What a surprise
PCIe the easy one. Who would have imagined DMA could ever be a problem.
The internal inter-chip communications of devices like smartphones are a “huge, mostly unaudited attack surface,” according to Gal Beniamini of Google’s Project Zero, in his promised follow-up to last week’s demonstration of how to attack Wi‑Fi chips over the air. His April 4 “part one” prompted emergency patches from Apple …
Last year I developed a PCIe add-on card with a nice FPGA and assorted peripherals, and one of the proofs of concept that I did to show my boss how well it worked was using memory writes from the FPGA to the video card, as would be used by enabling a DMA from the host CPU.
Neither Linux nor Windows was aware that I was reading and writing all around the video memory, IO space and the system's DDR RAM.
PCIe is really a true multi-host bus without any kind of security. If the root device enumerates you, you're free to roam and wreak havoc as you wish.
Ouch!
Fixing this probably requires that all DMA controllers include security restricting which memory areas each device can read/write to, possibly via temporary, time and/or access limited, unique tokens linked to a specific address range. Of course this discovery reveals an exploit sewer for DMA controllers which can't do this!
directly.
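As an added illustration of the per-device, time- and access-limited DMA windows the comment above proposes (example code, not from the thread or any real driver; the class and device ids are invented, and real IOMMUs such as VT-d or AMD-Vi enforce this with translation tables rather than tokens):

```python
# Toy model of a "DMA gate": the host issues a token that binds one device
# to one address range for a limited time and a limited number of accesses,
# and every inbound DMA request is checked against the tokens before it is
# allowed to touch memory. Everything rejected is kept for auditing.
import time
from dataclasses import dataclass


@dataclass
class DmaToken:
    device: str          # bus id of the device the token was issued to (constructed)
    base: int            # first byte the device may touch
    size: int            # length of the permitted window in bytes
    expires_at: float    # clock value after which the token is dead
    remaining: int       # how many accesses are still allowed
    writable: bool       # False means a read-only window


class DmaGate:
    """Checks every inbound DMA request against the tokens the host issued."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock       # injectable so the policy can be tested offline
        self.tokens = []
        self.denied = []         # audit log: (device, addr, length, write)

    def grant(self, device, base, size, ttl, max_accesses, writable=False):
        tok = DmaToken(device, base, size, self.clock() + ttl, max_accesses, writable)
        self.tokens.append(tok)
        return tok

    def check(self, device, addr, length, write):
        """Return True if the request is covered by a live token, else log and deny."""
        now = self.clock()
        for tok in self.tokens:
            if tok.device != device or tok.remaining <= 0 or now > tok.expires_at:
                continue
            # the whole transfer, not just its first byte, must sit inside the window
            inside = tok.base <= addr and addr + length <= tok.base + tok.size
            if inside and (tok.writable or not write):
                tok.remaining -= 1
                return True
        self.denied.append((device, addr, length, write))
        return False
```

Without such a check, as the earlier comment describes, an enumerated endpoint can address any memory it likes; with it, a request is denied as soon as it leaves its window, exceeds its access budget, or arrives after the token expired.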
I know, it's very complicated to make things secure. Difficult to stop gaps in protocols blah blah.
But were Broadcom thinking "Ha, this is way too complex for mere mortals to unscramble. No one in their right minds would bother"?
Surprise.