In association with heise online

21 March 2009, 11:02

Attacks on Intel's System Management Mode

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Joanna Rutkowska and Loic Duflot have simultaneously disclosed details of vulnerabilities in Intel's caching mechanisms, which permit the injection of code into the System Management Mode and ultimately the placing of a virtually invisible rootkit.

"System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control", explain Embleton, Sparks and Zou in a paper on SMM rootkits that's well worth reading. "It has its own private memory space [SMRAM], and execution environment which is generally invisible to code running outside [it.]" By poisoning the cache of the CPU, Rutkowska can successfully inject her own code, which then runs with maximum privileges, while remaining invisible to the operating system and applications.

She provides a harmless "proof of concept" exploit that she claims works on Intel's DQ35 board, among others. Embleton, Sparks and Zou demonstrate what a genuine SMM rootkit could look like. Not much more is known about Duflot's presentation at CansecWest, other than the title, "Getting into the SMRAM: SMM Reloaded".

Despite the far-reaching consequences of such SMM rootkits, there's no need to panic. Fortunately, only theoretical concepts and a few conceptual studies for laboratory environments have so far been heard of. Nothing of the kind has yet been observed in the wild as a part of malicious software.

See also


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit