As mentioned earlier today, Rafal Wojtczuk and Joanna Rutkowska have published a new paper on using cache poisoning to exploit the Systems Management Mode (SMM) in Intel 386 and above chipsets.

Some interesting snippets:

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as “Ring -2”, as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in “Ring -1”.

…Interestingly the very same cache poisoning problem we abuse in our attack against SMM has been identified a few years ago by Intel employees, who even decided to describe it in at least two different patent applications [3] [1]. We haven’t been aware of the patents before we discovered the attack — we never thought a vendor might describe weaknesses in its own products and apply for a patent on how to fix them, and still not implement those fixes for a few years… The patents turned out, however, to be easily “googlable” and it would be surprising that nobody else before us, and Loic Duflot, have created working exploits for this vulnerability.

…We assume that the attacker has access to certain platform MSR registers. In practice this is equivalent to the attacker having administrator privileges on the target system, and on some systems, like e.g. Windows, also the ability to load and execute arbitrary kernel code.

and finally:

Intel has informed us that they have been working on a solution to prevent caching attacks on SMM memory for quite a while and have also engaged with OEMs/BIOS vendors to implement certain new mechanisms that are supposed to prevent the attack. According to Intel, many new systems are protected against the attack. We have found out, however, that some of Intel’s recent motherboards, like e.g. the popular DQ35, are still vulnerable to the attack. Additionally the workarounds that Intel has mentioned to us are not yet officially documented, but Intel told us that they will be updating the CPU documentation shortly (In particular the vol. 3a of [4]).

The paper is here (pdf).

Alex Eckelberry