Joanna Rutkowska and Loic Duflot have simultaneously disclosed details
of vulnerabilities in Intel's caching mechanisms, which permit the
injection of code into the System Management Mode and ultimately the
placing of a virtually invisible rootkit.

"System Management Mode (SMM) is a relatively obscure mode on Intel
processors used for low-level hardware control", explain Embleton,
Sparks and Zou in a paper on SMM rootkits that's well worth reading.
"It has its own private memory space [SMRAM], and execution
environment which is generally invisible to code running outside
[it.]" By poisoning the cache of the CPU, Rutkowska can successfully
inject her own code, which then runs with maximum privileges, while
remaining invisible to the operating system and applications.

She provides a harmless "proof of concept" exploit that she claims
works on Intel's DQ35 board, among others. Embleton, Sparks and Zou
demonstrate what a genuine SMM rootkit could look like. Not much more
is known about Duflot's presentation at CanSecWest, other than the
title, "Getting into the SMRAM: SMM Reloaded".

Despite the far-reaching consequences of such SMM rootkits, there's no
need to panic. Fortunately, only theoretical concepts and a few
conceptual studies for laboratory environments have so far been heard
of. Nothing of the kind has yet been observed in the wild as a part of
malicious software.

Source: 
http://www.h-online.com/security/Attacks-on-Intel-s-System-Management-Mode--/news/112903
