System Management Mode attack

Posted: Fri 09 Sep 2011, 12:49
by Dave_G
http://www.securityfocus.com/columnists/402
SMM stands for System Management Mode. System Management mode is one of the four modes of operation of most x86 processors (Intel Xeon, Intel Pentium, or AMD Athlon for instance). Modern operating systems (such as Linux, BSD, or Windows) run in so-called protected mode. In protected mode, 4 different processor privilege levels (also called rings) are available, ring 0 being the most privileged one and ring 3 the least privileged one. Kernels of operating systems run in ring 0 whereas userspace code runs in ring 3. The set of operations available to ring 3 code is restricted by hardware-enforced security mechanisms such as segmentation, paging, and I/O privilege restrictions. A few security-critical assembly language instructions are also restricted to ring 0 operation. Most software security techniques (PaX on Linux, W^X on OpenBSD, and so on) heavily rely upon protected mode enforced mechanisms. On the contrary, System Management Mode is a 16-bit mode of operation dedicated to system maintenance. Code running in System Management Mode is running with full privileges on the system (free access to physical memory and to peripheral devices). Protected mode security mechanisms (paging, segmentation, rings, ...) are not enforced while in System Management Mode.

Posted: Fri 09 Sep 2011, 13:43
by Flash
Big deal. Puppy runs in root anyway. I just assume Puppy is allowed to do anything the CPU is capable of.

I run Puppy from a multisession DVD in a computer that has no hard disk drive. If my Puppy does become the victim of an attack that gets saved to the DVD, it's relatively easy to isolate the infected session. Unlike what happens when a hard disk install is infected.

Posted: Fri 09 Sep 2011, 13:47
by Dave_G
"Big deal?"
A bit dismissive don't you think?

The fact that Puppy (or any other distro/OS) runs in root is not the point.
The point is that Linux is normally considered relatively safe from "hacks".
This article simply points out that there are potentially more ways than
first meets the eye for a malicious user/app to get full access.

What makes things worse is that SMM vulnerabilities would be completely
invisible to the OS, rather a big deal.

Posted: Fri 09 Sep 2011, 13:56
by nooby
Dave to me it is a big deal. I care about it very much.
But I know too little and have no idea how to find out.

So what do you suggest that we do now when we know?

Posted: Fri 09 Sep 2011, 14:14
by Dave_G
Nooby, I don't know exactly what could be done but at least knowing
about it is a start.

I do suspect that SMM will have more than one vulnerability.
Consider this scenario: you try to load Puppy or another OS on your PC
and you get some boot problems and opt to include the boot time option
of switching off ACPI (quite common for some motherboards).

Then along comes an app that executes the following code:

mov eax,101     ; syscall number 101 (ioperm on 32-bit Linux)
mov ebx,00B2h   ; first I/O port to request
mov ecx,1       ; number of ports
mov edx,1       ; enable access
int 80h         ; Linux system call

mov al, 0A0h    ; value to write
mov dx, 00B2h   ; port 0xB2

out dx,al       ; write the byte to the port

So what is happening?
You have told your OS to ignore ACPI, so now when say your temperature
sensor sees that your CPU is getting too hot, it generates an ACPI interrupt,
an SMI which ACPI would normally send to your OS to switch on the fan.
But in the code above you have told ACPI that your OS would take care
of things like that but in reality it's not true so your CPU gets hotter and
hotter as the fan never comes on until your CPU goes up in smoke.

A very big deal indeed.

Posted: Fri 09 Sep 2011, 17:25
by nooby
It is that bad ... So sure it is good that we know, but we have to find people that know what to do then? Some clues?

Posted: Fri 09 Sep 2011, 17:38
by Dave_G
Nooby,

Don't get too scared now, get yourself a nice glass of gin/whiskey/rum/beer
(take your pick) and take a few deep breaths. :-)

Yes the threat is very real, however there are plenty of others too.
The only reason I highlighted the SMM vulnerabilities is that they are often
overlooked compared to others.

For a long time now, Linux users tend to be more lax about getting
a "nasty" thinking that it's mainly reserved for users of that "other" O.S.
Well things are changing and we all need to be more cautious but not
get too paranoid about it.

Also keep in mind that the simple code that I presented will only work
under certain conditions and the fact that it would be running under
user-space would make it rather easy to detect if you catch it in time.
It does however pose a threat and shows another possible "backdoor"
to SMM.

I can hardly wait until EFI becomes more commonplace, :( since it will
use a platform independent byte code meaning that the threats will now
become even more O.S. independent.
Believe me back doors will be found (if they haven't already) in EFI.

Dave.
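Dave's point that user-space code of this kind is easy to detect can be made concrete from the defender's side. The following is an added example, not code from the thread: it assumes auditd is logging the raw-port-access syscalls (e.g. a rule such as `auditctl -a always,exit -F arch=b32 -S ioperm -S iopl -k ioport`, plus the same for arch=b64) and flags any SYSCALL record whose ioperm request covers port 0xB2, the port the snippet above writes to, or any iopl call, which grants every port at once. The log lines are constructed samples.

```python
import re

# Linux syscall numbers for the raw-port-access calls (i386 and x86_64 tables).
PORT_SYSCALLS = {
    ("40000003", 101): "ioperm",  # i386 ioperm(from, num, turn_on)
    ("40000003", 110): "iopl",    # i386 iopl(level)
    ("c000003e", 173): "ioperm",  # x86_64 ioperm
    ("c000003e", 172): "iopl",    # x86_64 iopl
}
SMI_CMD_PORT = 0xB2  # the port the thread's snippet writes to

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one auditd record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def check_record(fields):
    """Return a finding string for a suspicious port-access request, else None."""
    if fields.get("type") != "SYSCALL":
        return None
    name = PORT_SYSCALLS.get((fields.get("arch"), int(fields.get("syscall", -1))))
    if name is None:
        return None
    comm, pid = fields.get("comm", "?"), fields.get("pid", "?")
    if name == "iopl":
        level = int(fields.get("a0", "0"), 16)  # audit logs a0..a3 in hex
        return f"pid={pid} comm={comm}: iopl(level={level}) grants all ports"
    start = int(fields.get("a0", "0"), 16)   # ioperm: from
    num = int(fields.get("a1", "0"), 16)     # ioperm: num
    turn_on = int(fields.get("a2", "0"), 16) # ioperm: turn_on
    if turn_on and start <= SMI_CMD_PORT < start + num:
        return f"pid={pid} comm={comm}: ioperm enables port 0x{SMI_CMD_PORT:X}"
    return None

def scan(lines):
    """Run every record through check_record and keep the findings."""
    return [f for f in (check_record(parse_audit_line(l)) for l in lines) if f]

# Constructed sample records: one ioperm on 0xB2, one benign serial-port ioperm,
# one iopl(3) on x86_64, and one unrelated write() syscall.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1315571400.101:11): arch=40000003 syscall=101 success=yes exit=0 a0=b2 a1=1 a2=1 a3=0 pid=4242 uid=0 comm="smitest" exe="/tmp/smitest" key="ioport"',
    'type=SYSCALL msg=audit(1315571400.102:12): arch=40000003 syscall=101 success=yes exit=0 a0=3f8 a1=8 a2=1 a3=0 pid=4300 uid=0 comm="setserial" exe="/bin/setserial" key="ioport"',
    'type=SYSCALL msg=audit(1315571400.103:13): arch=c000003e syscall=172 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 pid=4400 uid=0 comm="hwpoke" exe="/tmp/hwpoke" key="ioport"',
    'type=SYSCALL msg=audit(1315571400.104:14): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=7f00 a2=5 a3=0 pid=1 uid=0 comm="init" exe="/sbin/init"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```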