Slashdot Mirror
New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)
Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.
"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.
"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.
You kinda forgot an important detail for your readers:
IS THIS A REMOTE EXPLOIT? Can someone use this to hack into a computer without physical access to it? If the attacker has to be in the same room with the computer, it is a very different story from "attacker needs no access to terminal, and all internet-connected machines are susceptible and as of this writing, are unpatched."
Because in the first case, "oh, that's interesting, I hope they fix that soon..." and in the second, "HOLY FUCK! UNPLUG EVERYTHING FROM THE INTERWEBZ NAOW!!!
So... which is it? Should I be mildly concerned, or should I break the glass, and punch the big red button that trips the circuit-breaker that kills all my internet-linked equipment? Or did it already mention which and I just missed it somehow?
Our reign has gone on long enough. Indeed. Summon the meteors.
Maybe finally we get some insight into the security engine stuff to make it do what we want, instead of what Intel and big corp. in general wants.