New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, known as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (e.g., hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set of range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.
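An added defensive check, not code from the ZDNet summary or from Eclypsium: the SMRRs the summary mentions are a pair of model-specific registers, and someone auditing a host can decode them to confirm that SMRAM is at least protected against ordinary, non-speculative reads from ring 0. The example is written in Python; the MSR numbers and bit layout are assumed from the Intel SDM description of the SMRR interface, reading `/dev/cpu/N/msr` on Linux requires root and the `msr` kernel module, and the sample register values are constructed. Keep the scope in mind: a valid SMRR is the baseline that the research above shows can be bypassed speculatively, so this check verifies a precondition, not a mitigation for the attack.

```python
"""Decode Intel SMRR (System Management Range Register) MSRs.

Added example, not code from the Slashdot summary or from Eclypsium.
Register layout assumed from the Intel SDM, Vol. 3 ("SMRR Interface"):
  IA32_SMRR_PHYSBASE (MSR 0x1F2): bits 7:0 memory type, bits 31:12 PhysBase
  IA32_SMRR_PHYSMASK (MSR 0x1F3): bit 11 Valid,         bits 31:12 PhysMask
"""
import os

IA32_SMRR_PHYSBASE = 0x1F2
IA32_SMRR_PHYSMASK = 0x1F3
SMRR_VALID_BIT = 1 << 11
RANGE_MASK = 0xFFFFF000          # bits 31:12 of either register

MEMORY_TYPES = {0: "UC", 1: "WC", 4: "WT", 5: "WP", 6: "WB"}


def decode_smrr(physbase: int, physmask: int) -> dict:
    """Turn the raw MSR values into base, size, memory type and validity."""
    valid = bool(physmask & SMRR_VALID_BIT)
    base = physbase & RANGE_MASK
    mask = physmask & RANGE_MASK
    # As with variable MTRRs, PhysMask selects the address bits that must
    # equal PhysBase; for a contiguous mask the covered region is a power
    # of two whose size equals the number of addresses the mask ignores.
    size = ((~mask) & 0xFFFFFFFF) + 1 if valid else 0
    mem_type = physbase & 0xFF
    return {
        "valid": valid,
        "base": base,
        "size": size,
        "mem_type": MEMORY_TYPES.get(mem_type, "reserved(%d)" % mem_type),
    }


def check_smrr(physbase: int, physmask: int) -> list:
    """Return audit findings; an empty list means SMRAM is range-protected."""
    info = decode_smrr(physbase, physmask)
    findings = []
    if not info["valid"]:
        findings.append("SMRR not valid: SMRAM is readable by any ring-0 code, "
                        "no speculative-execution trick needed")
        return findings
    if info["mem_type"] != "WB":
        # Heuristic: firmware typically maps TSEG write-back; anything else is worth a look.
        findings.append("SMRR memory type %s (firmware typically sets WB)" % info["mem_type"])
    return findings


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read one MSR through the Linux msr driver (needs root and `modprobe msr`)."""
    fd = os.open("/dev/cpu/%d/msr" % cpu, os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, msr), "little")
    finally:
        os.close(fd)


if __name__ == "__main__":
    try:
        base, mask = read_msr(IA32_SMRR_PHYSBASE), read_msr(IA32_SMRR_PHYSMASK)
    except OSError:
        # Constructed sample values: an 8 MiB write-back TSEG at 0x7F800000.
        base, mask = 0x7F800006, 0xFF800800
    info = decode_smrr(base, mask)
    print("SMRR valid=%s base=0x%08x size=0x%x type=%s"
          % (info["valid"], info["base"], info["size"], info["mem_type"]))
    for finding in check_smrr(base, mask) or ["no findings"]:
        print(" -", finding)
```

Run as root on a Linux host with the `msr` module loaded to see the live registers; without that access (or on a CPU that does not implement SMRR, where the read fails with EIO) the script falls back to the constructed sample. The open-source CHIPSEC framework, which Bulygin originally created at Intel, performs this same kind of register audit as part of a broader firmware check.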

  1. Too bad by 110010001000 · · Score: 3, Insightful

    Too bad this guy didn't do his job when he was at Intel.

    1. Re:Too bad by Anonymous Coward · · Score: 1

      If processors were open source, at least Intel could have said: "you should have read our VHDL code". Instead though, Intel is paying the price for being closed source.

    2. Re:Too bad by PolygamousRanchKid+ · · Score: 4, Insightful

      Too bad this guy didn't do his job when he was at Intel.

      Well, he could do us all a big favor and tell us what the Intel Management Engine is really doing . . . ?

      Of course, he can't because he probably signed some kind of non-disclosure agreement and would be killed by NSA operatives.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    3. Re:Too bad by Anonymous Coward · · Score: 0

      If he did at Intel, you wouldn't hear about it.

    4. Re:Too bad by Anonymous Coward · · Score: 1

      Actually, this is good.
      1) It will set back Intels 'fixes' many many months, if ever
      2) The new, fixed CPU's on the drawing board will need refactoring
      3) Extra pins for hardware jumpers may come back
      4) Register testing will have to be performed (I presume it never was)
      5) Future contract spreads will have to be changed for a new release date
      6) Intels silence in not coming clean means more bad stuff in the pipeline.

      Intel is desperate to roll out a fully fixed CPU that will give it an Apple like boost to its fortunes upon release. In the meantime, people will be breaking SMM and BIOSes all over the place, maybe even recovering keys for mil level encrypted disk drives and phones

      The real question is WHO decided to take hideous shortcuts at Intel, and surely override engineer protests. If it was to please some three letter agency, well reputational damages is knocking on the stock exchange. Sure the PR spent so far has worked. The prediction that such truthiods and QA defects would not be noticed, has come early.

      AMD need not snicker, Intels 'help' has dropped them in it too. Every voting box, every US carrier can be nixed by just a usb stick. terrific.

    5. Re:Too bad by thegarbz · · Score: 1

      Just because a guy does a job doesn't mean that he knows everything there is about the job always and instantly. If it did then we would need this thing called "research".

    6. Re: Too bad by Anonymous Coward · · Score: 2, Insightful

      "Many eyes make all bugs shallow."

      False.

      OpenSSH was open source, and it fell foul of some nasty bugs. Open source is no panacea and it's dangerous to suggest otherwise. It leads to a false sense of security. You assume someone is watching when, in fact, no-one is watching.

      It's still better than closed source, but it won't save your ass.

    7. Re:Too bad by Anonymous Coward · · Score: 0

      >would be killed by NSA operatives.
      I think you mean Mossad.

    8. Re:Too bad by Anonymous Coward · · Score: 0

      Israel Inside. It's always the jews.

    9. Re: Too bad by Anonymous Coward · · Score: 0

      That is not the benefit of open source.
      The benefit is it can actually be changed quickly.

    10. Re: Too bad by Anonymous Coward · · Score: 0

      OpenSSL. It kind of invalidates anything you have said when you cannot get the basics right.

    11. Re: Too bad by Anonymous Coward · · Score: 0

      Yet somehow someone modded him up.

    12. Re: Too bad by Anonymous Coward · · Score: 0

      Factually incorrect, not insightful.
      Bugs can not be shallow until they are found. "Many eyes makes all bugs shallow" alludes to the fixing of bugs, not the non-creation of them.

      It may be that it doesn't save your ass, but it at least has the possibility to do it, and probably frequently does so without you even knowing it.

    13. Re:Too bad by Anonymous Coward · · Score: 0

      If only the world was that simple. Satan has many children.

  2. Oh Intel enginerrs by bobstreo · · Score: 3, Funny

    thanks for the gift that keeps giving, and won't ever be fixed for so many users,,, /s

  3. dafuq? by Snotnose · · Score: 5, Insightful

    I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

    I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.

    How fucked up have we become that this is the norm?

    1. Re:dafuq? by Snotnose · · Score: 1, Offtopic

      Trump epitomizes what is wrong with the USA today. Form a company, build a building with all the tax breaks and subsidies you can, suck as much cash out of it as you can, declare bankruptcy, leaving all the other investors holding the bag while you walk away with the money. Lather, rinse, repeat.

      Fuck the dems for all eternity for running the one person America hates more than Trump.

    2. Re:dafuq? by AHuxley · · Score: 1

      Re "have we become that this is the norm?"
      Issues with crypto and hardware? 1920-30's would have been the start and global radio network collect it all.
      1945 with the results of Enigma like real time decryption would have seen the need to control all advanced crypto sold for embassy and commercial use after WW2.
      Every message to/from any French embassy in the 1950's in plain text in real time.
      Any early advanced computer system, communications, crypto product on sale in the West would have been defective by design and leaked plain text from the 1950's into the 1970's.
      Early 1980's would have seen the need for the GCHQ to be all over every new computer and digital network in/out of Ireland. The NSA all over every CPU like chip design "copied" by the Soviet Union, East Germany.
      Follow the need to spy and the defective Western hardware is on sale, at a low cost and very easy to export.

      Set standards so every commercial system sold for decades is 100% 'ready' for NSA, GCHQ collection methods.
      The other stand out network at that time was South African. South African mil communications system had to stay 100% secure for decades given constant Soviet, East German, Cuban spying.
      PRISM and BULLRUN https://en.wikipedia.org/wiki/... then fills out ideas surrounding this generations collect it all.
      Enjoy that secure VPN that offers 110% security :)

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:dafuq? by bobstreo · · Score: 2

      I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

      I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.

      How fucked up have we become that this is the norm?

      Companies follow a standard trajectory now.

      Start with a couple people with an innovative idea.

      Get funding to make your dream come true.

      Get forced to hire "business" people who have never had an original idea.

      Either be forced out, bought out, or sold off to some nameless faceless company (yahoo?)

      See your dream idea turned into something nobody wants anymore.

      (sometimes there is a Profit step, but it's probably going to be at the cost of what's left of your soul)

    4. Re:dafuq? by Anonymous Coward · · Score: 0

      It's the managerial class, helping itself at our expense. See this writeup by George Orwell.

      Capitalism is disappearing, but Socialism is not replacing it. What is now arising is a new kind of planned, centralised society which will be neither capitalist nor, in any accepted sense of the word, democratic. The rulers of this new society will be the people who effectively control the means of production: that is, business executives, technicians, bureaucrats and soldiers, lumped together by Burnham, under the name of 'managers'. These people will eliminate the old capitalist class, crush the working class, and so organise society that all power and economic privilege remain in their own hands.

    5. Re:dafuq? by Anonymous Coward · · Score: 0

      I occasionally see reference to this obscure country, but haven't yet found it on a map. Is Dafuq anywhere near Kahndaq?

    6. Re: dafuq? by negRo_slim · · Score: 0

      He's in your head rent free and it's hilarious.

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
    7. Re:dafuq? by thegarbz · · Score: 2

      I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

      This is literally what the entire consulting industry does. I've seen countless people leave companies only to form consultancies and bill themselves back to the companies they left at triple the price to fix the problems they were never able to.

      The irony is that this is supported by upper management who don't listen to employees bitching and moaning, but are all to happy to listen to someone after they ask for their opinion with a wheelbarrow full of money.

    8. Re:dafuq? by Bongo · · Score: 1

      Alas, the edict “go fuck yourself”, no longer means what it used to.
       

    9. Re: dafuq? by Anonymous Coward · · Score: 0

      ðYZ...

    10. Re:dafuq? by ThomasD3 · · Score: 2

      "Fuck the dems for all eternity for running the one person America hates more than Trump." : I wish I could upvote this. This one sentence summarizes everything.

    11. Re: dafuq? by Anonymous Coward · · Score: 0

      And it's hilarious that a significant portion of the electorate will vote Trump in 2020 due in large part to the hyperbolic behavior of Snotnose, his political party, and their media adjuncts. Well-done Progressives, well-done.

    12. Re:dafuq? by raftpeople · · Score: 1

      In fairness to the Intel engineers, many of the same flaws affect IBM Power, IBM Z, ARM, Sparc (v9), some AMD, Apple processors, VIA processors, etc.

      In addition, the flaw was subtle enough to exist for something like 10 to 20 years before anyone spotted it.

    13. Re: dafuq? by Anonymous Coward · · Score: 0

      I think it's next to Wakanda.

      DaFuq, Wakanda shit is that?

    14. Re:dafuq? by epine · · Score: 1

      This is literally what the entire consulting industry does. I've seen countless people leave companies only to form consultancies and bill themselves back to the companies they left at triple the price to fix the problems they were never able to.

      You need to be somewhat naive about human interpersonal behaviour to find any of this surprising in the first place.

      The best way to stay naive is to view the world through a "management is stupid" filter. (Really? This would, by itself, negate half the theory of efficient capital markets.)

      The best way to become less naive is to view the world through a "management isn't stupid, but what they are doing sure doesn't solve what I thought was the problem in a direct way, so they must actually be solving a different problem".

      Organizations have a lot of path dependence. It often matters far less whether the idea is right than who proposed it in the first place (and therefore, what the political trajectory of the idea implies for future promotions, performance bonuses, and downside survival chits).

      "Management is stupid" is the sound that a thirsty horse makes standing beside a Theory of Mind drinking pond (aka cognitive empathy) it couldn't possibly deign to touch.

    15. Re: dafuq? by Anonymous Coward · · Score: 0

      And it's hilarious that a significant portion of the electorate will vote Trump in 2020 due in large part to the hyperbolic behavior of Snotnose, his political party, and their media adjuncts. Well-done Progressives, well-done.

      Yeah, it's the progressive's fault for being so horrible (meanwhile we'll ignore the conservatives committing much worse offences, because we have a blind spot since they're "our" lizards. Ha!).

    16. Re:dafuq? by Anonymous Coward · · Score: 0

      Making fuckups great again!

      Nation of losers

    17. Re:dafuq? by thegarbz · · Score: 1

      Management isn't stupid.
      Management is stupid.

      The first being the noun describing people in management positions.
      The second being the noun describing the process created around the organisational structure.

  4. Coreboot: Intel should come clean by Anonymous Coward · · Score: 0

    The family's house was between the mountains and the sea where baskets of apples and drying herbs on the porch mingled their scents with those of the neighboring pine woods.

  5. Message received and acknowledged. by Anonymous Coward · · Score: 0

    Seascape portrait of the woman child cavern of the soul. Under pressure-heat ratio ides of evolutions have buried their fears. Mists of dreams drip along the nascent echo and love no more.

  6. Too bad AMD,ARM. by Anonymous Coward · · Score: 0

    AMD and ARM fucked up as well since they have Spectre, while Meltdown is Intel's own personal bit of hell.

  7. Flawed article / story by Hallux-F-Sinister · · Score: 4, Interesting

    You kinda forgot an important detail for your readers:

    IS THIS A REMOTE EXPLOIT? Can someone use this to hack into a computer without physical access to it? If the attacker has to be in the same room with the computer, it is a very different story from "attacker needs no access to terminal, and all internet-connected machines are susceptible and as of this writing, are unpatched."

    Because in the first case, "oh, that's interesting, I hope they fix that soon..." and in the second, "HOLY FUCK! UNPLUG EVERYTHING FROM THE INTERWEBZ NAOW!!!

    So... which is it? Should I be mildly concerned, or should I break the glass, and punch the big red button that trips the circuit-breaker that kills all my internet-linked equipment? Or did it already mention which and I just missed it somehow?

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:Flawed article / story by jabuzz · · Score: 2

      You need ability to run specific code in ring 0 (aka the kernel) and this allows you to access memory that in theory the SMM keeps hidden even from ring 0, aka itself. Unless you are in the habit of loading random shit into your kernel this has no practical use for a hacker.

      Further the issue with this is that you have been able to read arbitrary memory on the system for around the last 20 fucking years if you have the privilege to read from port 0xb2 via the delights of the SMM itself. This is just grandstanding like the hacks against AMD that involved loading hacked firmware onto the system.

      It's an Intel/Microsoft/Toshiba thing that originally was for being able to fiddle with things like fans, backlights etc. on laptops. Came in around about the time of the Toshiba T1900. All this stuff is now done via ACPI though I believe deep down it's still actually accomplished via SMM. It is at least on a Tecra M5 which is the last time I looked, but this is a 12 year old laptop now, though it was ACPI based rather than APM.

      You can see it in the kernel in the toshiba, thinkpad, a dell driver and possibly others. That toshiba kernel module is mine and it is the first documentation of using the SMM for controlling things outside the likes of Intel/Microsoft and Toshiba as far as I am aware. The thinkpad and other similar drivers built off the top of the knowledge I gained.

      I can still remember being astounded while single stepping through fan.exe in DOS on my Satellite Pro 400CS and seeing a simple "in al,0xb2" change all sorts of registers that should simply not be changing and the fan turning on and off.

      I am not going to detail what values you need to load into what registers to read the arbitrary memory because I think it's better that it's not generally known and because there is no patch.

    2. Re:Flawed article / story by arth1 · · Score: 2

      You kinda forgot an important detail for your readers:

      IS THIS A REMOTE EXPLOIT?

      The summary is pretty clear: they didn't exploit physical access, but had to be "running with kernel-level privileges". So it's obviously not a remote exploit in itself, although other vulnerabilities in an OS and app that allow a remote user to run bespoke code with kernel-level privileges would open up for remote attacks. But if you have holes that big in your system to start with, you're already fucked three ways over from Sunday.

      The main risk here, as I see it, is that it may be used to gain access to encryption keys and similar that don't reside in memory that a superuser normally has access to.

    3. Re:Flawed article / story by Anonymous Coward · · Score: 0

      IS THIS A REMOTE EXPLOIT?

      The other varieties could be exploited from javascript; it doesn't look like this is any different.

      Can someone use this to hack

      This doesn't mean anything.

    4. Re:Flawed article / story by Anonymous Coward · · Score: 1

      I am not going to detail what values you need to load into what registers to read the arbitrary memory because I think it's better that it's not generally known...

      Dipshits like this are the reason there shouldn't be "backdoors" or secret operating modes in hardware or software.

    5. Re:Flawed article / story by Anonymous Coward · · Score: 0

      i'm looking at your verrrrry curious browser history right now ... so you tell me.

    6. Re:Flawed article / story by Anonymous Coward · · Score: 0

      If you are a target, they are already in.

    7. Re: Flawed article / story by Anonymous Coward · · Score: 0

      This. Assume that anything of interest will instantly get assigned more focus. The key is hiding in plain sight and creating enough noise to drown out the clandestine channels.

    8. Re:Flawed article / story by jabuzz · · Score: 1

      Actually if you read the source of the toshiba character driver in the Linux kernel (you might need to pick an older kernel as it may well have been dropped by now) then you will see that I actually block the calls to fiddle with memory. I forgot that it's worse than just being able to read it, you can write it too!!! They also have wacky functions to fiddle with PCI as well.

      These days it's usually done via the ACPI interface using HCI methods but as I said deep down the ACPI code eventually just reads from port 0xb2 to drop the machine into SMM to get the actual work done.

  8. After the javascript engine changes in Chrome/FF.. by Anonymous Coward · · Score: 2, Informative

    It would require breaking the javascript sandbox (since performance counters in javascript now return less fine grained time values) and then hitting the CPU hard so that it can't change clock rates (doable on most modern processors, although you might want to trigger multiple passes across the same memory addresses at different periods just to make sure the values you gathered are either correct or haven't changed, a difference that you as a snooper won't be able to tell which is the cause.)

    Given the browser changes, so long as our browsers are post-performance counter changes, most of us can assume we are safe from casual attack via javascript. However any sandbox breaking or privilege escalating attacks, worms, viruses, or trojans may be able to leverage these techniques for data exfiltration. Anyone running services on a third party VPS or version of Windows should assume either first parties at the behest of, or third parties can snoop on anything on their computer systems thanks to these attacks, including the potential to read areas of memory that will help fingerprint their system or help tailor malware to persistently infect their systems with a high level of reliability via fully automated means. Services like github.com where source code is stored remotely should be assumed as compromisable, which calls a large portion of the software ecosystem into question. While there have been known large public claims of backdooring of code the capability is certainly there and given the size of these codebases and revision control systems it is something to be aware of (although the chances of being detected are also high.)

    Basically this is a huge clusterfuck with an unknown threat profile that may very well turn out to run far deeper under far more software ecosystems than we will care to admit in a few years time.

  9. Self contradiction? by Eunuchswear · · Score: 1

    To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR) ... "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory,"

    An "unprivileged attacker" is "running with kernel-level privileges"?

    --
    Watch this Heartland Institute video
    1. Re:Self contradiction? by Anonymous Coward · · Score: 0

      No contradiction. Any code not signed by Intel (similar in other vendors' tech) is unprivileged. Kernel code is not supposed to have the privilege to break into SMM. Sure, there is lower code with less privilege, but it's not like it is two layers "unprivileged/privileged" anymore, is it? Now it's like "sandboxed/containerized somehow/user code/virtual kernel/hypervisor kernel/some kind of firmware/SMM/who knows what else" with some branches into parallel processors inside peripheral stuff and Spectre, Rowhammer and friends playing rabbit holes and ladders in the ladders and snakes game. There're security rings all the way down, with some key to rule them all and in the darkness bind them (but how would one have a ring without a hole?).
      It's been a few years that having physical access to a machine does not give you full control, because machines are sold prebackdoored and the manufacturer keeps ultimate control (yes, that means the current manufacturer CEO, future owners, their attackers, their governments, eventual defectors and that cute baby/stud one of the said people never thought would take their credentials with her/him).
      If vendors just opened their code, stopped adding layers upon layers of cruft, consumers would stop buying new hardware as if that was good for them or anything, and people would once in a while care or pay for quality, then yes, we could aspire to understand privileged/unprivileged code and things would be simpler.
      As it is your best effort when someone asks who controls a particular device is "who knows? someone else, most likely".

  10. Can we get a full copy of the SMI firmware? by Anonymous Coward · · Score: 0

    I'm sure the QEMU guys would be happy to emulate it, just for completeness' sake.

  11. Not a problem by Anonymous Coward · · Score: 0

    Intel will just invent some other undocumented, super secret, user hostile, ring of "protection" that can be used to manage SMM.

  12. Something good from something bad. by CptLoRes · · Score: 3, Interesting

    Maybe finally we get some insight into the security engine stuff to make it do what we want, instead of what Intel and big corp. in general wants.

    1. Re: Something good from something bad. by Anonymous Coward · · Score: 0

      I wonder if a crowd funded effort to break everything down to the very lowest level would get enough support to be successful. I'd certainly support it and probably most techies with a will to take back control might be interested too.

  13. What else is hiding in the microcode by Anonymous Coward · · Score: 0

    I'm getting sick of hearing about yet more undocumented hidden software secrets in lower and lower levels of hardware. Surely a concerted effort to break everything down to the lowest machine instructions can purge this crap once and for all? Or are all modern processors basically designed to spy on us as their primary function? Hoping the spooks don't have a self-destruct sequence waiting behind all the trapdoors, might have to burn through a few sacrificial chips before regaining control.

  14. typo by epine · · Score: 1

    Append the word "filter" to appropriate sentence.
