SMM stands for System Management Mode. System Management mode is one of the four modes of operation of most x86 processors (Intel Xeon, Intel Pentium, or AMD Athlon for instance). Modern operating systems (such as Linux, BSD, or Windows) run in so-called protected mode. In protected mode, 4 different processor privilege levels (also called rings) are available, ring 0 being the most privileged one and ring 3 the least privileged one. Kernels of operating systems run in ring 0 whereas userspace code runs in ring 3. The set of operations available to ring 3 code is restricted by hardware-enforced security mechanisms such as segmentation, paging, and I/O privilege restrictions. A few security-critical assembly language instructions are also restricted to ring 0 operation. Most software security techniques (PaX on Linux, W^X on OpenBSD, and so on) heavily rely upon protected mode enforced mechanisms. On the contrary, System Management Mode is a 16-bit mode of operation dedicated to system maintenance. Code running in System Management Mode is running with full privileges on the system (free access to physical memory and to peripheral devices). Protected mode security mechanisms (paging, segmentation, rings, ...) are not enforced while in System Management Mode.
System Management Mode attack
http://www.securityfocus.com/columnists/402
Big deal. Puppy runs in root anyway. I just assume Puppy is allowed to do anything the CPU is capable of.
I run Puppy from a multisession DVD in a computer that has no hard disk drive. If my Puppy does become the victim of an attack that gets saved to the DVD, it's relatively easy to isolate the infected session. Unlike what happens when a hard disk install is infected.
"Big deal?"
A bit dismissive, don't you think?
The fact that Puppy (or any other distro/OS) runs in root is not the point.
The point is that Linux is normally considered relatively safe from "hacks".
This article simply points out that there are potentially more ways than
first meets the eye for a malicious user/app to get full access.
What makes things worse is that SMM vulnerabilities would be completely
invisible to the OS, rather a big deal.
Nooby, I don't know exactly what could be done but at least knowing
about it is a start.
I do suspect that SMM will have more than one vulnerability.
Consider this scenario: you try to load Puppy or another OS on your PC
and you get some boot problems and opt to include the boot time option
of switching off ACPI (quite common for some motherboards).
Then along comes an app that executes the following code:

```nasm
mov eax,101      ; 32-bit Linux syscall number 101 = ioperm()
mov ebx,00B2h    ; from = I/O port 0xB2
mov ecx,1        ; num = 1 port
mov edx,1        ; turn_on = 1 (request access to the port)
int 80h          ; ask the kernel for access to port 0xB2
mov al, 0A0h     ; value to write
mov dx, 00B2h    ; port 0xB2
out dx,al        ; the port write the explanation below refers to
```

So what is happening?
You have told your OS to ignore ACPI, so now when, say, your temperature
sensor sees that your CPU is getting too hot, it generates an ACPI interrupt,
an SMI which ACPI would normally send to your OS to switch on the fan.
But in the code above you have told ACPI that your OS would take care
of things like that but in reality it's not true, so your CPU gets hotter and
hotter as the fan never comes on until your CPU goes up in smoke.
A very big deal indeed.
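As an added example that is not part of the thread: a small C program showing the protected-mode I/O privilege gate that stands between user space and port 0xB2, the port the snippet above writes to. It makes the same ioperm() request the snippet issues with syscall 101 and reads CAP_SYS_RAWIO from /proc/self/status, but never executes the OUT, so it only reports whether a process in its position could reach that port. It assumes Linux on x86 with a readable /proc; elsewhere it reports that ioperm is unavailable.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#include <sys/io.h>          /* ioperm() exists only on x86 Linux */
#define HAVE_IOPERM 1
#else
#define HAVE_IOPERM 0
#endif
#define SMI_CMD_PORT 0xB2      /* the port the snippet above writes to */
#define CAP_SYS_RAWIO_BIT 17   /* capability number from <linux/capability.h> */
/* 1 if CapEff in /proc/self/status includes CAP_SYS_RAWIO, 0 if not,
 * -1 if the file could not be read (non-Linux or restricted /proc). */
int has_cap_sys_rawio(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            found = (int)((caps >> CAP_SYS_RAWIO_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return found;
}

/* Makes the same ioperm() request the snippet issues with syscall 101 and
 * gives the permission straight back; no OUT is ever executed. Returns 0 if
 * granted, else the errno the kernel refused with (EPERM without
 * CAP_SYS_RAWIO or under a seccomp filter, ENOSYS where ioperm is absent). */
int probe_port_access(unsigned short port) {
#if HAVE_IOPERM
    if (ioperm(port, 1, 1) != 0) return errno;
    ioperm(port, 1, 0);
    return 0;
#else
    (void)port;
    return ENOSYS;
#endif
}
int main(void) {
    int cap = has_cap_sys_rawio(), rc = probe_port_access(SMI_CMD_PORT);
    printf("CAP_SYS_RAWIO: %s\n", cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    printf("ioperm(0x%X,1,1): %s\n", SMI_CMD_PORT, rc ? strerror(rc) : "granted");
    return 0;
}
```

A process without CAP_SYS_RAWIO (or one confined by a seccomp filter that blocks ioperm) is stopped at the int 80h step, before any OUT can reach the chipset.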
Nooby,
Don't get too scared now, get yourself a nice glass of gin/whiskey/rum/beer
(take your pick) and take a few deep breaths.
Yes, the threat is very real; however, there are plenty of others too.
The only reason I highlighted the SMM vulnerabilities is that they are often
overlooked compared to others.
For a long time now, Linux users have tended to be more lax about getting
a "nasty", thinking that it's mainly reserved for users of that "other" O.S.
Well, things are changing and we all need to be more cautious but not
get too paranoid about it.
Also keep in mind that the simple code that I presented will only work
under certain conditions, and the fact that it would be running in
user-space would make it rather easy to detect if you catch it in time.
It does however pose a threat and shows another possible "backdoor"
to SMM.
I can hardly wait until EFI becomes more commonplace, since it will
use a platform-independent bytecode, meaning that the threats will now
become even more O.S. independent.
Believe me, back doors will be found (if they haven't already) in EFI.
Dave.