
SANS ISC Diary: Stealthier than an MBR rootkit, more powerful than ring 0 control: it's the soon-to-be-developed SMM rootkit.



Joanna Rutkowska, founder and CEO of Invisible Things Lab, and Rafal Wojtczuk have released a paper on attacking SMM memory via Intel CPU cache poisoning. They did not release an SMM rootkit, as some people claimed they would; what was released includes "totally harmless" shellcode, according to Ms Rutkowska's blog. The paper is here:
http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

“System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2" as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".”

The paper goes on to explain how the protection of SMM can be trivially circumvented, in just over half a page of text that ends with “And that's it!” In short: an attacker already running in ring 0 reprograms the CPU's MTRRs so that the SMRAM region is marked write-back cacheable, writes shellcode to SMRAM addresses (the chipset keeps the write from reaching DRAM, but it lands in the CPU cache), and then triggers an SMI; the CPU fetches the SMI handler from the poisoned cache lines and executes the attacker's code in SMM. The hardware fix is the SMRR (System Management Range Register) mechanism, which makes the SMRAM range uncacheable for code outside SMM; it only helps on CPUs that have SMRRs and whose firmware actually programs them.
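The following is an added example, not code from this diary, from the ITL paper or from Invisible Things Lab. It models the register state that decides whether the attack can work: the variable-range MTRRs that give SMRAM its memory type for non-SMM code, and the SMRR that overrides them. The register bit layouts follow the Intel SDM volume 3; the TSEG address 0x7F000000, the MSR values and the function names are constructed for illustration and are not read from a real machine (doing that needs rdmsr in ring 0).

```c
/* Added example: decode the Intel MTRR/SMRR state that decides whether the
 * SMRAM range is cacheable for code running outside SMM, i.e. whether a
 * ring 0 write can poison the cache line the SMI handler will execute.
 * Bit layouts per Intel SDM vol. 3; all MSR values are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { MT_UC = 0, MT_WC = 1, MT_WT = 4, MT_WP = 5, MT_WB = 6 };

#define MTRRCAP_SMRR     (1ull << 11)  /* IA32_MTRRCAP: CPU supports SMRR */
#define MASK_VALID       (1ull << 11)  /* IA32_MTRR_PHYSMASKn / IA32_SMRR_PHYSMASK */
#define DEF_TYPE_ENABLE  (1ull << 11)  /* IA32_MTRR_DEF_TYPE: MTRRs enabled */
#define PHYS_BITS        0x000FFFFFFFFFF000ull  /* address field, bits 51:12 */

struct var_mtrr { uint64_t physbase, physmask; };

struct cpu_state {
    uint64_t mtrrcap, def_type;
    struct var_mtrr var[8];
    int nvar;
    uint64_t smrr_physbase, smrr_physmask;
};

static bool range_hits(uint64_t base, uint64_t mask, uint64_t addr)
{
    if (!(mask & MASK_VALID)) return false;
    uint64_t m = mask & PHYS_BITS;
    return (addr & m) == (base & m);
}

/* Effective memory type from the variable-range MTRRs using the SDM overlap
 * rules (UC beats everything; WT beats WB). Fixed-range MTRRs only cover the
 * first 1 MiB and are ignored: this models a TSEG-style SMRAM above 1 MiB. */
unsigned mtrr_type(const struct cpu_state *s, uint64_t addr)
{
    if (!(s->def_type & DEF_TYPE_ENABLE)) return MT_UC;
    bool uc = false, wt = false, wb = false, hit = false;
    unsigned last = MT_UC;
    for (int i = 0; i < s->nvar; i++) {
        if (!range_hits(s->var[i].physbase, s->var[i].physmask, addr)) continue;
        last = (unsigned)(s->var[i].physbase & 0xff);
        hit = true;
        uc |= (last == MT_UC); wt |= (last == MT_WT); wb |= (last == MT_WB);
    }
    if (!hit) return (unsigned)(s->def_type & 0xff);
    if (uc) return MT_UC;
    if (wt && wb) return MT_WT;
    return last;
}

/* True when a non-SMM write to addr is absorbed by the cache as write-back
 * data, i.e. SMRAM at addr can be poisoned. A valid SMRR covering addr forces
 * non-SMM accesses to UC regardless of the MTRRs; that is the hardware fix. */
bool smram_poisonable(const struct cpu_state *s, uint64_t addr)
{
    if ((s->mtrrcap & MTRRCAP_SMRR) &&
        range_hits(s->smrr_physbase, s->smrr_physmask, addr))
        return false;
    return mtrr_type(s, addr) == MT_WB;
}

/* Constructed scenario: 1 MiB TSEG at 0x7F000000, MTRR0 maps 0..2 GiB as WB
 * (the common "all DRAM is write-back" layout), CPU without SMRR. */
#define TSEG_BASE 0x7F000000ull

struct cpu_state legacy_state(void)
{
    struct cpu_state s = {0};
    s.mtrrcap  = 8;                                     /* VCNT = 8, no SMRR */
    s.def_type = DEF_TYPE_ENABLE | MT_UC;
    s.var[0].physbase = 0x0ull | MT_WB;
    s.var[0].physmask = 0x000FFFFF80000000ull | MASK_VALID;  /* 2 GiB range */
    s.nvar = 1;
    return s;
}

/* Same machine, but the CPU has SMRR and firmware programmed it over TSEG. */
struct cpu_state smrr_state(void)
{
    struct cpu_state s = legacy_state();
    s.mtrrcap |= MTRRCAP_SMRR;
    s.smrr_physbase = TSEG_BASE | MT_WB;          /* WB applies inside SMM only */
    s.smrr_physmask = 0xFFF00000ull | MASK_VALID; /* 1 MiB range */
    return s;
}

/* SMRR supported by the CPU but never enabled by firmware: still exposed. */
struct cpu_state smrr_unprogrammed_state(void)
{
    struct cpu_state s = smrr_state();
    s.smrr_physmask = 0;                          /* valid bit clear */
    return s;
}

int main(void)
{
    struct cpu_state a = legacy_state(), b = smrr_state(), c = smrr_unprogrammed_state();
    printf("no SMRR support:       poisonable=%d\n", smram_poisonable(&a, TSEG_BASE));
    printf("SMRR programmed:       poisonable=%d\n", smram_poisonable(&b, TSEG_BASE));
    printf("SMRR cap, not enabled: poisonable=%d\n", smram_poisonable(&c, TSEG_BASE));
    return 0;
}
```

The third scenario is the one worth checking on real hardware: a CPU that reports SMRR in IA32_MTRRCAP is not protected unless the firmware also set the valid bit in IA32_SMRR_PHYSMASK over the whole SMRAM range.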

A talk on this topic was given today at CanSecWest by Loic Duflot of SGDN/DCSSI (the French Central Directorate of Information Systems Security): http://cansecwest.com/agenda.html
 

donald, ISC Handler
