PCIe Device Attacks: Beyond DMA. Exploiting PCIe Switches, Messages and Errors

Conference:  BlackHat USA 2021



PCIe is a high speed peripheral IO bus standard that is used inside systems today for connecting virtually all high-bandwidth peripherals like graphics cards, FPGAs, Thunderbolt, etc. - and is found on everything from servers to mobile and consumer electronics devices.Most prior research on PCIe has focused on custom designed malicious endpoint device mounting DMA attacks against the host system. We will present a new class of threats and attacks by targeting the capabilities and features of PCIe switches instead of endpoint devices, and will discuss attacks possible using different types of Translation Layer Packets (TLPs) from the memory and IO read/write commonly used in previously known attacks.First, we will provide a high-level threat model overview of SRIOV (Single Root IO Virtualization) Extended PCIe capability enabled devices. Next, we will share details of how we are able to exploit switch features & debug capabilities to corrupt switch EEPROMs to cause platform persistent DoS, inject crafted TLPs to target other server platform components like baseboard management controller (BMC) to escalate privilege, Inject PCIe fatal errors to cause platform DoS, and of course discuss mitigations for presented attacks. Finally, we shall demonstrate exploits targeting shipping products.We hope that you will walk away with a better understanding of the breadth of the PCIe attack surface as well as an understanding of the importance of the potential mitigations.