ProTIP: You Should Know What To Expect From Your Peripherals
Rogue peripherals are not reserved to elite attackers with physical access to the machine anymore: practical tools are regularly published and virtualization has led to widespread use of remote services provided by third-parties.
In this paper, we advocate for a new more systematic approach in analyzing PCIe device security. Related works comprise attacks, from proof of concepts to more systematic tools, and the IronHide fuzzing device. But to our knowledge, no formalization or methodical analysis has yet been published. To fill this gap in, we introduce ProTIP, a Prolog Tester of Information Flow in PCIe networks. This open-source tool implements a model comprising all PCIe components, the CPU, I/OMMU and system RAM. It uses the constraint solving ability of the Prolog engine to enumerate all possible transactions between components.
ProTIP naturally rediscovers all problems listed previously in the litterature, including the need for Access Control Services in switches and their limits. It also highlights two subtleties: firstly, a race condition enabling an attacker to arbitrarily answer read requests and secondly, that I/OMMUs base their access right check on an ID that can change. While the tool currently models specification conformant behaviors and rogue endpoints, it is meant to be extended, e.g. with potential specific defects of given hardware, to evaluate the severity of their security impact. Thus, we believe ProTIP can quite efficiently be combined with other tools such as IronHide.