Another day arrives and, with it, another way to run code. This time, it’s executing arbitrary code in System Management Mode (SMM) memory. That sounds kind of exciting, right? An SMM rootkit? Does that mean that we need an anti-malware scanner for SMM memory now? Or will it just fade away? All this and more will be answered shortly. But first…
The technique was discovered last year by Loïc Duflot. Loïc has been researching and publishing work on SMM for several years already. The same technique was discovered this year by Joanna Rutkowska. Joanna is perhaps most famous for her Blue Pill work.
The attack is based on a well-known technique – cache poisoning – but applied to a new context. Apparently, Loïc and then Joanna contacted Intel about the technique, but interestingly, Intel engineers knew about it already. In fact, they had even documented it in the data sheet for the 5100 MCH chipset: “The chipset/platform cannot protect against processors who attempt to illegally access SMM space that is modified in another processor’s cache”. This is exactly what is being exploited.
There are lots of caches in modern hardware, and several of them can be filled under user control with arbitrary data for execution. For example, the Translation Lookaside Buffer (TLB) is perhaps the most accessible cache. An attacker can fill a TLB page with code, mark the entry as global so that it won’t be flushed by default, and then remove the corresponding page table entry. This was my “invisible code” technique. Or a defender can time the filling of a TLB page with data, execute an instruction that is known to cause a fault in a virtualised environment, and then time a second access to the same page to determine whether a refill occurred. That was my technique to detect Blue Pill. 😉 There are other caches and other ways to play with them, but we’ll come back to that.
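The defender-side half of that paragraph, the TLB refill timing, can be sketched in user mode. The following is an added example and is not code from the original post or from the author: it touches a page so that its translation is in the TLB, times a warm access, executes CPUID (which is assumed here to be the "instruction known to cause a fault in a virtualised environment", since CPUID unconditionally causes a VM exit under Intel VT-x), and then times the access again. The kernel-mode part of the post's technique (removing the page table entry so that the refill cannot be served silently) is deliberately left out; only the measurement is shown, and the threshold at which a difference counts as a flush is left to the reader.

```c
/* Added example, not from the original post: user-mode TLB refill timing.
 * Assumptions: x86 with rdtsc/cpuid available; CPUID causes a VM exit under
 * VT-x. On other architectures the probe returns -1 instead of measuring. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
#define TRIALS 32

typedef struct {
    int64_t warm_cycles;   /* cost of a load whose translation is already in the TLB */
    int64_t after_cycles;  /* cost of the same load right after CPUID */
} tlb_probe_t;

#if defined(__x86_64__) || defined(__i386__)
static inline uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    /* lfence keeps the preceding load from drifting past the counter read */
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}

static inline void run_cpuid(void)
{
    uint32_t a = 0, b, c, d;
    /* leaf 0; the result is irrelevant, the VM exit is the point */
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d) : : "memory");
}

static inline uint64_t timed_load(volatile uint8_t *p)
{
    uint64_t t0 = read_tsc();
    (void)*p;                     /* volatile: the load is really performed */
    return read_tsc() - t0;
}

/* Fills out with the best (minimum) warm and post-CPUID access costs over
 * TRIALS runs. Returns 0 on success, -1 if no page could be allocated. */
int tlb_probe(tlb_probe_t *out)
{
    uint8_t *buf = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    if (!buf) return -1;
    memset(buf, 0x5a, PAGE_SIZE);        /* back the page with real memory */
    volatile uint8_t *page = buf;

    uint64_t best_warm = UINT64_MAX, best_after = UINT64_MAX;
    for (int i = 0; i < TRIALS; i++) {
        (void)*page;                      /* make sure the translation is cached */
        uint64_t warm = timed_load(page);
        run_cpuid();                      /* the instruction that exits to the hypervisor */
        uint64_t after = timed_load(page);
        if (warm < best_warm) best_warm = warm;
        if (after < best_after) best_after = after;
    }
    free(buf);
    out->warm_cycles = (int64_t)best_warm;
    out->after_cycles = (int64_t)best_after;
    return 0;
}
#else
int tlb_probe(tlb_probe_t *out)
{
    out->warm_cycles = 0;
    out->after_cycles = 0;
    return -1;                            /* rdtsc and cpuid are x86-only */
}
#endif

int main(void)
{
    tlb_probe_t r;
    if (tlb_probe(&r) != 0) {
        puts("probe not available on this architecture");
        return 1;
    }
    printf("warm access: %lld cycles, after CPUID: %lld cycles (delta %lld)\n",
           (long long)r.warm_cycles, (long long)r.after_cycles,
           (long long)(r.after_cycles - r.warm_cycles));
    return 0;
}
```

A delta far larger than the warm cost means the second access had to walk the page tables again, i.e. the TLB was flushed between the two loads. Two caveats for anyone running this today: hypervisors that use VPID tagging keep guest TLB entries across VM exits, so the delta shrinks to little more than the cost of the exit itself, and without the post's page-table removal the refill succeeds silently, so timing is the only signal left.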
Yes, SMM code execution has been discussed for years already. In fact, some of us discussed using it to detect Blue Pill-style attacks, since the SMM environment exists outside of any virtualised environment. More recently, an SMM PS/2 keyboard sniffer was described, but that attack relied on the chipset not locking access to SMM memory. The advance presented at CanSecWest was to bypass the locking mechanism without requiring physical access to the system.
To read the rest of this post, see the Microsoft Malware Protection Center blog.