System Management Mode attack

For discussions about security.
Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#1 Post by Dave_G »

http://www.securityfocus.com/columnists/402

SMM stands for System Management Mode. System Management mode is one of the four modes of operation of most x86 processors (Intel Xeon, Intel Pentium, or AMD Athlon for instance). Modern operating systems (such as Linux, BSD, or Windows) run in so-called protected mode. In protected mode, 4 different processor privilege levels (also called rings) are available, ring 0 being the most privileged one and ring 3 the least privileged one. Kernels of operating systems run in ring 0 whereas userspace code runs in ring 3. The set of operations available to ring 3 code is restricted by hardware-enforced security mechanisms such as segmentation, paging, and I/O privilege restrictions. A few security-critical assembly language instructions are also restricted to ring 0 operation. Most software security techniques (PaX on Linux, W^X on OpenBSD, and so on) heavily rely upon protected mode enforced mechanisms. On the contrary, System Management Mode is a 16-bit mode of operation dedicated to system maintenance. Code running in System Management Mode is running with full privileges on the system (free access to physical memory and to peripheral devices). Protected mode security mechanisms (paging, segmentation, rings, ...) are not enforced while in System Management Mode.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

Big deal. Puppy runs in root anyway. I just assume Puppy is allowed to do anything the CPU is capable of.

I run Puppy from a multisession DVD in a computer that has no hard disk drive. If my Puppy does become the victim of an attack that gets saved to the DVD, it's relatively easy to isolate the infected session. Unlike what happens when a hard disk install is infected.

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#3 Post by Dave_G »

"Big deal?"
A bit dismissive don't you think?

The fact that Puppy (or any other distro/OS) runs in root is not the point.
The point is that Linux is normally considered relatively safe from "hacks".
This article simply points out that there are potentially more ways than
first meets the eye for a malicious user/app to get full access.

What makes things worse is that SMM vulnerabilities would be completely
invisible to the OS, rather a big deal.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#4 Post by nooby »

Dave, to me it is a big deal. I care about it very much.
But I know too little and have no idea how to find out.

So what do you suggest that we do now when we know?
I use Google Search on Puppy Forum
not an ideal solution though

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#5 Post by Dave_G »

Nooby, I don't know exactly what could be done but at least knowing
about it is a start.

I do suspect that SMM will have more than one vulnerability.
Consider this scenario: you try to load Puppy or another OS on your PC
and you get some boot problems and opt to include the boot time option
of switching off ACPI (quite common for some motherboards).

Then along comes an app that executes the following code:

mov eax,101
mov ebx,00B2h
mov ecx,1
mov edx,1
int 80h

mov al, 0A0h
mov dx, 00B2h

out dx,al

So what is happening?
You have told your OS to ignore ACPI, so now when, say, your temperature
sensor sees that your CPU is getting too hot, it generates an ACPI interrupt,
an SMI, which ACPI would normally send to your OS to switch on the fan.
But in the code above you have told ACPI that your OS would take care
of things like that, but in reality it's not true, so your CPU gets hotter and
hotter as the fan never comes on, until your CPU goes up in smoke.

A very big deal indeed.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

It is that bad ... So sure it is good that we know, but we have to find people that know what to do then? Some clues?

Dave_G
Posts: 453
Joined: Thu 21 Jul 2011, 13:53

#7 Post by Dave_G »

Nooby,

Don't get too scared now, get yourself a nice glass of gin/whiskey/rum/beer
(take your pick) and take a few deep breaths. :-)

Yes the threat is very real, however there are plenty of others too.
The only reason I highlighted the SMM vulnerabilities is that they are often
overlooked compared to others.

For a long time now, Linux users have tended to be more lax about getting
a "nasty", thinking that it's mainly reserved for users of that "other" O.S.
Well things are changing and we all need to be more cautious but not
get too paranoid about it.

Also keep in mind that the simple code that I presented will only work
under certain conditions and the fact that it would be running under
user-space would make it rather easy to detect if you catch it in time.
It does however pose a threat and shows another possible "backdoor"
to SMM.

I can hardly wait until EFI becomes more commonplace :( since it will
use a platform independent byte code meaning that the threats will now
become even more O.S. independent.
Believe me back doors will be found (if they haven't already) in EFI.

Dave.
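The snippet in post #5 only does anything once the process has been granted raw port I/O, which on Linux the ioperm()/iopl() calls gate behind CAP_SYS_RAWIO; the check below, an added example that is not from this thread or from Puppy, lists the processes whose effective capability set includes it by parsing /proc/<pid>/status (the sample status text is constructed for offline use).

```python
"""List processes holding CAP_SYS_RAWIO, the capability Linux requires
for ioperm()/iopl() and therefore for user-space port writes like the
one in post #5.  Reads the CapEff mask from /proc/<pid>/status."""
import os

CAP_SYS_RAWIO = 17  # bit index from linux/capability.h

# Constructed sample of a /proc/<pid>/status excerpt (root, all caps)
SAMPLE_STATUS = """Name:\tsensord
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
"""


def parse_status(text):
    """Return {field: value} for the 'Key:\\tvalue' lines of a status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(capeff_hex, cap_bit):
    """True if capability bit `cap_bit` is set in a CapEff hex mask."""
    return bool((int(capeff_hex, 16) >> cap_bit) & 1)


def rawio_holders(proc_root="/proc"):
    """Return [(pid, name)] for processes whose CapEff includes CAP_SYS_RAWIO."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                fields = parse_status(fh.read())
        except OSError:
            continue  # process exited or status not readable
        if has_cap(fields.get("CapEff", "0"), CAP_SYS_RAWIO):
            found.append((int(entry), fields.get("Name", "?")))
    return found


if __name__ == "__main__":
    for pid, name in rawio_holders():
        print(f"{pid}\t{name}\tCAP_SYS_RAWIO")
```

On a box where everything runs as root with a full capability set, the output is simply every process, which is the exposure itself rather than a false positive.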
