Applies to: Windows 10
In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by DMA (Direct Memory Access) attacks carried out with PCI hot-plug devices connected to externally accessible PCIe ports (such as Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft extended Kernel DMA Protection support to cover internal PCIe ports (e.g. M.2 slots).
Targeted DMA attacks can result in the disclosure of sensitive information on a PC or even injection of malware, allowing attackers to bypass the lock screen or control PCs remotely.
This feature does not protect against DMA attacks over 1394/FireWire, PCMCIA, CardBus, ExpressCard, etc.
PCI devices are DMA-capable, which allows them to read and write system memory at will without involving the system processor in these operations. Historically, PCI devices existed only inside the PC case, either plugged in as a card or soldered onto the motherboard. Accessing these devices required the user to turn off power to the system and disassemble the case.
This is no longer the case today with hot-plug PCIe ports (e.g. Thunderbolt™ and CFexpress).
Hot-plug PCIe ports, like Thunderbolt™ technology, have given modern PCs an expandability that was not previously available. They allow users to connect new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a USB-like connection experience. At the same time, external and easily accessible hot-plug PCI ports leave PCs vulnerable to drive-by DMA attacks.
Drive-by DMA attacks are attacks that take place while the system owner is not present and typically last less than 10 minutes, using simple-to-moderate attack tools (affordable, off-the-shelf hardware and software) that do not require disassembly of the PC. A simple example: a PC owner leaves the PC for a quick coffee break and, during the break, an attacker walks in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects malware that gives the attacker full remote control of the PC.
How Windows protects against drive-by DMA attacks
Windows leverages the system's input/output memory management unit (IOMMU) to prevent external peripherals from starting and performing DMA unless the drivers for those peripherals support memory isolation (such as DMA remapping). DMA remapping-compatible drivers are automatically enumerated, started and allowed to perform DMA on their assigned memory regions.
By default, peripherals with drivers that do not support DMA remapping are prevented from starting and performing DMA until an authorized user logs in or unlocks the screen. IT admins can change the default behavior applied to devices with drivers that do not support DMA remapping through the DmaGuard MDM Policies.
By default, peripherals with device drivers that support DMA remapping are automatically enumerated and started. Peripherals with drivers that do not support DMA remapping are prevented from starting if the peripheral is plugged in before an authorized user logs in or while the screen is locked. Once the system is unlocked, the operating system starts the peripheral driver and the peripheral continues to function normally until the system reboots or the peripheral is disconnected. The peripheral also continues to function normally when the user locks the screen or logs out of the system.
Kernel DMA Protection requires new UEFI firmware support. This support is expected only on newly launched Intel-based systems shipping with Windows 10 version 1803 (not on all systems). Virtualization Based Security (VBS) is not required.
To determine whether a system supports Kernel DMA Protection, check the System Information desktop application (MSINFO32). See also BitLocker countermeasures.
Kernel DMA Protection is not compatible with the other BitLocker DMA attack countermeasures. It is recommended to disable the BitLocker DMA attack countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides a higher level of security for the system than the BitLocker DMA attack countermeasures, while preserving the usability of external peripherals.
DMA remapping support for graphics devices was added in Windows 11 with the WDDM 3.0 driver model; Windows 10 does not support this feature.
How to check if Kernel DMA Protection is enabled
For systems running Windows 10 version 1803 that support Kernel DMA Protection, this security feature is automatically enabled by the operating system; no user or IT admin configuration is required.
Using the Windows Security app
Starting with Windows 10 version 1809, you can use the Windows Security app to check if Kernel DMA Protection is enabled. Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation details > Memory access protection.
Using system information
Start MSINFO32.exe from a command prompt or the Windows search bar.
Check the value of Kernel DMA Protection.
If the current state of Kernel DMA Protection is OFF and Hyper-V - Virtualization Enabled in Firmware is NO:
- Reboot into BIOS settings
- Enable Intel Virtualization Technology.
- Enable Intel Virtualization Technology for I/O (VT-d). Only Intel VT-d is supported on Windows 10 version 1803. Other platforms can use the DMA attack mitigations described in BitLocker countermeasures.
- Reboot the system into Windows.
If the Hyper-V Windows feature is enabled, all Hyper-V related features are hidden and the entry A hypervisor has been detected. Features required for Hyper-V will not be displayed appears at the bottom of the list. This means that Hyper-V - Virtualization Enabled in Firmware is set to YES.
Enabling Hyper-V virtualization in the firmware (IOMMU) is required to enable Kernel DMA Protection, even if the firmware has the ACPI Kernel DMA Protection Indicators flag described in Kernel DMA Protection (Memory Access Protection) for OEMs.
If the state of Kernel DMA Protection remains OFF, the system does not support this feature.
For systems that do not support Kernel DMA Protection, see BitLocker countermeasures or Thunderbolt™ 3 and security in the Microsoft Windows® 10 operating system for other means of DMA protection.
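The manual MSINFO32 check above can be scripted for fleet auditing. This added example (not from the original page) exports the System Information report with `msinfo32 /report`, reads the two rows the procedure inspects, and applies the page's decision rules; the report path is a constructed default.

```powershell
function Get-KernelDmaProtectionState {
    [CmdletBinding()]
    param(
        # Where the msinfo32 text report is written (constructed default path).
        [string]$ReportPath = (Join-Path $env:TEMP 'msinfo32-kerneldma.txt')
    )

    # msinfo32 /report writes the same System Summary the GUI shows;
    # -Wait blocks until the file is complete. No admin rights needed.
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$ReportPath`"" -Wait
    $text = Get-Content -LiteralPath $ReportPath -Raw

    # Rows are "Item<TAB>Value"; capture the value column of the two rows.
    $dma = if ($text -match '(?m)^\s*Kernel DMA Protection[ \t]+(\S.*?)\s*$') { $Matches[1] }
           else { 'Not listed' }
    $fw  = if ($text -match '(?m)^\s*Hyper-V - Virtualization Enabled in Firmware[ \t]+(\S.*?)\s*$') { $Matches[1] }
           # When Hyper-V is installed the rows are hidden and replaced by this
           # notice, which the page says is equivalent to YES.
           elseif ($text -match '(?i)hypervisor (has been|was) detected') { 'Yes' }
           else { 'Not listed' }

    # Decision rules from the procedure: ON = protected; OFF with firmware
    # virtualization NO = fix BIOS settings; OFF otherwise = unsupported.
    $verdict = switch -Regex ($dma) {
        '^On$'  { 'Protected: Kernel DMA Protection is on.' }
        '^Off$' {
            if ($fw -eq 'No') { 'Enable Intel VT and VT-d in BIOS, reboot, then re-check.' }
            else { 'Unsupported on this system: use the BitLocker DMA countermeasures instead.' }
        }
        default { 'Could not read the row; open MSINFO32 and check it manually.' }
    }

    [pscustomobject]@{
        KernelDmaProtection             = $dma
        VirtualizationEnabledInFirmware = $fw
        Verdict                         = $verdict
    }
}

Get-KernelDmaProtectionState | Format-List
```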
Frequently Asked Questions
Do existing systems on the market support kernel DMA protection for Thunderbolt™ 3?
Systems released with Windows 10 version 1709 or earlier do not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, because this feature requires BIOS/platform firmware changes and guarantees that cannot be backported to earlier devices. For these systems, see BitLocker countermeasures or Thunderbolt™ 3 and security in the Microsoft Windows® 10 operating system for other means of DMA protection.
Does kernel DMA protection prevent drive-by DMA attacks during boot?
No, Kernel DMA Protection only protects against drive-by DMA attacks after the operating system has loaded. It is the responsibility of the system's firmware/BIOS to protect itself from attacks via the Thunderbolt™ 3 ports during boot.
How can I check if a specific driver supports DMA remapping?
DMA remapping is supported by specific device drivers and is not universally supported by all devices and drivers on a platform. To verify whether a specific driver is enabled for DMA remapping, check the value of the DMA Remapping Policy property on the device's Details tab in Device Manager*. A value of 0 or 1 means the device driver does not support DMA remapping. A value of 2 means the device driver supports DMA remapping. If the property is not available, the policy has not been set by the device driver (that is, the device driver does not support DMA remapping). Check the specific device driver instance you are testing: some drivers may have different values depending on the location of the device (internal vs. external).
*For Windows 10 versions 1803 and 1809, the property panel in Device Manager shows a GUID instead of the property name, as highlighted in the image below.
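The Device Manager check above, scripted across every present PCI device so that per-instance differences (internal vs. external) are visible. This is an added example, not from the original page; it assumes the DMA Remapping Policy property is DEVPKEY_Device_DmaRemappingPolicy, whose GUID/PID form is `{83da6326-97a6-4088-9453-a1923f573b29} 18` (confirm against devpkey.h in the WDK).

```powershell
# Assumption (not on the page): the "DMA Remapping Policy" property key in
# "{GUID} PID" form, as accepted by Get-PnpDeviceProperty -KeyName.
function Get-DmaRemappingPolicyReport {
    [CmdletBinding()]
    param([string]$KeyName = '{83da6326-97a6-4088-9453-a1923f573b29} 18')

    # Only PCI/PCIe devices can issue DMA; USB and other buses are out of
    # scope, as the FAQ notes.
    Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'PCI\*' | ForEach-Object {
        $prop  = Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName $KeyName -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.Data } else { $null }

        # Page semantics: 2 = driver opted in to remapping; 0 or 1 = did not;
        # property absent = driver never set the policy (no remapping support).
        $status = if ($null -eq $value)  { 'Not set (not supported)' }
                  elseif ($value -eq 2)   { 'Supported' }
                  elseif ($value -in 0, 1) { 'Not supported' }
                  else                     { "Unknown ($value)" }

        [pscustomobject]@{
            Device       = $_.FriendlyName
            Class        = $_.Class
            InstanceId   = $_.InstanceId
            Policy       = $value
            DmaRemapping = $status
        }
    }
}

# Devices whose drivers do not support remapping are the ones Kernel DMA
# Protection holds back until a user signs in; sort them to the top.
Get-DmaRemappingPolicyReport | Sort-Object DmaRemapping, Device | Format-Table -AutoSize
```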
When do PCI or Thunderbolt™ 3 peripheral drivers not support DMA remapping?
If your peripherals have class drivers provided by Windows, use those drivers on your systems. If your peripherals do not have class drivers provided by Windows, contact the peripheral/driver vendor to update the driver to support DMA remapping.
My system's kernel DMA protection is disabled. Can DMA remapping be enabled for a specific device?
Yes. DMA remapping for a specific device can be enabled independently of Kernel DMA Protection. For example, if the driver supports DMA remapping and VT-d (Virtualization Technology for Directed I/O) is enabled, DMA remapping is enabled for that device driver even if Kernel DMA Protection is disabled.
Kernel DMA Protection is a policy that allows or blocks devices from performing DMA based on their status and remapping capabilities.
Do Microsoft drivers support DMA remapping?
On Windows 10 1803 and later, Microsoft Inbox drivers for USB XHCI controllers (3.x), AHCI/SATA storage controllers, and NVMe storage controllers support DMA remapping.
Do drivers for non-PCI devices need to support DMA remapping?
No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, so their drivers do not need to support DMA remapping.
How can an organization enable the external device enumeration policy?
The external device enumeration policy controls whether external peripherals that do not support DMA remapping are enumerated. Peripherals that support DMA remapping are always enumerated. Peripherals that do not can be blocked, allowed, or allowed only after user login (the default).
The policy can be activated with:
- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration Policy for External Devices Incompatible with Kernel DMA Protection
- Mobile Device Management (MDM): DmaGuard Policies
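An audit of the enumeration policy just described, as an added example that is not part of the original page. It assumes (not stated on the page) that the Group Policy setting is stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection` as the DWORD `DeviceEnumerationPolicy`, with 0 = block all, 1 = allow only after sign-in/unlock (the default when unset) and 2 = allow all; verify these against the DmaGuard ADMX/CSP documentation before relying on them.

```powershell
# Assumptions (not on the page): registry location and value meanings of the
# "Enumeration Policy for External Devices Incompatible with Kernel DMA
# Protection" setting; 0 = block all, 1 = only after sign-in/unlock, 2 = allow all.
function Get-DmaEnumerationPolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection',
        [string]$Name = 'DeviceEnumerationPolicy'
    )

    $meaning = @{
        0 = 'Block all external devices whose drivers lack DMA remapping'
        1 = 'Allow such devices only after a user signs in or unlocks (default)'
        2 = 'Allow all external devices, including those without DMA remapping'
    }

    # Absent value = not configured; the page says the default is "only after login".
    $item      = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value     = if ($item) { [int]$item.$Name } else { $null }
    $effective = if ($null -eq $value) { 1 } else { $value }

    [pscustomobject]@{
        Configured     = if ($null -eq $value) { 'Not configured (default applies)' } else { $value }
        Effective      = $effective
        Meaning        = if ($meaning.ContainsKey($effective)) { $meaning[$effective] } else { "Unknown value $effective" }
        # 2 removes the pre-sign-in block the page describes; flag it for review.
        WeakensDefault = ($effective -eq 2)
    }
}

Get-DmaEnumerationPolicy | Format-List
```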