Puppy Linux Discussion Forum
System Management Mode attack
Dave_G


Joined: 21 Jul 2011
Posts: 459

PostPosted: Fri 09 Sep 2011, 08:49    Post subject:  System Management Mode attack  

http://www.securityfocus.com/columnists/402
Quote:
SMM stands for System Management Mode. System Management mode is one of the four modes of operation of most x86 processors (Intel Xeon, Intel Pentium, or AMD Athlon for instance). Modern operating systems (such as Linux, BSD, or Windows) run in so-called protected mode. In protected mode, 4 different processor privilege levels (also called rings) are available, ring 0 being the most privileged one and ring 3 the least privileged one. Kernels of operating systems run in ring 0 whereas userspace code runs in ring 3. The set of operations available to ring 3 code is restricted by hardware-enforced security mechanisms such as segmentation, paging, and I/O privilege restrictions. A few security-critical assembly language instructions are also restricted to ring 0 operation. Most software security techniques (PaX on Linux, W^X on OpenBSD, and so on) heavily rely upon protected mode enforced mechanisms. On the contrary, System Management Mode is a 16-bit mode of operation dedicated to system maintenance. Code running in System Management Mode is running with full privileges on the system (free access to physical memory and to peripheral devices). Protected mode security mechanisms (paging, segmentation, rings, ...) are not enforced while in System Management Mode.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11081
Location: Arizona USA

PostPosted: Fri 09 Sep 2011, 09:43    Post subject:  

Big deal. Puppy runs in root anyway. I just assume Puppy is allowed to do anything the CPU is capable of.

I run Puppy from a multisession DVD in a computer that has no hard disk drive. If my Puppy does become the victim of an attack that gets saved to the DVD, it's relatively easy to isolate the infected session. Unlike what happens when a hard disk install is infected.
Dave_G


Joined: 21 Jul 2011
Posts: 459

PostPosted: Fri 09 Sep 2011, 09:47    Post subject:  

"Big deal?"
A bit dismissive don't you think?

The fact that Puppy (or any other distro/OS) runs in root is not the point.
The point is that Linux is normally considered relatively safe from "hacks".
This article simply points out that there are potentially more ways than
first meets the eye for a malicious user/app to get full access.

What makes things worse is that SMM vulnerabilities would be completely
invisible to the OS, rather a big deal.
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Fri 09 Sep 2011, 09:56    Post subject:  

Dave to me it is a big deal. I care about it very much.
But I know too little and have no idea how to find out.

So what do you suggest that we do now when we know?

_________________
I use Google Search on Puppy Forum
not an ideal solution though
Dave_G


Joined: 21 Jul 2011
Posts: 459

PostPosted: Fri 09 Sep 2011, 10:14    Post subject:  

Nooby, I don't know exactly what could be done but at least knowing
about it is a start.

I do suspect that SMM will have more than one vulnerability.
Consider this scenario: you try to load Puppy or another OS on your PC
and you get some boot problems and opt to include the boot time option
of switching off ACPI (quite common for some motherboards).

Then along comes an app that executes the following code:

Code:

mov eax,101
mov ebx,00B2h
mov ecx,1
mov edx,1
int 80h

mov al, 0A0h
mov dx, 00B2h

out dx,al


So what is happening?
You have told your OS to ignore ACPI, so now when, say, your temperature
sensor sees that your CPU is getting too hot, it generates an ACPI interrupt,
an SMI, which ACPI would normally send to your OS to switch on the fan.
But in the code above you have told ACPI that your OS would take care
of things like that, but in reality it's not true, so your CPU gets hotter and
hotter as the fan never comes on, until your CPU goes up in smoke.

A very big deal indeed.
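Dave's remark that a user-space attempt like this is "rather easy to detect if you get it on time" can be made concrete on the defender's side. The block below is an added example, not code from this thread: it assumes an auditd rule that logs the ioperm and iopl syscalls, and it runs over constructed audit records to flag any process that is granted raw access to port 0xB2 (the SMI command port the snippet writes to).

```python
# Added example (not from the thread): scan Linux audit records for processes that
# request raw I/O-port access via ioperm/iopl, the first step of the snippet above.
# Assumes an auditd rule like "-a always,exit -F arch=b32 -S ioperm -S iopl -k ioport"
# is in place; the log lines below are constructed, not captured from a real host.
import re

# syscall numbers keyed by the audit "arch" field (i386 and x86_64)
IO_SYSCALLS = {
    "40000003": {101: "ioperm", 110: "iopl"},   # i386
    "c000003e": {173: "ioperm", 172: "iopl"},   # x86_64
}
SMI_CMD_PORT = 0xB2  # APM/SMI command port written to in the snippet
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(line):
    """Return a finding dict for an ioperm/iopl SYSCALL record, else None."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    name = IO_SYSCALLS.get(rec.get("arch", ""), {}).get(int(rec.get("syscall", -1)))
    if name is None:
        return None
    finding = {"syscall": name, "pid": rec.get("pid"), "comm": rec.get("comm"),
               "success": rec.get("success") == "yes", "severity": "medium"}
    if name == "ioperm":
        # ioperm(from, num, turn_on); audit stores the arguments as bare hex
        port, num, turn_on = (int(rec.get(k, "0"), 16) for k in ("a0", "a1", "a2"))
        finding.update(port=port, num=num)
        if turn_on and port <= SMI_CMD_PORT < port + num:
            finding["severity"] = "high"   # granted range covers the SMI command port
    else:
        finding["severity"] = "high"       # iopl(3) opens every port at once
    return finding

def scan(lines):
    return [f for f in map(classify, lines) if f]

# constructed sample records (one per line), not real audit output
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1315576800.101:201): arch=40000003 syscall=101 success=yes exit=0 a0=b2 a1=1 a2=1 a3=0 pid=2345 uid=0 comm="smitest" exe="/tmp/smitest" key="ioport"',
    'type=PROCTITLE msg=audit(1315576800.101:201): proctitle="smitest"',
    'type=SYSCALL msg=audit(1315576800.102:202): arch=c000003e syscall=172 success=no exit=-1 a0=3 a1=0 a2=0 a3=0 pid=2346 uid=1000 comm="iopltest" exe="/tmp/iopltest" key="ioport"',
    'type=SYSCALL msg=audit(1315576800.103:203): arch=40000003 syscall=101 success=yes exit=0 a0=3f8 a1=8 a2=1 a3=0 pid=2347 uid=0 comm="serialtool" exe="/usr/bin/serialtool" key="ioport"',
    'type=SYSCALL msg=audit(1315576800.104:204): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=7f00 a2=5 a3=0 pid=2348 uid=1000 comm="cat" exe="/bin/cat"',
]
```

Running `scan(SAMPLE_LOG)` yields three findings: the port 0xB2 grant and the iopl attempt are rated high, the serial-port grant medium, and the ordinary write record is ignored.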
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Fri 09 Sep 2011, 13:25    Post subject:  

It is that bad ... So sure it is good that we know but we have to find people that know what to do then? some clues?
Dave_G


Joined: 21 Jul 2011
Posts: 459

PostPosted: Fri 09 Sep 2011, 13:38    Post subject:  

Nooby,

Don't get too scared now, get yourself a nice glass of gin/whiskey/rum/beer
(take your pick) and take a few deep breaths. :)

Yes the threat is very real, however there are plenty of others too.
The only reason I highlighted the SMM vulnerabilities is that they are often
overlooked compared to others.

For a long time now, Linux users tend to be more lax about getting
a "nasty" thinking that it's mainly reserved for users of that "other" O.S.
Well things are changing and we all need to be more cautious but not
get too paranoid about it.

Also keep in mind that the simple code that I presented will only work
under certain conditions and the fact that it would be running under
user-space would make it rather easy to detect if you get it on time.
It does however pose a threat and shows another possible "backdoor"
to SMM.

I can hardly wait until EFI becomes more commonplace, :( since it will
use a platform independent byte code, meaning that the threats will now
become even more O.S. independent.
Believe me back doors will be found (if they haven't already) in EFI.

Dave.