Virtualization Based Security vs. Thunderbolt DMA attacks

Direct Memory Access (DMA) attack

DMA

Allows I/O devices to transfer data directly to or from memory without having the data handled by the CPU


DMA controller (DMAC)

  • Defines the operating mode and the interaction with the CPU over the system bus
  • The DMAC does not control access to memory areas
  • First party DMA
    • Peripherals can have their own DMAC, so the device itself takes control of the system bus (bus mastering)
  • Third party DMA
    • A central system DMAC (part of the chipset) performs the transfers

DMA capable devices can access all host memory

DMA attack

Since nothing sits between the DMAC and the memory, a DMA-capable malicious device can write malware into memory, manipulate configuration, or crawl through memory to find cryptographic secrets without being detected.
DMA attacks are easy to execute and require little technical skill.
Tools can be downloaded from the web and devices pre-loaded with malware can be bought at scale, so anyone can use DMA attack tools to read confidential data from a running PC’s memory.
A system open to DMA devices cannot be defended.
Hibernation file attacks exploit the same kind of memory exposure.
Since Thunderbolt is a DMA technology, it opens a DMA attack vector by design.

DMA Protection

Prior to Windows 10, disabling DMA-capable interfaces (IEEE 1394, Thunderbolt) was the only protection (see Microsoft KB2516445), but OEMs are bringing more and more models to market that are useless pieces of hardware with Thunderbolt disabled.
Windows 10 Enterprise now brings a new line of defense: support for the CPU feature Input/Output Memory Management Unit (I/OMMU), e.g. Intel VT-d.
Based on DMA Remapping (DMAR) provided by the I/OMMU, isolated subsets of physical memory (Memory Domains) are created. The Memory Domains are assigned to virtual machines and to device drivers.
A device not assigned to a Memory Domain has no access to the physical memory of that domain.
These access restrictions are realized using address translation tables: the I/OMMU translates every device access and blocks a memory request if the device is not assigned to the Memory Domain.
In effect, the I/OMMU enforces third party DMA: no device can reach memory directly, every access passes through the central translation.

Requirements

The CPU needs to support I/OMMU. Not all CPUs support this feature, but most modern 64-bit CPUs do. Check the CPU specification (e.g. Intel ARK) before buying new devices.
The I/OMMU needs to be enabled in the firmware of the device, and the Operating System needs to activate the usage of the I/OMMU.
Windows 10 Enterprise is the only Windows 10 edition that supports I/OMMU. Virtualization Based Security (VBS) needs to be activated with the platform security level “Secure Boot and DMA protection”.

(Screenshot vbs_gpo: the “Turn On Virtualization Based Security” group policy with platform security level “Secure Boot and DMA Protection”)

If the OS does not activate the usage of the I/OMMU, the system is not protected and no Memory Domains are created.
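The three requirements above can be verified on a running host. The following check is an added example, not part of the original post: it reads the documented Win32_DeviceGuard WMI class (property code 1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection; VBS status 2 = enabled and running) and the DeviceGuard policy registry value, and reports whether the platform can do DMA protection and whether VBS actually requires it. Decode-Properties is a helper written for this example.

```powershell
# Added example: check whether VBS runs with "Secure Boot and DMA protection".
# Run from an elevated PowerShell session on Windows 10.

# Documented codes used in the Win32_DeviceGuard *SecurityProperties arrays.
$PropertyNames = @{ 1 = 'BaseVirtualizationSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection' }

function Decode-Properties([uint32[]]$Codes) {
    # Helper written for this example: turn the numeric codes into readable names.
    if (-not $Codes) { return 'none' }
    foreach ($c in $Codes) {
        if ($PropertyNames.ContainsKey([int]$c)) { $PropertyNames[[int]$c] } else { "Other($c)" }
    }
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'not enabled' } 1 { 'enabled, not running' } 2 { 'enabled and running' } default { 'unknown' }
}

# The policy "Select Platform Security Level" writes RequirePlatformSecurityFeatures:
# 1 = Secure Boot, 3 = Secure Boot and DMA Protection.
$policy = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue

[pscustomobject]@{
    VbsState            = $vbsState
    PlatformCanDoDma    = ($dg.AvailableSecurityProperties -contains 3)  # I/OMMU present and enabled in firmware
    AvailableProperties = (Decode-Properties $dg.AvailableSecurityProperties) -join ', '
    RequiredProperties  = (Decode-Properties $dg.RequiredSecurityProperties) -join ', '
    PolicyPlatformLevel = $policy.RequirePlatformSecurityFeatures
} | Format-List

if ($dg.VirtualizationBasedSecurityStatus -eq 2 -and $dg.RequiredSecurityProperties -contains 3) {
    Write-Host 'OK: VBS is running with Secure Boot and DMA protection; DMAR Memory Domains are enforced.'
} elseif ($dg.AvailableSecurityProperties -notcontains 3) {
    Write-Warning 'No DMA protection available: enable VT-d / I/OMMU in firmware, or the CPU does not support it.'
} else {
    Write-Warning 'DMA protection is available but not required or not running: set VBS to "Secure Boot and DMA Protection".'
}
```

The same information is shown by msinfo32 under “Virtualization-based security Required Security Properties”; the script only makes it scriptable for fleet checks.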

Conclusion

Running Windows 10 Enterprise on devices that support I/OMMU, with VBS activated at the platform security level “Secure Boot and DMA protection”, is an effective way to defend systems against DMA attacks, so even Thunderbolt can be allowed.
