[conspire] (forw) [svlug] Blackhat: Intel System Management Mode (SMM) and its discontents

Rick Moen rick at linuxmafia.com
Wed May 3 23:09:30 PDT 2017


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Wed, 3 May 2017 17:17:54 -0700
From: Rick Moen <rick at linuxmafia.com>
To: svlug at lists.svlug.org
Subject: [svlug] Blackhat: Intel System Management Mode (SMM) and its
	discontents

Exploit inside.

A decade-plus ago, Intel started building embedded control structures
deep into its CPUs.  One, present in all Intel x86 CPUs since the
Pentium Pro in 1995, is System Management Mode (SMM), running from
firmware (as ring -2, below the layer of your hypervisor, if any) and
thus in full control of the normal machine operations that occur in ring
0.  

SMM code handles ACPI power operations (e.g., sleep/suspend), USB
emulation of legacy devices like PS/2, chipset error data, and other
housekeeping functions.  All such operations are invisible to the OS.
SMM uses a small chunk of the system memory map, and uses the memory
circuitry to block access to that RAM from anything else.

Separately, starting two years before that, Intel introduced Advanced
Programmable Interrupt Controller (APIC) circuitry, one local to each
core (a 'local APIC' chip) and usually one IO APIC to mediate traffic
to the local APICs.  The latter store their control data in system RAM,
and are programmable to move their control data to any location in
system RAM the OS developer might prefer.  Like, for example, the system
RAM locations the SMM code uses.  Oops.

1.  Get local root.
2.  Use access to the local APIC to overwrite SMM memory with a rootkit.
3.  Branch to rootkit.
4.  Profit!

Security researcher Christopher Domas showed at the recent Black Hat
conference in Las Vegas how any root process in a native OS can carry
out those steps, which are then totally invisible to the regular
hardware and OS.

Starting with Intel chips made from Jan. 2011 onwards (Sandy Bridge Core
CPUs and later), this exploit is forbidden:  The local APIC circuitry
(now integrated into CPUs) may now no longer have access to the SMM's
protected RAM area.  Also, code running from VMs has never been able to
perform this trick (another reason to run your Linux systems under a
hypervisor).

Intel has released fix code for a couple of recent systems, but most
others of the past 16 years are screwed.  Except, of course, by running
your production systems under hypervisors.

https://www.theregister.co.uk/2015/08/11/memory_hole_roots_intel_processors/



----- End forwarded message -----
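Added example (not part of Rick's post or of Domas's work): a small inventory check that sorts each processor in a /proc/cpuinfo dump into the categories the post draws, a pre-Sandy-Bridge Intel CPU on bare metal, a guest under a hypervisor, or a Sandy Bridge-or-later part. The family-6 CPUID model numbers it keys on are an assumption taken from Intel's public CPUID documentation as I recall it, not from the post; the sample cpuinfo excerpts are constructed, not captured from real hosts.

```python
"""Host triage for the APIC-over-SMRAM issue described in the post.

Reads /proc/cpuinfo (or a captured copy) and sorts each processor into one
of the categories the post distinguishes: a pre-Sandy-Bridge Intel CPU on
bare metal (exposed), a guest under a hypervisor (the post says guests were
never able to perform the trick), or a Sandy Bridge-or-later part.

Assumption: the family-6 CPUID model numbers below come from Intel's public
CPUID documentation as the author of this example recalls them, not from the
post; verify them against your own hardware inventory before relying on them.
"""
import sys

# Family-6 models older than Sandy Bridge (assumed list, see docstring).
PRE_SANDY_BRIDGE_MODELS = {
    0x0E,                    # Core (Yonah)
    0x0F, 0x17, 0x1D,        # Core 2 (Merom, Penryn)
    0x1A, 0x1E, 0x1F, 0x2E,  # Nehalem
    0x25, 0x2C, 0x2F,        # Westmere
    0x1C, 0x26,              # Atom (Bonnell)
}
# Sandy Bridge itself: the post's cutoff (Jan. 2011) for the hardware fix.
SANDY_BRIDGE_MODELS = {0x2A, 0x2D}

# Constructed sample /proc/cpuinfo excerpts (not captured from real hosts).
SAMPLE_NEHALEM_BARE_METAL = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 26
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep
"""
SAMPLE_GUEST = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 26
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {key: value} dict per processor block."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line separates processor blocks
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def classify(cpu):
    """Return 'not-intel', 'hypervisor', 'exposed', 'fixed-generation' or 'unknown'."""
    if cpu.get("vendor_id") != "GenuineIntel":
        return "not-intel"
    # Linux sets the 'hypervisor' flag when CPUID reports a guest environment;
    # the post treats running under a hypervisor as the practical mitigation.
    if "hypervisor" in cpu.get("flags", "").split():
        return "hypervisor"
    try:
        family = int(cpu.get("cpu family", ""))
        model = int(cpu.get("model", ""))
    except ValueError:
        return "unknown"
    if family == 15:                    # NetBurst (Pentium 4 era): well before 2011
        return "exposed"
    if family != 6:
        return "unknown"
    if model in PRE_SANDY_BRIDGE_MODELS:
        return "exposed"
    if model in SANDY_BRIDGE_MODELS or model > max(PRE_SANDY_BRIDGE_MODELS):
        return "fixed-generation"       # Sandy Bridge or newer, per the post's cutoff
    return "unknown"                    # older or unlisted family-6 model: check by hand


def triage(text):
    """Count processors per category for a whole /proc/cpuinfo text."""
    counts = {}
    for cpu in parse_cpuinfo(text):
        category = classify(cpu)
        counts[category] = counts.get(category, 0) + 1
    return counts


def main(path="/proc/cpuinfo"):
    """Print a per-category processor count for the given cpuinfo file."""
    with open(path) as handle:
        counts = triage(handle.read())
    for category, count in sorted(counts.items()):
        print(f"{category:17} {count}")
    return counts


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/proc/cpuinfo")
```

Run it with no argument on a live host, or pass a saved copy of /proc/cpuinfo collected from a fleet; any host that comes back as "exposed" is one the post puts in the "run it under a hypervisor" bucket, and "unknown" means the model is not in the assumed list and needs a manual look.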



