Attacks on Intel's System Management Mode
Joanna Rutkowska and Loic Duflot have simultaneously disclosed details of vulnerabilities in Intel's caching mechanisms, which permit the injection of code into the System Management Mode and ultimately the placing of a virtually invisible rootkit.
"System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control", explain Embleton, Sparks and Zou in a paper on SMM rootkits that's well worth reading. "It has its own private memory space [SMRAM], and execution environment which is generally invisible to code running outside [it.]" By poisoning the cache of the CPU, Rutkowska can successfully inject her own code, which then runs with maximum privileges, while remaining invisible to the operating system and applications.
She provides a harmless "proof of concept" exploit that she claims works on Intel's DQ35 board, among others. Embleton, Sparks and Zou demonstrate what a genuine SMM rootkit could look like. Not much more is known about Duflot's presentation at CanSecWest, other than its title, "Getting into the SMRAM: SMM Reloaded".
Despite the far-reaching consequences of such SMM rootkits, there's no need to panic. So far, only theoretical concepts and a few conceptual studies intended for laboratory environments are known. Nothing of the kind has yet been observed in the wild as part of malicious software.
- Attacking SMM Memory via Intel CPU Cache Poisoning by Joanna Rutkowska.
- SMM Rootkits: A New Breed of OS Independent Malware by Shawn Embleton, Sherri Sparks and Cliff Zou of the University of Central Florida.