Vulnerability in the Intel processor cache

Date: May 11, 2009

Introduction

Joanna Rutkowska (Invisible Things Lab), well known for "BluePill", published a paper describing how to exploit a vulnerability in the cache of Intel processors. This vulnerability allows an unprivileged user to gain high privileges (SMM) on most of the latest Intel motherboards.

This flaw was originally reported to Intel by Loïc Duflot (DCSSI) in October 2008. Loïc Duflot presented the details at the CanSecWest conference on March 19, 2009. Joanna Rutkowska, who rediscovered the flaw in February 2009, chose the same date, March 19, 2009, to release an article on the matter. Intel, for its part, stated that its engineers had already identified this issue in 2005.

Technical context

"System Management Mode" (SMM) is the most privileged CPU operating mode on x86 and x86_64 architectures. In this mode, all normal execution is suspended and dedicated software runs with very high privileges ("Ring -2"). SMM is entered when specific hardware events occur, generating a hardware interrupt at the motherboard level called a "System Management Interrupt" (SMI).

The code executed in SMM resides in a protected area of system memory called SMRAM. Access to SMRAM is limited to the system firmware (BIOS): after loading the SMM code into SMRAM, the BIOS locks the system configuration and blocks any access to SMRAM that does not come from SMM.

The vulnerability discovered in Intel systems allows unauthorized access to SMRAM.


Related work

Other research had already demonstrated that SMM can be attacked.

At the BlackHat 2008 conference, "Invisible Things Lab" described in its presentation an attack that exploits the remapping feature to gain unauthorized access to certain memory areas, in particular SMRAM. Intel has fixed this issue.

Likewise, "Invisible Things Lab" said it had discovered a third flaw in Intel firmware that makes it possible to bypass the SMRAM security mechanisms and inject arbitrary code into the SMM code. Intel is currently working on patches, and "Invisible Things Lab" will present this vulnerability at the BlackHat 2009 conference.

Technical analysis and exploitation

Regarding the flaw disclosed on March 19, Joanna Rutkowska proposes two attack scenarios:

1/ SMM memory overwriting

The attacker must first modify the system MTRRs (Memory Type Range Registers) to mark the SMRAM location in system memory as "Write-Back cacheable". The attacker then generates write accesses to the physical addresses corresponding to SMRAM. After that, the attacker triggers an SMI, which causes the CPU to execute the SMM code. The CPU first looks for the instructions in the cache, so the data supplied by the attacker and held in the cache is executed with SMM privileges.

2/ SMM memory reading

A similar attack may allow an attacker to read SMM memory. Here too, the attacker manipulates the system MTRRs to mark the SMRAM location in system memory as "Write-Back cacheable". He then triggers an SMI, which causes his own instructions to be written to the cache. Finally, the attacker has to use an instruction (preferably a non-invasive one, to avoid polluting the cache with unrelated data) to read the cache.

The possible consequences of these attacks are the installation of SMM rootkits, the compromise of hypervisor accounts, or the bypass of operating system kernel restrictions. They allow privilege escalation from user mode ("Ring 3") to SMM.
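
The following audit check is an added example, not code from the original article or from Invisible Things Lab: it decodes raw variable-range MTRR values and reports whether an SMRAM range is write-back cacheable, the condition both scenarios above depend on. The register values, the SMRAM base and size, and all names are constructed assumptions; MTRRs are assumed to be enabled, and fixed-range MTRRs (below 1 MiB) are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { MT_UC = 0, MT_WT = 4, MT_WB = 6 };          /* MTRR memory type encodings (subset) */
#define MTRR_VALID (1ULL << 11)                    /* PHYSMASK bit 11: pair enabled */
#define ADDR_BITS  0x0000000FFFFFF000ULL           /* bits 35:12; assumes 36-bit physical addresses */
struct var_mtrr { uint64_t physbase, physmask; };  /* raw variable-range MSR pair */

/* Effective type of one address above 1 MiB from the variable-range MTRRs.
 * Overlap rules: UC always wins, WT beats WB, no match gives the default type. */
static int mtrr_type_at(const struct var_mtrr *m, size_t n, int def_type, uint64_t addr)
{
    int type = -1;
    for (size_t i = 0; i < n; i++) {
        uint64_t mask = m[i].physmask & ADDR_BITS;
        if (!(m[i].physmask & MTRR_VALID)) continue;           /* pair disabled */
        if ((addr & mask) != (m[i].physbase & mask)) continue; /* address outside range */
        int t = (int)(m[i].physbase & 0xFF);                   /* type is in bits 7:0 */
        if (t == MT_UC) return MT_UC;
        if (type == -1 || (t == MT_WT && type == MT_WB)) type = t;
    }
    return type == -1 ? def_type : type;
}

/* Returns 1 if any 4 KiB page of [base, base + size) is write-back cacheable. */
int smram_is_write_back(const struct var_mtrr *m, size_t n, int def_type,
                        uint64_t base, uint64_t size)
{
    for (uint64_t a = base; a < base + size; a += 0x1000)
        if (mtrr_type_at(m, n, def_type, a) == MT_WB) return 1;
    return 0;
}

/* Constructed values: 2 GiB of RAM, SMRAM assumed to occupy the top 8 MiB. */
#define SMRAM_BASE 0x7F800000ULL
#define SMRAM_SIZE 0x00800000ULL
const struct var_mtrr EXPECTED[] = {   /* RAM is WB, SMRAM range overridden as UC */
    { 0x00000000ULL | MT_WB, 0xF80000000ULL | MTRR_VALID },
    { SMRAM_BASE    | MT_UC, 0xFFF800000ULL | MTRR_VALID },
};
const struct var_mtrr FLAGGED[] = { { 0x0ULL | MT_WB, 0xF80000000ULL | MTRR_VALID } }; /* SMRAM falls under WB */

int main(void)
{
    printf("expected: %d\n", smram_is_write_back(EXPECTED, 2, MT_UC, SMRAM_BASE, SMRAM_SIZE));
    printf("flagged:  %d\n", smram_is_write_back(FLAGGED, 1, MT_UC, SMRAM_BASE, SMRAM_SIZE));
    return 0;
}
```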

 

Conclusion

Intel is currently working on these cache issues and is also working with BIOS vendors to develop workarounds. According to Intel, many recent systems are protected against this attack. However, according to "Invisible Things Lab", some recent Intel motherboards, such as the DQ35, are still vulnerable, and the overall security level of firmware vendors is still insufficient.
