Linux cache poisoning attacks easier than on Windows?
An anonymous security expert on the Microsoft Subnet blog has published sample code for a cache poisoning attack on Linux. The work was based on Joanna Rutkowska's previously announced attack on Intel's System Management Mode, explained in detail in an Invisible Things Lab paper.
The anonymous writer was surprised how easy the attack was and noted that the exploit code was neither unusual nor particularly complex. The aim of the attack is to obtain access to the usually well-secured area of memory used by System Management Mode by modifying the Memory Type Range Registers (MTRRs), and so to obtain space in which to place a rootkit that would allow the attacker to gain control of the hypervisor or operating system. Root privileges are needed to execute the attack.
The published sample code is for a Linux operating system running on an Intel DQ35 motherboard with 2GB of RAM. It appears that the Linux root user is given amazingly easy access to the Memory Type Range Registers. The blogger admits this attack could also be performed in Windows, but that it requires much more effort and know-how.
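Because the attack works by changing how the MTRRs describe the SMM memory region, a defender can at least notice such a change by checking that the region is still reported as uncachable in the kernel's `/proc/mtrr` view. The script below is an added example written for this article; it is not code from the Microsoft Subnet blog or from Invisible Things Lab. It parses the `/proc/mtrr` line format printed by the Linux kernel, applies a simplified version of Intel's overlap precedence (uncachable beats everything, write-through beats write-back), and checks an administrator-supplied range. The SMRAM (TSEG) location and size used here are placeholder assumptions for a 2 GB machine, not values taken from the page; the two sample `/proc/mtrr` listings are constructed.

```python
import re

# One line of /proc/mtrr as printed by the Linux kernel, for example:
#   reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
MTRR_LINE = re.compile(
    r"reg(?P<reg>\d+):\s*base=0x(?P<base>[0-9a-fA-F]+)\s*\([^)]*\),"
    r"\s*size=\s*(?P<size>\d+)(?P<unit>KB|MB|GB),\s*count=\d+:\s*(?P<type>[\w-]+)"
)
UNIT = {"KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}

# Placeholder assumption: where SMRAM (TSEG) sits on a 2 GB box. Take the real
# value from the chipset/BIOS of the machine being audited.
PROTECTED_BASE = 0x7E000000
PROTECTED_SIZE = 32 << 20

# Constructed sample listings: a sane baseline and one where the uncachable
# entry covering the protected range has disappeared.
BASELINE_PROC_MTRR = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x07e000000 ( 2016MB), size=   32MB, count=1: uncachable
"""
TAMPERED_PROC_MTRR = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
"""


def parse_mtrr(text):
    """Parse /proc/mtrr text into a list of variable-range entries."""
    entries = []
    for line in text.splitlines():
        m = MTRR_LINE.match(line.strip())
        if m is None:
            continue  # blank or unrecognised line
        entries.append({
            "reg": int(m.group("reg")),
            "base": int(m.group("base"), 16),
            "size": int(m.group("size")) * UNIT[m.group("unit")],
            "type": m.group("type"),
        })
    return entries


def effective_type(entries, addr, default="uncachable"):
    """Memory type that applies at addr. Simplified Intel precedence:
    uncachable wins over everything, write-through wins over write-back.
    `default` stands in for the MTRRdefType register, assumed uncachable."""
    types = {e["type"] for e in entries
             if e["base"] <= addr < e["base"] + e["size"]}
    if not types:
        return default
    if "uncachable" in types:
        return "uncachable"
    if "write-through" in types:
        return "write-through"
    return types.pop()  # single remaining type (overlaps of others are undefined)


def protected_range_ok(entries, base, size, step=1 << 20):
    """True if every `step`-aligned address in [base, base+size) is uncachable."""
    return all(effective_type(entries, a) == "uncachable"
               for a in range(base, base + size, step))


def audit(text, base=PROTECTED_BASE, size=PROTECTED_SIZE):
    """Return True when the protected range is still uncachable in `text`."""
    return protected_range_ok(parse_mtrr(text), base, size)


if __name__ == "__main__":
    try:
        with open("/proc/mtrr") as f:
            live = f.read()
    except OSError:
        live = BASELINE_PROC_MTRR  # fall back to the constructed sample
    print("protected range uncachable:", audit(live))
```

Run it periodically or from an integrity-monitoring job and compare against a known-good snapshot of `/proc/mtrr` taken at install time. The check only observes what the kernel reports; a root-level attacker who has already reprogrammed the registers can also tamper with what is monitored, so treat a mismatch as a strong signal rather than treating a match as proof of absence.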