But this isolation still depends on Xen not having bugs... And we know that Xen has bugs, and will likely continue to have more going forward.
So, instead of VT-D, why not just switch off DMA altogether..?
In Debian, you can edit "/etc/hdparms.conf", and do stuff like this:
/dev/hdc {
dma = on
}
Why not just do this for WiFi and Ethernet chips in Qubes, and thus, not have to rely on Xen for isolation?
We know this option exists for hard drives for a fact.
So I see no reason you couldn't get Ethernet + WiFi chips without DMA.
Not all devices support switching off DMA, so I can see why Qubes decided to use VT-D + Xen instead.
But certainly, I think there are devices out there without DMA. I think you just need to search the market for an Ethernet/WiFi that supports non-DMA.
With a Xen bug, couldn't a hacked WiFi device just break out of sys-net..?
Or not..?
That seems to say that DMA is in fact used in the NE2000.
By the way, will these cards support modern Ethernet cables, like cat5e...?
Do they support Ethernet crossover?
Thanks
Are DMA attacks on Ethernet even plausible....?
WiFi seems much more vulnerable than Ethernet, due to more complexity.
So you are now saying that you can't do a DMA attack over the web..?
If I had one computer connected to another via Ethernet crossover, could one computer infect the other via DMA by sending the DMA attack over the crossover cable..?
Or can a computer only launch a DMA attack on itself?
Also, would USB Ethernet make this attack any easier..? Something like a USB Ethernet dongle?
This is written by the French intelligence agency, "ANSSI - French Network and Information Security Agency"
http://www.ssi.gouv.fr/uploads/IMG/pdf/paper.pdf
"In [8], we demonstrated how it is possible for an attacker to take full control of a computer by exploiting a vulnerability in the network adapter. This proof of concept shows how it is possible for an attacker to take full control of the adapter and to add a backdoor in the OS kernel using DMA accesses. The vulnerability was unconditionally exploitable when the ASF function was enabled on the network card to any attacker that would be able to send UDP packets to the victim."
Some of them would indicate that DMA can be switched off entirely, and PIO used instead.
For example:
b43.ko
modinfo -F parm /lib/modules/4.4.14-11.pvops.qubes.x86_64/kernel/drivers/net/wireless/b43/b43.ko
pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)
---
So, PIO here would suggest that it's possible to use non-DMA.
---
I guess my real question is... would switching off DMA make you safer anyway..?
For example, PIO is just going to transfer it to the CPU.
At this point, couldn't the CPU just infect your device rather than DMA..?
So I'm not even entirely convinced that using PIO would make you safer anyway.
What do people think..?
DMA attack allows one already-compromised VM to read the RAM of another VM, thus breaching Qubes isolation... unless you use VT-D, although flaws in VT-D have been shown.
Remote DMA attack allows packets sent to the network card directly over the web, not even having to compromise your VM first... as demonstrated in the paper by the French intel agency.
That is what I understand so far. Hence, why I am asking if using PIO rather than DMA would prevent such attacks.
A device which can do PIO and PIO only.
Would this then be more secure..? Or would the attack just be carried out by the CPU rather than RAM..?
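As an added example (my own code, not from this thread or from the Qubes project): the two things a defender can actually check on a given box are whether a NIC's driver exposes a PIO/DMA switch like the b43 "pio" parameter quoted above, and whether the device sits in an IOMMU group at all, which is what decides whether VT-d is protecting the rest of the system from that device's DMA. The script parses `modinfo -F parm` style output and reads the device's `iommu_group` symlink in sysfs. The sysfs tree it builds, the "fake_nic" driver and every parameter line other than the quoted b43 pio line are constructed sample data; the function names are mine.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample data. The b43 "pio" line is the one quoted in the thread;
# "nohwcrypt" and the whole "fake_nic" driver are made up to show a driver
# with no PIO/DMA switch at all.
SAMPLE_MODINFO = {
    "b43": "pio:Use PIO accesses by default: 0=DMA, 1=PIO (int)\n"
           "nohwcrypt:Disable hardware encryption. (int)\n",
    "fake_nic": "debug:Debug level (0=none,...,16=all) (int)\n",
}


def parse_modinfo_parms(text):
    """Turn `modinfo -F parm <module>` output into {parameter: description}."""
    parms = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # modinfo prints "name:description"; the description may itself contain ':'
        name, _, desc = line.partition(":")
        parms[name.strip()] = desc.strip()
    return parms


def pio_parameter(parms):
    """Name of a parameter that selects PIO over DMA, or None if the driver has none."""
    for name, desc in parms.items():
        if name.lower() == "pio" or re.search(r"\bPIO\b", desc):
            return name
    return None


def iommu_group_of(sysfs_root, pci_addr):
    """IOMMU group number of a PCI device, or None if the kernel put it in no group
    (i.e. the IOMMU is off or does not cover this device)."""
    link = Path(sysfs_root) / "bus" / "pci" / "devices" / pci_addr / "iommu_group"
    if not link.exists():          # exists() follows the symlink
        return None
    # On a real system this is a symlink to /sys/kernel/iommu_groups/<n>
    return link.resolve().name


def build_sample_sysfs():
    """Constructed sysfs tree: NIC 02:00.0 is in IOMMU group 7, NIC 03:00.0 in no group."""
    root = Path(tempfile.mkdtemp())
    for addr in ("0000:02:00.0", "0000:03:00.0"):
        (root / "bus" / "pci" / "devices" / addr).mkdir(parents=True)
    group = root / "kernel" / "iommu_groups" / "7"
    (group / "devices").mkdir(parents=True)
    (root / "bus" / "pci" / "devices" / "0000:02:00.0" / "iommu_group").symlink_to(group)
    return root


def report(sysfs_root, pci_addr, driver, modinfo_text):
    """Summarise both checks for one device."""
    parms = parse_modinfo_parms(modinfo_text)
    return {
        "device": pci_addr,
        "driver": driver,
        "iommu_group": iommu_group_of(sysfs_root, pci_addr),
        "pio_switch": pio_parameter(parms),
    }


if __name__ == "__main__":
    root = build_sample_sysfs()
    for addr, drv in (("0000:02:00.0", "b43"), ("0000:03:00.0", "fake_nic")):
        print(report(root, addr, drv, SAMPLE_MODINFO[drv]))
```

On a live machine, pass `/sys` as `sysfs_root` and the output of `modinfo -F parm <driver>` as `modinfo_text`; a device whose `iommu_group` link is missing is exactly the case the thread worries about, because nothing then stops that device's DMA from reaching other domains' memory. Note that the `pio` parameter only changes which side copies the packet bytes (the CPU instead of the card); the driver in sys-net still parses whatever the card delivers, so the IOMMU check is the one that bears on isolation.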