Window 7 Support

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Thursday, 19 March 2009

Attacking SMM Memory via Intel® CPU Cache Poisoning

Posted on 09:02 by Unknown
As promised, the paper and the proof of concept code has just been posted on the ITL website here.

A quote from the paper:
In this paper we have described practical exploitation of the CPU cache poisoning in order to read or write into (otherwise protected) SMRAM memory. We have implemented two working exploits: one for dumping the content of SMRAM and the other one for arbitrary code execution in SMRAM. This is the third attack on SMM memory our team has found within the last 10 months, affecting Intel-based systems. It seems that current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying.

The potential consequence of attacks on SMM might include SMM rootkits [9], hypervisor compromises [8], or OS kernel protection bypassing [2].
Don't worry, the shellcode we use in the exploit is totally harmless (have really no idea how some people concluded we were going to release an SMM rootkit today?) — it only increases an internal counter on every SMI and jumps back to the original handler. If you want something more fancy, AKA SMM rootkits, you might want to re-read Sherri's and Shawn's last year's Black Hat paper and try writing something they describe there.

The attack presented in the paper has been fixed on some systems according to Intel. We have however found out that even the relatively new boards, like e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board — the offsets would have to be changed to work on other boards (please do not ask how to do this).

Keep in mind this is a different SMM attack than the one we mentioned during our last month's Black Hat presentation on TXT bypassing (the VU#127284). We are planning to present that other attack at the upcoming Black Hat Vegas. Hopefully this will not be the only one thing that ITL will entertain you with in Vegas — Alex and Rafal are already working now on something even cooler (and even lower level) for the show, so cross your fingers!

And good luck to Loic with his presentation that is about to start just now...
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in attack, exploit, smm | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Windows 7 seamless GUI integration coming to Qubes OS!
    Finally, after months of hard work, seamless mode for Windows 7 AppVMs is coming to Qubes OS! The new Windows Support Tools will be releas...
  • Converting untrusted PDFs into trusted ones: The Qubes Way
    Arguably one of the biggest challenges for desktop security is how to handle those overly complex PDFs, DOCs, and similar files, that are ...
  • Qubes 2 Beta 2 has been released!
    Qubes R2 Beta 2 with KDE 4.9 environment (click for more screenshots) We're progressing fast and today I would like to anno...
  • The MS-DOS Security Model
    Back in the '80s, there was an operating system called MS-DOS . This ancient OS, some readers might not even remember it today, had a ve...
  • Virtualization Detection vs. Blue Pill Detection
    So, it’s all over the press now, but, as usual, many people didn’t quite get the main points of our Black Hat talk . So, let’s clear things ...
  • Our Xen 0wning Trilogy Highlights
    Below you can find highlights of the three presentations, collectively referred to as "Xen 0wning Trilogy", that Alex, Rafal and I...
  • Attacking Xen: DomU vs. Dom0 consideration
    As it usually happens, there is some confusion regarding the attacks presented in our Xen 0wning Trilogy. Some people think they are possibl...
  • The Linux Security Circus: On GUI isolation
    There certainly is one thing that most Linux users don't realize about their Linux systems... this is the lack of GUI-level isolation, ...
  • Thoughts on Intel's upcoming Software Guard Extensions (Part 2)
    In the first part of this article published a few weeks ago, I have discussed the basics of Intel SGX technology, and also disc...
  • Disposable VMs
    While we're still busy with some last few tickets left for Qubes Alpha 2 milestone, Rafal has already started working on a new feature ...

Categories

  • attack
  • backdoors
  • bad guys attacking joanna
  • BIOS
  • bitlocker
  • challanges
  • chipset
  • cloud
  • company news
  • conferences
  • disk encryption
  • exploit
  • fighting for a better world
  • formal verification
  • general
  • hypervisor rootkits
  • nested virtualization
  • os security
  • personal
  • philosophical
  • qubes
  • rootkits
  • saving-the-world-afterhours
  • secure architecture
  • smm
  • tpm
  • trusted computing
  • trusted execution technology
  • usb
  • virtualization based rootkits
  • xen hacking
  • xen heap exploiting

Blog Archive

  • ►  2013 (7)
    • ►  November (1)
    • ►  September (1)
    • ►  August (1)
    • ►  June (1)
    • ►  March (1)
    • ►  February (2)
  • ►  2012 (8)
    • ►  December (1)
    • ►  September (2)
    • ►  July (1)
    • ►  June (1)
    • ►  March (1)
    • ►  February (1)
    • ►  January (1)
  • ►  2011 (17)
    • ►  December (2)
    • ►  September (3)
    • ►  August (1)
    • ►  June (2)
    • ►  May (4)
    • ►  April (3)
    • ►  March (2)
  • ►  2010 (15)
    • ►  December (1)
    • ►  October (1)
    • ►  September (4)
    • ►  August (2)
    • ►  July (1)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  January (1)
  • ▼  2009 (21)
    • ►  December (1)
    • ►  October (1)
    • ►  September (2)
    • ►  August (2)
    • ►  July (2)
    • ►  June (3)
    • ►  May (1)
    • ▼  March (4)
      • Trusting Hardware
      • The Sky Is Falling?
      • Attacking SMM Memory via Intel® CPU Cache Poisoning
      • Independent Attack Discoveries
    • ►  February (2)
    • ►  January (3)
  • ►  2008 (15)
    • ►  September (3)
    • ►  August (4)
    • ►  July (2)
    • ►  May (1)
    • ►  April (4)
    • ►  March (1)
  • ►  2007 (15)
    • ►  October (2)
    • ►  August (2)
    • ►  June (1)
    • ►  May (1)
    • ►  April (2)
    • ►  March (2)
    • ►  February (3)
    • ►  January (2)
  • ►  2006 (8)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (2)
Powered by Blogger.

About Me

Unknown
View my complete profile