1394, DMA, and BitLocker

The IEEE 1394 spec (also called FireWire by Apple and briefly, i.Link by our friends at Sony) specifies a high-speed interface for connecting peripherals. One of the reasons 1394 offers high speeds is that it supports the use of direct memory access, or DMA. Normally, when a peripheral device is performing I/O operations, the system CPU has to be involved. For example, to read a block of data from a disk drive, the CPU sends commands to the disk controller, then stores the resulting data into a block of system memory. (This is a somewhat simplistic description, I know, but it’s good enough for now.) That means that I/O operations could end up being CPU-bound, or they could negatively affect CPU performance.

To fix this some bright stars came up with the idea of DMA, which allows the peripheral controller to read from and write to system memory without the CPU’s involvement (and, often, without its knowledge or supervision.) Sounds neat, right? It is, but it also introduces a security threat: a malicious device can read valuable data out of memory… like, say, an encryption key.

The basic attack is simple: the attacker walks up to a BitLocker-protected computer, plugs in a custom 1394 device, and steals the key. (The details of how the attacker finds the key are interesting, but unimportant here.) Key in hand, the attacker can then decrypt the protected volume.

Not all BitLocker-protected machines are vulnerable to this particular attack. If you have a TPM, but are not using an additional authentication factor like a PIN or a USB token, this attack may succeed. However, even if you do use an extra authentication factor, if you leave your machine powered up or on standby, an attacker who gets physical access may be able to steal your BitLocker key.

This isn’t a huge threat for systems that are kept in physically secure locations, but it is worrisome for mobile users. That’s why the Data Encryption Toolkit that I helped write counsels you to be very careful about leaving portable computers powered on and unattended, and it spends some time going over the different security issues with standby, sleep, and hibernate modes. You should read it. Trust me, I’ve been to the doctor

This is all a somewhat long-winded way of explaining that Microsoft has released a KB article describing how to turn off DMA for 1394 ports to reduce the threat of a DMA attack against BitLocker on TPM-only machines. The article, 2516445, describes how you can turn off the driver that provides DMA for 1394 devices. Given that very, very few Windows machines are ever connected to 1394 devices, this is probably something that you should implement if you have sensitive data on your BitLocker-protected machines.

If you’re not running BitLocker, well, why not?