Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker

Support for Windows Vista Service Pack 1 (SP1) ended on July 12, 2011. To continue receiving security updates for Windows, make sure that you're running Windows Vista with Service Pack 2 (SP2). For more information, go to the following Microsoft website: Support is ending for some versions of Windows.

Symptoms

A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) attacks when the computer is turned on or is in the Standby power state. This includes when the desktop is locked.

BitLocker with TPM-only authentication lets a computer enter the power-on state without any pre-boot authentication. Therefore, an attacker may be able to perform DMA attacks.

In these configurations, an attacker may be able to search for BitLocker encryption keys in system memory by spoofing the SBP-2 hardware ID by using an attacking device that is plugged into a 1394 port. Alternatively, an active Thunderbolt port also provides access to system memory to perform an attack. Note that Thunderbolt 3 on the new USB Type-C connector includes new security features which can be configured to protect against this type of attack.

This article applies to the following systems:
  • Systems that are left turned on
  • Systems that are left in the Standby power state
  • Systems that use the TPM-only BitLocker protector

Cause

1394 physical DMA

Industry standard 1394 controllers (OHCI compliant) provide functionality that allows for access to system memory. This functionality is provided as a performance improvement. It enables large amounts of data to transfer directly between a 1394 device and system memory, bypassing CPU and software. By default, 1394 Physical DMA is disabled in all versions of Windows. The following options are available to enable 1394 Physical DMA:
  • An administrator enables 1394 Kernel Debugging.
  • Someone who has physical access to the computer connects a 1394 storage device that complies with the SBP-2 specification.

1394 DMA threats to BitLocker

BitLocker system integrity checks protect against unauthorized Kernel Debugging status changes. However, an attacker could connect an attacking device to a 1394 port, and then spoof an SBP-2 hardware ID. When Windows detects an SBP-2 hardware ID, it loads the SBP-2 driver (sbp2port.sys), and then instructs the driver to allow for the SBP-2 device to perform DMA. This enables an attacker to gain access to system memory and search for BitLocker encryption keys. 
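The following read-only audit script is an added example and is not part of the Microsoft article. It checks the two conditions the Cause section lists as enabling 1394 physical DMA on a machine: kernel debugging configured over the 1394 transport, and the SBP-2 driver (sbp2port.sys) being present or loaded. It also reports whether a 1394 host controller exists at all. The bcdedit label names it matches, the Win32_SystemDriver and Win32_PnPEntity queries, and the 1394 controller class GUID are assumptions stated in the comments; run it from an elevated Windows PowerShell prompt.

```powershell
<#
  Added example (not from the KB article): read-only audit of the two paths the
  article's Cause section lists as enabling 1394 physical DMA. Run from an
  elevated Windows PowerShell prompt; bcdedit.exe needs administrator rights and
  prints nothing usable without them.
#>

function Get-KernelDebug1394State {
    # Assumption: bcdedit prints the English labels 'debug' and 'debugtype'.
    # On a localized Windows the labels may differ and the match would fail.
    $entry    = (& bcdedit.exe /enum '{current}' 2>$null) -join "`n"
    $settings = (& bcdedit.exe /dbgsettings 2>$null) -join "`n"
    $debugOn  = $entry    -match '(?m)^debug\s+Yes\s*$'
    $over1394 = $settings -match '(?m)^debugtype\s+1394\s*$'
    [pscustomobject]@{
        KernelDebugEnabled = $debugOn
        DebugTransport1394 = $over1394
        Enables1394Dma     = ($debugOn -and $over1394)
    }
}

function Get-Sbp2DriverState {
    # Start type from the service key: 0=Boot, 1=System, 2=Automatic,
    # 3=Manual (demand start, the normal value for sbp2port), 4=Disabled.
    # Blocking the SBP-2 device setup class (see Resolution) keeps Plug and
    # Play from loading the driver when an SBP-2 hardware ID appears.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ DriverPresent = $false; StartType = $null; RunningNow = $false }
    }
    $start   = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $running = [bool](Get-WmiObject -Class Win32_SystemDriver -Filter "Name='sbp2port'" |
                      Where-Object { $_.State -eq 'Running' })
    [pscustomobject]@{
        DriverPresent = $true
        StartType     = $start
        RunningNow    = $running
    }
}

function Get-1394HostController {
    # Assumption: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} is the well-known
    # "1394" device setup class (host controllers); it is not quoted in the article.
    $classGuid = '{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}'
    @(Get-WmiObject -Class Win32_PnPEntity | Where-Object { $_.ClassGuid -ieq $classGuid }) |
        Select-Object Name, DeviceID, Status
}

# A machine is exposed along the 1394 path only if it has a controller at all;
# Enables1394Dma or RunningNow = True is the condition the Cause section describes.
$controllers = Get-1394HostController
"1394 host controllers found: $($controllers.Count)"
$controllers | Format-Table -AutoSize
Get-KernelDebug1394State | Format-List
Get-Sbp2DriverState      | Format-List
```

The script changes nothing; it is meant as a pre-check before rolling out the Resolution section's device-installation policy, and as a quick way to confirm that kernel debugging was not left enabled over 1394 on a BitLocker-protected machine.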

Thunderbolt physical DMA

Thunderbolt is a new external bus that has functionality that allows for direct access to system memory. This functionality is provided as a performance improvement. It enables large amounts of data to transfer directly between a Thunderbolt device and system memory, thereby bypassing the CPU and software. Thunderbolt is not supported in any version of Windows, but manufacturers might still decide to include this port type.

Thunderbolt threats to BitLocker

An attacker could connect a special purpose device to a Thunderbolt port and have full direct memory access through the PCI Express bus. This could enable an attacker to gain access to system memory and search for BitLocker encryption keys. Note that Thunderbolt 3 on the new USB Type-C connector includes new security features which can be configured to protect against this type of access.

Resolution

Some configurations of BitLocker can reduce the risk of this kind of attack. The TPM+PIN, TPM+USB, and TPM+PIN+USB protectors reduce the effect of DMA attacks when computers do not use sleep mode (suspend to RAM). If your organization allows for TPM-only protectors or supports computers in sleep mode, we recommend that you block the Windows SBP-2 driver and all Thunderbolt controllers to reduce the risk of DMA attacks.

For more information about how to do this, go to the following Microsoft website:

SBP-2 Mitigation

On the previously mentioned website, refer to the "Prevent installation of drivers matching these device setup classes" section under "Group Policy Settings for Device Installation".

The following is the Plug and Play device setup class GUID for an SBP-2 drive:

d48179be-ec20-11d1-b6b8-00c04fa372a7

Thunderbolt Mitigation

Important: The following Thunderbolt mitigation only applies to Windows 8 and to Windows Server 2012. It does not apply to any of the other operating systems that are mentioned in the "Applies to" section.

On the previously mentioned website, refer to the "Prevent installation of devices that match these device IDs" section under "Group Policy Settings for Device Installation".

The following is the Plug and Play compatible ID for a Thunderbolt controller:
PCI\CC_0C0A
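The script below is an added example, not part of the Microsoft article, covering both the SBP-2 Mitigation and the Thunderbolt Mitigation sections. It audits, and with -Apply writes, the local registry values that the two Group Policy settings named above ("Prevent installation of drivers matching these device setup classes" and "Prevent installation of devices that match these device IDs") store under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions. The registry path and the DenyDeviceClasses / DenyDeviceIDs value names are taken from the DeviceInstallation policy template and are an assumption here; the two identifiers are the ones the article gives, with the class GUID wrapped in braces because that is how the policy stores setup class GUIDs.

```powershell
<#
  Added example (not from the KB article): audits, and with -Apply sets, the
  local registry values behind the two device-installation policies the article
  points to. Assumption: the key and value names below match the
  DeviceInstallation policy template on the listed Windows versions.
  Run elevated. A domain GPO configuring the same settings overwrites these
  values at the next policy refresh, so prefer the GPO route in a domain.
#>
param([switch]$Apply)

$RestrictionsKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Sbp2ClassGuid       = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'  # article value; policy stores class GUIDs in braces
$ThunderboltCompatId = 'PCI\CC_0C0A'                              # article value; Windows 8 / Server 2012 only

function Get-DenyListEntries {
    param([string]$ListName)
    # Each policy keeps one string value per entry ("1", "2", ...) in a subkey
    # named after the list; value names that are not numeric are ignored.
    $key = Join-Path $RestrictionsKey $ListName
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    @($item.GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { $item.GetValue($_) })
}

function Test-DeviceInstallDeny {
    param([string]$ListName, [string]$Expected)
    # Compliant only if the policy toggle is 1 AND the identifier is in its list.
    $enabled = (Get-ItemProperty -Path $RestrictionsKey -Name $ListName -ErrorAction SilentlyContinue).$ListName -eq 1
    $listed  = [bool](Get-DenyListEntries -ListName $ListName | Where-Object { $_ -ieq $Expected })
    [pscustomobject]@{
        Policy    = $ListName
        Expected  = $Expected
        Enabled   = $enabled
        Listed    = $listed
        Compliant = ($enabled -and $listed)
    }
}

function Set-DeviceInstallDeny {
    param([string]$ListName, [string]$Value)
    $key = Join-Path $RestrictionsKey $ListName
    New-Item -Path $key -Force | Out-Null
    # Turn the policy on and make it retroactive, i.e. also apply it to matching
    # devices that are already installed (the checkbox in the policy editor).
    New-ItemProperty -Path $RestrictionsKey -Name $ListName -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RestrictionsKey -Name "${ListName}Retroactive" -PropertyType DWord -Value 1 -Force | Out-Null
    if (Get-DenyListEntries -ListName $ListName | Where-Object { $_ -ieq $Value }) { return }  # already listed
    $used = @((Get-Item -Path $key).GetValueNames() | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $key -Name "$next" -PropertyType String -Value $Value -Force | Out-Null
}

$checks = @(
    @{ ListName = 'DenyDeviceClasses'; Value = $Sbp2ClassGuid }       # SBP-2 Mitigation
    @{ ListName = 'DenyDeviceIDs';     Value = $ThunderboltCompatId } # Thunderbolt Mitigation
)
if ($Apply) {
    foreach ($c in $checks) { Set-DeviceInstallDeny -ListName $c.ListName -Value $c.Value }
}
$checks | ForEach-Object { Test-DeviceInstallDeny -ListName $_.ListName -Expected $_.Value } | Format-Table -AutoSize
```

Run it without -Apply to get a per-policy Compliant column for a fleet audit. Two caveats a practitioner should keep in mind: blocking the SBP-2 setup class also blocks legitimate 1394 storage devices, which is the intended trade-off; and values written directly to the registry govern new device arrivals, while for devices that are already installed it is safest to assume a restart is needed before the retroactive flag has taken effect.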


More Information

For more information about DMA threats to BitLocker, see the following Microsoft Security blog:
For more information about mitigations for cold attacks against BitLocker, see the following Microsoft Integrity Team blog:
Properties

Article ID: 2516445 - Last Review: Jan 21, 2017 - Revision: 3

Windows 7 Service Pack 1, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, Windows 7 Enterprise, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Service Pack 2, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Service Pack 2, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter, Windows Vista Ultimate, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Business 64-bit Edition, Windows Vista Service Pack 1, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Microsoft Hyper-V Server 2012, Windows Server 2012 Standard, Windows 8, Windows 8 Enterprise
