonstrate a technique that allows attackers to take over a Windows 7 system by directly modifying the system's physical memory.

The attack, which makes use of the Direct Memory Access (DMA) feature found in modern computer systems, could be highly difficult to guard against, since it bypasses the operating system and CPU entirely, the researchers said in a paper discussing their research. However, there are also evident limitations, since the attack requires physical access to the system.

Researchers Christophe Devine and Damien Aumaitre of the European Security Expertise Center (ESEC) — part of Capgemini's Sogeti subsidiary — will present their research in a presentation called Subverting Windows 7 x64 Kernel with DMA Attacks at the Hack in the Box security conference, which takes place from 29 June-2 July in Amsterdam.

Devine and Aumaitre's research used a PCMCIA card device containing a custom DMA engine running on a MIPS CPU to access Windows 7 kernel code stored in physical memory, alter it and gain control over the OS, they said in a paper on the research.

"The CPU and thus the operating system are entirely bypassed; they cannot prevent malicious DMA requests," they said.

The attack in effect gets around two major ways of ensuring program security, code signing and integrity verification, according to Devine and Aumaitre. Microsoft did not respond to ZDNet UK's request for comment on the new research.

Other researchers have in the past demonstrated how the technique can be used to gain access to Windows XP and older versions of Mac OS X, but the DMA engine had to be rewritten from scratch to deal with major changes introduced with Windows 7, they added.

While DMA attacks have previously been demonstrated using other ports — for instance, the CardBus port — the current Windows 7 attack can only be carried out via the PCMCIA port, the researchers said. Their current proof-of-concept focuses on the 64-bit version of Windows 7.

System administrators can protect against the attack by deactivating the PCMCIA driver, the researchers said. Another possible safeguard is the use of an input/output memory management unit (IOMMU), a technology included in some recent CPUs, they said. An IOMMU can, among other things, protect physical memory from interference from devices.

Other scheduled presentations at Hack in the Box include demonstrations of attacks on Mac OS X via the IOKit driver interface, attacks on the Internet Explorer 8 and Firefox 3.5 browsers, attacks on virtualisation systems and techniques for hijacking mobile data connections.

Penetration tester Niels Teusink has also promised to demonstrate a technique for hacking the wireless presenter devices used on-stage during keynotes by the likes of Steve Jobs. "You can build it for less than €40 using an Arduino (single-board microcontroller) and a cheap wireless module," Teusink said in a statement. "The result: remote code execution (and possibly public humiliation)."