Tuesday, January 14, 2025

Raspberry Pi Pico-Powered DaMAgeCard Attacks System Memory — Via the SD Card Reader



Positive Technologies’ “offensive security department,” PT SWARM, has developed a Raspberry Pi Pico-powered tool that lets you target the memory of a laptop or single-board computer through its SD card slot — providing, that is, it supports the new SD Express standard: the DaMAgeCard.

“The peripheral device industry has once again sacrificed security in the name of speed,” PT SWARM’s pseudonymous “gesser” claims. “Media sizes have risen dramatically, and with them the requirements for how fast we can process media. It just takes too long to copy hundreds of gigabytes of RAW images, even with Ultra High Speed 2 (UHS-II) SD cards. And so the SD Association heard the cries of DSLR geeks, and made a move. They released SD Express.”

Standardized in 2018, SD Express adapts the existing SD card and microSD card standard to include PCI Express connectivity, essentially delivering a backwards-compatible interface that can work with existing SD cards or what are effectively compact, portable Non-Volatile Memory Express (NVMe) cards. This delivers a dramatic improvement in performance, but comes with a potential security concern: access to system memory through the PCI bus, via direct memory access (DMA), on systems which have no input/output memory management unit (IOMMU) active.

“When we hear ‘PCI,’ we think ‘A-ha! Possible memory access,’” “gesser” explains. Experiments proved that it would be possible to develop an adapter compatible with PCILeech — an open-source tool for attacking a system’s memory over DMA. The only problem: the hacked-together adapters were a little fragile, and required an original SD Express card “questionably soldered on.” A desire for something less fiddly and more reliable led to the DaMAgeCard.

“We decided to emulate the required mode-switching interaction,” “gesser” explains of how the resulting device does away with the need for a real SD Express card. “It turns out we don’t even need a hardware SD controller — a regular bit-bang approach via [Raspberry] Pi Pico is enough, even without using [the] PIO [Programmable Input/Output] core. History has taken us full circle, and for now, DMA attacks again have a working entry point. We named this type of attack as DaMAgeCard.”

“15 years ago there were no openly available tools to conduct them; not hardware, nor software. Today, we have multiple open source projects that provide ready-to-use solutions for extracting and analyzing memory images, bypassing authentication in modern OSs, and attacking encryption,” “gesser” adds. “Bleeding-edge research papers and conference talks demonstrate year after year how to bypass the only security solution. All the while, hundreds of thousands of devices still in use do not even have this protection enabled.”

More information on the DaMAgeCard, and the devices with which the team was able to access memory over the SD Express slot, is available on the PT SWARM blog.
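The exposure described above depends on whether an IOMMU is actually restricting DMA for devices on the PCI bus. The following is an added example, not code from PT SWARM or the original article: a Linux-side audit that reads the `iommu_group` link and its `type` file under sysfs for each PCI device. The function names, status strings and the fixture directory are assumptions made for this illustration.

```python
"""Audit which PCI devices on a Linux host have their DMA restricted by an IOMMU."""
import os
import tempfile

def read_first_line(path):
    try:
        with open(path) as fh:
            return fh.readline().strip()
    except OSError:
        return None  # file absent or unreadable

def audit_pci_dma(sysfs_root="/sys"):
    """Map each PCI address to its IOMMU group type (e.g. "DMA", "identity"),
    "unknown" if the group has no readable type file, or "no-iommu" if the
    device is in no IOMMU group at all."""
    pci_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    results = {}
    for addr in sorted(os.listdir(pci_dir)):
        group = os.path.join(pci_dir, addr, "iommu_group")
        if not os.path.isdir(group):  # follows the sysfs symlink on a real host
            results[addr] = "no-iommu"
            continue
        results[addr] = read_first_line(os.path.join(group, "type")) or "unknown"
    return results

def exposed(results):
    """Devices whose DMA is not translated: no group, or an identity (passthrough) map."""
    return [a for a, s in results.items() if s in ("no-iommu", "identity")]

def build_sample_sysfs(root):
    """Constructed fixture (not real host data): three fake PCI devices."""
    layout = {"0000:00:02.0": "DMA", "0000:01:00.0": "identity", "0000:02:00.0": None}
    for addr, gtype in layout.items():
        dev = os.path.join(root, "bus", "pci", "devices", addr)
        os.makedirs(dev)
        if gtype is not None:
            os.makedirs(os.path.join(dev, "iommu_group"))
            with open(os.path.join(dev, "iommu_group", "type"), "w") as fh:
                fh.write(gtype + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_pci_dma(build_sample_sysfs(tmp))
    for addr, status in report.items():
        print(addr, status)
    print("DMA not restricted:", exposed(report))
```

On a real host, call `audit_pci_dma()` with the default `/sys`. A group of type `identity` is reported as exposed because the IOMMU is present but passes that device's DMA through untranslated.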
