Intel’s Trusted Execution Technology hacked in the alpha stage
At the Black Hat DC 2009 conference, Joanna Rutkowska, rootkit expert and CEO of Invisible Things Lab (ITL), plans to show how to get around Intel's Trusted Execution Technology (TXT). She has already published a press release describing a two-stage attack on the tboot (Trusted Boot) loader, which TXT is meant to safeguard and which is so far only available as an alpha version.
The security hole is currently of almost no practical importance, since scarcely any computer in use takes advantage of TXT, despite its introduction nearly two years ago under the name LaGrande Technology. Still, Rutkowska earned much respect with her Blue Pill rootkit and her "Owning Xen" attack on the Xen hypervisor, and the TXT hack exposes fundamental weaknesses in Intel's highly complex Trusted Execution concept.
TXT is a component of Intel's vPro platform for business desktops and notebooks. Other vPro components include remote maintenance (Active Management Technology, AMT) as well as hardware virtualisation support for the processor (VT-x) and for PCI Express devices (VT-d). vPro is intended to improve the security, maintainability and reliability of office computers. According to the concept Intel introduced back in 2006, which did not become fully implementable until the third generation of vPro chipsets (Q45, GM45), virtual machines (VMs) that perform additional functions independently of the user's operating system run in parallel to it.
The functions Intel envisages for these VMs include virus scanners and other network monitoring tools that inspect the traffic passing through the chipset-integrated network adapter. So far, no such "virtual appliances" (Intel also speaks of "embedded IT") are on the market. Development by Intel partner Symantec has apparently been delayed by licensing problems, and all Red Hat has produced so far is a developer kit based on the Xen hypervisor. There is still no sign of the previously announced Parallels solution, and the HyperCore integrated hypervisor, included in various versions of the Phoenix BIOS, is apparently slow in coming.
Intel knows that a VM with network access, running alongside the actual PC operating system, is a massive security risk. That is why part of the vPro concept is to have the VMs run in main memory ranges that are isolated at the hardware level and that can only be launched once the processor has verified Intel's signed authenticated code module and the measurements (hashes) of the code being started have been recorded in the Trusted Platform Module (TPM), so that a modified loader or hypervisor can be detected. This is precisely the job of the tboot loader, which has turned out not to be as watertight as Intel had hoped. ITL says, however, that Intel is already working on a fix.
The VM memory is isolated using a combination of TXT and the Safer Mode Extensions (SMX) of VT-x-capable processors. AMD's Secure Virtual Machine (SVM) extensions (Pacifica/Presidio) perform a similar function. In this concept, VT-d is supposed to provide secure I/O channels: the hypervisor can give individual VMs direct (or exclusive) access to PCIe devices, while the IOMMU restricts each device's DMA to the memory of the VM it is assigned to. The PCI standards body (PCI-SIG) is concurrently working on its I/O virtualisation (IOV) specifications.
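The point of the measured launch described above is that the TPM does not check signatures on the hypervisor; it records hashes of what was started, and secrets can be bound to those hashes. The following Python model illustrates that mechanism. It is an added example, not code from the article, from ITL or from tboot, and it simplifies TXT considerably: the image bytes are constructed stand-ins for the SINIT ACM and the launched environment (the "MLE", here tboot plus hypervisor), and only those two measurements are modelled, whereas real TXT also records the launch control policy and other details. The PCR numbers (17 for the ACM, 18 for the MLE) and the SHA-1 extend rule follow the TPM 1.2 conventions; the `seal`/`unseal` functions are stand-ins for the TPM's own seal operations.

```python
import hashlib

# Constructed sample "images" standing in for the SINIT ACM and the measured
# launch environment (tboot + hypervisor). These are not real binaries.
SINIT_ACM = b"constructed SINIT ACM image"
MLE_GOOD = b"constructed tboot/Xen MLE image"
MLE_TAMPERED = b"constructed tboot/Xen MLE image (patched)"

# TPM 1.2 PCRs are 20-byte SHA-1 registers. TXT's dynamic PCRs (17-22) are
# reset to all zeros by GETSEC[SENTER] before the ACM runs.
PCR_INIT = b"\x00" * 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || measurement).

    A PCR can only be extended, never written directly, so its final value
    commits to the whole sequence of measurements in order.
    """
    return sha1(pcr + measurement)


def measured_launch(acm: bytes, mle: bytes) -> dict:
    """Simplified model of a TXT measured launch (assumption: only the ACM and
    the MLE are measured). PCR17 receives the ACM hash, PCR18 the MLE hash.

    Note what is and is not captured: the hashes describe the images at the
    moment of launch. Anything that alters the running environment afterwards
    leaves the PCRs unchanged.
    """
    pcr17 = pcr_extend(PCR_INIT, sha1(acm))
    pcr18 = pcr_extend(PCR_INIT, sha1(mle))
    return {17: pcr17, 18: pcr18}


def seal(secret: bytes, pcrs: dict) -> dict:
    """Bind a secret to the expected PCR values (models TPM_Seal)."""
    return {"expected": dict(pcrs), "secret": secret}


def unseal(blob: dict, pcrs: dict):
    """Release the secret only if every sealed PCR matches the current value
    (models TPM_Unseal). Returns None on any mismatch."""
    if all(pcrs.get(index) == value for index, value in blob["expected"].items()):
        return blob["secret"]
    return None


if __name__ == "__main__":
    good = measured_launch(SINIT_ACM, MLE_GOOD)
    # A key for the virtual appliance's disk, sealed to the known-good launch.
    blob = seal(b"constructed-appliance-disk-key", good)
    print("unseal after clean launch:", unseal(blob, good))

    # A patched tboot/hypervisor image changes PCR18, so the TPM refuses.
    bad = measured_launch(SINIT_ACM, MLE_TAMPERED)
    print("PCR17 unchanged:", good[17] == bad[17])
    print("PCR18 differs:  ", good[18] != bad[18])
    print("unseal after tampered launch:", unseal(blob, bad))
```

Running the script shows the two sides of the design: a modified MLE image yields a different PCR18 and the sealed secret stays locked, but the PCRs are a snapshot taken at launch, which is why attacks that tamper with the environment after the measurement (rather than with the measured image itself) are the interesting class against this kind of scheme.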
These attacks on TXT and Xen show that virtualisation brings significant new security risks: the hypervisor runs on the CPU with even greater privileges than ring 0 code, so one might say it runs in "ring -1", and whoever controls it controls every guest above it. At the same time, entries relating to the new virtualisation instructions are piling up on AMD's and Intel's processor errata lists. It is no wonder, then, that manufacturers factory-disable VT-x and AMD-V in many BIOS setups.