Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)

Posted by BeauHD on from the highly-privileged dept.

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

4 of 60 comments (clear)

  1. Too bad by 110010001000 · · Score: 3, Insightful

    Too bad this guy didn't do his job when he was at Intel.

    1. Re:Too bad by PolygamousRanchKid+ · · Score: 4, Insightful

      Too bad this guy didn't do his job when he was at Intel.

      Well, he could do us all a big favor and tell us what the Intel Management Engine is really doing . . . ?

      Of course, he can't because he probably signed some kind of non-disclosure agreement and would be killed by NSA operatives.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re: Too bad by Anonymous Coward · · Score: 2, Insightful

      "Many eyes make all bugs shallow."

      False.

      OpenSSH was open source, and it fell foul of some nasty bugs. Open source in no panacea and its dangerous to suggest otherwise. It leads to a false sense of security. You assume someone is watching when, in fact, no-one is watching.

      It's still better than closed source, but it won't save your ass.

  2. dafuq? by Snotnose · · Score: 5, Insightful

    I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

    I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet it's numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting,, and making a startup capitalizing on their earlier fuckups.

    How fucked up have we become that this is the norm?