Slashdot Mirror


New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, known as System Management Interrupt (SMI) handlers.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (e.g., hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Registers (SMRR), a set of range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

13 of 60 comments

  1. Too bad by 110010001000, Score: 3, Insightful

    Too bad this guy didn't do his job when he was at Intel.

    1. Re:Too bad by PolygamousRanchKid+, Score: 4, Insightful

      Too bad this guy didn't do his job when he was at Intel.

      Well, he could do us all a big favor and tell us what the Intel Management Engine is really doing . . . ?

      Of course, he can't because he probably signed some kind of non-disclosure agreement and would be killed by NSA operatives.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Too bad by Anonymous Coward, Score: 2, Insightful

      "Many eyes make all bugs shallow."

      False.

      OpenSSH was open source, and it fell foul of some nasty bugs. Open source is no panacea and it's dangerous to suggest otherwise. It leads to a false sense of security. You assume someone is watching when, in fact, no-one is watching.

      It's still better than closed source, but it won't save your ass.

  2. Oh Intel enginerrs by bobstreo, Score: 3, Funny

    thanks for the gift that keeps giving, and won't ever be fixed for so many users,,, /s

  3. dafuq? by Snotnose, Score: 5, Insightful

    I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

    I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.

    How fucked up have we become that this is the norm?

    1. Re:dafuq? by bobstreo, Score: 2

      I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

      I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.

      How fucked up have we become that this is the norm?

      Companies follow a standard trajectory now.

      Start with a couple people with an innovative idea.

      Get funding to make your dream come true.

      Get forced to hire "business" people who have never had an original idea.

      Either be forced out, bought out, or sold off to some nameless faceless company (yahoo?)

      See your dream idea turned into something nobody wants anymore.

      (sometimes there is a Profit step, but it's probably going to be at the cost of what's left of your soul)

    2. Re:dafuq? by thegarbz, Score: 2

      I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.

      This is literally what the entire consulting industry does. I've seen countless people leave companies only to form consultancies and bill themselves back to the companies they left at triple the price to fix the problems they were never able to.

      The irony is that this is supported by upper management who don't listen to employees bitching and moaning, but are all too happy to listen to someone after they ask for their opinion with a wheelbarrow full of money.

    3. Re:dafuq? by ThomasD3, Score: 2

      "Fuck the dems for all eternity for running the one person America hates more than Trump." : I wish I could upvote this. This one sentence summarizes everything.

  4. Flawed article / story by Hallux-F-Sinister, Score: 4, Interesting

    You kinda forgot an important detail for your readers:

    IS THIS A REMOTE EXPLOIT? Can someone use this to hack into a computer without physical access to it? If the attacker has to be in the same room with the computer, it is a very different story from "attacker needs no access to terminal, and all internet-connected machines are susceptible and as of this writing, are unpatched."

    Because in the first case, "oh, that's interesting, I hope they fix that soon..." and in the second, "HOLY FUCK! UNPLUG EVERYTHING FROM THE INTERWEBZ NAOW!!!"

    So... which is it? Should I be mildly concerned, or should I break the glass, and punch the big red button that trips the circuit-breaker that kills all my internet-linked equipment? Or did it already mention which and I just missed it somehow?

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:Flawed article / story by jabuzz, Score: 2

      You need the ability to run specific code in ring 0 (aka the kernel) and this allows you to access memory that in theory the SMM keeps hidden even from ring 0, aka itself. Unless you are in the habit of loading random shit into your kernel this has no practical use for a hacker.

      Further the issue with this is that you have been able to read arbitrary memory on the system for around the last 20 fucking years if you have the privilege to read from port 0xb2 via the delights of the SMM itself. This is just grandstanding like the hacks against AMD that involved loading hacked firmware onto the system.

      It's an Intel/Microsoft/Toshiba thing that originally was for being able to fiddle with things like fans, backlights etc. on laptops. Came in around about the time of the Toshiba T1900. All this stuff is now done via ACPI though I believe deep down it's still actually accomplished via SMM. It is at least on a Tecra M5 which is the last time I looked, but this is a 12 year old laptop now, though it was ACPI based rather than APM.

      You can see it in the kernel in the toshiba, thinkpad, a dell driver and possibly others. That toshiba kernel module is mine and it is the first documentation of using the SMM for controlling things outside the likes of Intel/Microsoft and Toshiba as far as I am aware. The thinkpad and other similar drivers built off the top of the knowledge I gained.

      I can still remember being astounded while single stepping through fan.exe in DOS on my Satellite Pro 400CS and seeing a simple "in al,0xb2" change all sorts of registers that should simply not be changing and the fan turning on and off.

      I am not going to detail what values you need to load into what registers to read the arbitrary memory because I think it's better that it's not generally known and because there is no patch.

    2. Re:Flawed article / story by arth1, Score: 2

      You kinda forgot an important detail for your readers:

      IS THIS A REMOTE EXPLOIT?

      The summary is pretty clear: they didn't exploit physical access, but had to be "running with kernel-level privileges". So it's obviously not a remote exploit in itself, although other vulnerabilities in an OS and app that allow a remote user to run bespoke code with kernel-level privileges would open up for remote attacks. But if you have such big holes in your system to start with, you're already fucked three ways over from Sunday.

      The main risk here, as I see it, is that it may be used to gain access to encryption keys and similar that don't reside in memory that a superuser normally has access to.

  5. After the javascript engine changes in Chrome/FF.. by Anonymous Coward, Score: 2, Informative

    It would require breaking the javascript sandbox (since performance counters in javascript now return less fine grained time values) and then hitting the CPU hard so that it can't change clock rates (doable on most modern processors, although you might want to trigger multiple passes across the same memory addresses at different periods just to make sure the values you gathered are either correct or haven't changed, a difference that you as a snooper won't be able to tell which is the cause.)

    Given the browser changes, so long as our browsers are post-performance counter changes, most of us can assume we are safe from casual attack via javascript. However any sandbox breaking or privilege escalating attacks, worms, viruses, or trojans may be able to leverage these techniques for data exfiltration. Anyone running services on a third party VPS or version of Windows should assume either first parties at the behest of, or third parties can snoop on anything on their computer systems thanks to these attacks, including the potential to read areas of memory that will help fingerprint their system or help tailor malware to persistently infect their systems with a high level of reliability via fully automated means. Services like github.com where source code is stored remotely should be assumed as compromisable, which calls a large portion of the software ecosystem into question. While there have been known large public claims of backdooring of code the capability is certainly there and given the size of these codebases and revision control systems it is something to be aware of (although the chances of being detected are also high.)

    Basically this is a huge clusterfuck with an unknown threat profile that may very well turn out to run far deeper under far more software ecosystems than we will care to admit in a few years time.

  6. Something good from something bad. by CptLoRes, Score: 3, Interesting

    Maybe finally we get some insight into the security engine stuff to make it do what we want, instead of what Intel and big corp. in general wants.