Researcher Exploits 18-Year-Old Design Flaw To Compromise X86 Chips
jfruh writes: Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they too rely on the SMM to be secure.
Design flaw my ass. I bet it was there deliberately and everybody knows who originally requested it. I just love the good ol US of A.
System Management Mode is a feature. It's meant to render separate processors unnecessary for tasks like temperature management and system-specific keyboard shortcuts. These functions need to work even if an unsupported or no operating system is running. Consequently SMM behaves almost like a separate processor. That's not a flaw, that's necessarily so.
The problem isn't SMM per se. It's that there is no way to be sure what code is executing in SMM, because there is no way to guarantee which firmware the system is running. Basic firmware should be in ROM (not flash: Read Only Memory), and it should only do one thing: load the actual firmware from a removable medium, like a micro SD card. With all writable storage in the system accessible to external inspection, there would at least be a chance to find and reliably remove infections.
The article is (as expected) light on details since this is newly disclosed. I've had machines where the BIOS would require confirmation from a connected PS/2 keyboard before certain changes were written. Added a need for physical access in order to write anything to SMM. All the terms have changed but it seems the same principle here. If I can update the firmware, I can keep a machine compromised forever.
In the talk he said it was Sandy Bridge and older. Ivy Bridge/Haswell/Broadwell/Skylake are not affected. Ivy Bridge was apparently released in 2012 - https://en.wikipedia.org/wiki/... But 1997-2012 is still a decent window of time. In the talk he also said that it's un-patchable (it's not: the SMI handler can check whether the APIC overlaps the SMM range and change it). He also said SMM controls every instruction from the boot. It doesn't. Maybe on the crappy Acer netbooks that he said he was using for tests. But on enterprise grade systems from Dell, Lenovo, or HP, they use "protected range registers" to stop SMM from being able to write to the code in the firmware. It's a good find, but he's got a lot to learn about firmware still.
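As an added illustration of the mitigation the comment above mentions (this is constructed example code, not Domas's code and not any vendor's SMI handler): decode the IA32_APIC_BASE MSR, test whether the 4 KiB xAPIC register page intersects the SMRAM range, and compute the value a handler would write back to move the APIC to its architectural default. It assumes a 36-bit physical address space and models the MSR as a plain value passed in, so the logic runs in user space; a real handler would read and write the MSR with rdmsr/wrmsr on SMI entry.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not firmware code: the MSR is a plain argument here. */
#define IA32_APIC_BASE_MSR   0x1BULL                 /* MSR index (real) */
#define APIC_BASE_DEFAULT    0xFEE00000ULL           /* architectural reset value */
#define APIC_WINDOW_SIZE     0x1000ULL               /* xAPIC MMIO register page */
#define APIC_BASE_ADDR_MASK  0x0000000FFFFFF000ULL   /* bits 35:12; assumes 36-bit MAXPHYADDR */

/* Physical address of the xAPIC register page encoded in IA32_APIC_BASE. */
static uint64_t apic_base_from_msr(uint64_t msr) {
    return msr & APIC_BASE_ADDR_MASK;
}

/* True if the APIC page [a_lo, a_hi) intersects SMRAM [smram_base, smram_base+size).
 * Half-open intervals: a page that ends exactly where SMRAM starts does not overlap. */
bool apic_overlaps_smram(uint64_t apic_base_msr, uint64_t smram_base, uint64_t smram_size) {
    uint64_t a_lo = apic_base_from_msr(apic_base_msr);
    uint64_t a_hi = a_lo + APIC_WINDOW_SIZE;
    uint64_t s_hi = smram_base + smram_size;
    return a_lo < s_hi && smram_base < a_hi;
}

/* Value the SMI handler would write back: flag bits (enable, BSP, ...) are kept,
 * the base is moved to the default. Unchanged when there is no overlap. */
uint64_t sanitize_apic_base(uint64_t apic_base_msr, uint64_t smram_base, uint64_t smram_size) {
    if (!apic_overlaps_smram(apic_base_msr, smram_base, smram_size))
        return apic_base_msr;
    return (apic_base_msr & ~APIC_BASE_ADDR_MASK) | APIC_BASE_DEFAULT;
}

int main(void) {
    /* Constructed SMRAM window: an 8 MiB TSEG at 0x7F000000 (not a real system's values). */
    uint64_t tseg_base = 0x7F000000ULL, tseg_size = 8ULL << 20;
    uint64_t flags  = (1ULL << 11) | (1ULL << 8);        /* APIC global enable + BSP */
    uint64_t normal = APIC_BASE_DEFAULT | flags;         /* default placement */
    uint64_t moved  = 0x7F400000ULL | flags;             /* base relocated inside TSEG */
    printf("default placement overlaps SMRAM: %d\n", apic_overlaps_smram(normal, tseg_base, tseg_size));
    printf("relocated placement overlaps SMRAM: %d, handler restores 0x%" PRIx64 "\n",
           apic_overlaps_smram(moved, tseg_base, tseg_size),
           sanitize_apic_base(moved, tseg_base, tseg_size));
    return 0;
}
```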
Simple way to avoid the problem on Macs... don't load Boot Camp, and you won't have SMM on the systems you load under Boot Camp.
Mac OS X itself doesn't use SMM. Instead, it uses a PE (Platform Expert) module that is loaded as part of the OS, which knows in detail about the hardware platform it's going to be running on. Without Boot Camp, there's not even ACPI support, since power management is implemented in a much more discrete level of steps than the 4 which ACPI provides.