Slashdot Mirror


New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, known as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (e.g., hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Registers (SMRR), a set of range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

1 of 60 comments

  1. After the javascript engine changes in Chrome/FF.. by Anonymous Coward · Score: 2, Informative

    It would require breaking the JavaScript sandbox (since performance counters in JavaScript now return less fine-grained time values) and then hitting the CPU hard so that it can't change clock rates (doable on most modern processors, although you might want to trigger multiple passes across the same memory addresses at different periods just to make sure the values you gathered are either correct or haven't changed, a difference that you as a snooper won't be able to tell which is the cause.)

    Given the browser changes, so long as our browsers are post-performance-counter changes, most of us can assume we are safe from casual attack via JavaScript. However, any sandbox-breaking or privilege-escalating attacks, worms, viruses, or trojans may be able to leverage these techniques for data exfiltration. Anyone running services on a third-party VPS or version of Windows should assume either first parties at the behest of, or third parties, can snoop on anything on their computer systems thanks to these attacks, including the potential to read areas of memory that will help fingerprint their system or help tailor malware to persistently infect their systems with a high level of reliability via fully automated means. Services like github.com where source code is stored remotely should be assumed to be compromisable, which calls a large portion of the software ecosystem into question. While there have been known large public claims of backdooring of code, the capability is certainly there and, given the size of these codebases and revision control systems, it is something to be aware of (although the chances of being detected are also high.)

    Basically this is a huge clusterfuck with an unknown threat profile that may very well turn out to run far deeper under far more software ecosystems than we will care to admit in a few years time.