Intel CPU flaw allows for hard-to-detect rootkit

A pair of security researchers has released a paper and proof-of-concept code detailing a security vulnerability in Intel’s processors. In their words, the vulnerability allows the use of CPU cache poisoning to “read or write into (otherwise protected) SMRAM memory.”

SMRAM means System Management Mode memory, and according to NetworkWorld blogger Jamey Heary, a rootkit running there would be incredibly difficult to detect. Naturally, such a rootkit could also conceal any number of trojans, viruses, and miscellaneous malware apps running on an infected system. Here’s a snip from Heary’s blog post:

The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it’s not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy!

So, why release details about the vulnerability publicly instead of working quietly with Intel? Well, paper co-author Joanna Rutkowska says she and fellow researchers have already notified Intel. She also explains in another post on the Invisible Things Lab blog:

Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than… Intel’s own employees.

Rutkowska believes someone else would surely discover and exploit the flaw if it remains unpatched, so going public and forcing Intel’s hand is a good thing. Oh, and the proof-of-concept code isn’t a ready-made rootkit—it’s “totally harmless,” she claims.

Comments closed
    • dustyjamessutton
    • 11 years ago

    This means macs may be vulnerable too. 🙂

      • MadManOriginal
      • 11 years ago

      Lies! Macs don’t get viruses! Steve Jobs told me so

        • pogsnet
        • 11 years ago
          • MadManOriginal
          • 11 years ago

          Come on, you didn’t get that I was joking?

    • mad dog
    • 11 years ago

    why don’t you read through the lines … if this bug is that serious it should have been patched long time ago … however it wasn’t, although it was known … now … you are allowed 3 guesses why big brother wouldn’t have your CPU’s patched 😉

    That’s right …. http://en.wikipedia.org/wiki/File:Flock_of_sheep.jpg

    • ludi
    • 11 years ago

    Okay, I skimmed the paper, but wasn’t able to decipher all of it. What I did seem to get out of it is that (1) this affects some, but not all, Intel boards and can be fixed with BIOS patching, as have some similar exploits that were previously discovered; and (2) the exploit could only be installed after obtaining admin access to the target system, which other than being nearly impossible to find afterwards, doesn’t set it that far apart from other viruses and trojans.

    What is the risk from this?

      • sigher
      • 11 years ago

      You seem intelligent enough to answer your own question, and probably better than many others you find on comment sections.

        • ludi
        • 11 years ago

        Thanks, but I’m not a programmer…or a CPU architect.

        I’m guessing FireGryphon’s point about undetectability on military or other sensitive type systems could be the biggest problem but I’m wondering whether there are other issues that I’ve overlooked.

      • FireGryphon
      • 11 years ago

      Its undetectability is the problem. It’s possible that this exploit is so difficult to engineer that your everyday, run of the mill h4x0r isn’t going to use it. Probably only Very Important Systems are in danger, like military, banking, etc.

    • derFunkenstein
    • 11 years ago

    They don’t say what CPUs exactly are affected – they reference two Intel boards for desktop Core 2 CPUs, but I’m curious if that means all Core 2 cores, only 45nm or only 65nm CPUs, or if this affects mobile parts at all (most important to me, as there are only mobile CPUs in my home).

      • ltcommander.data
      • 11 years ago

      I’d like to know which CPUs are affected too.

      And if they are talking specific motherboards, I wonder if EFI is affected too?

      • willyolio
      • 11 years ago

      Yeah, I was wondering about which architectures. Are the newer Core i7s affected? I already own a Core 2, so I guess that one’s already vulnerable.

      • alex666
      • 11 years ago

      Well, it was first noted in 2005, so that was pre-C2D. If the vulnerability still exists in all post-2005 processors, then Intel has really dropped the ball. I am dubious that they would be so lax.

    • swaaye
    • 11 years ago

    So, the flaw has been around and documented since 2005 and no evil people have done anything with it. What does that say? Heh.

    • bdwilcox
    • 11 years ago

    Intel’s response? “Hey, at least it’s not a TLB flaw!”

    • UberGerbil
    • 11 years ago

    I’m sure someone will find a way to blame Microsoft for this.

      • Meadows
      • 11 years ago

      Or if not, they’ll summon pluscard and do equal damage.

        • flip-mode
        • 11 years ago

        But the two of you landed worthless comments first!

      • MadManOriginal
      • 11 years ago

      I blame -[

        • _Sigma
        • 11 years ago

        Good thing Macs are safe! [/sarcasm]

          • FireGryphon
          • 11 years ago

          If this is on all Intel hardware post-2005, Macs are vulnerable, too.

    • asdsa
    • 11 years ago

    Safe. No Intel here.

      • brucect
      • 11 years ago

      same here also no windoze

    • ssidbroadcast
    • 11 years ago

    “Oh, and the proof-of-concept code isn’t a ready-made rootkit—it’s ‘totally harmless,’ she claims.” “Honest,” she adds, placing a hand over her heart, “Scout’s Honor.”

      • UberGerbil
      • 11 years ago

      “…mostly.”

        • 5150
        • 11 years ago

        Cybernet just called, we weren’t supposed to know about this for a few years.

          • Scrotos
          • 11 years ago

          Skynet? Cyberdyne?

            • 5150
            • 11 years ago

            HAHAHA. I just came back to fix that. Damn it!

        • Draxo
        • 11 years ago

        The flaw only comes out at night.

        mostly

    • ssidbroadcast
    • 11 years ago

    Can we get a comment from data8504 (that intel BIOS guy) on the validity of this?

      • DrDillyBar
      • 11 years ago

      Agreed.

      • sigher
      • 11 years ago

      Haha and ha, reminds me of one of those investigating committees who get paid 100 grand a member and then just go to the accused and ask ‘are you guilty’ and then, if the accused says no, conclude that their ‘investigation’ shows the accused party was innocent.

    • Draxo
    • 11 years ago

    zoink what will we do now

      • TheEmrys
      • 11 years ago

      Be happy that we went AMD?

      • khands
      • 11 years ago

      30 years from now, in some CIS history class:

      “And this is why we’ve got this dip here in the Moore’s law model…”

        • cygnus1
        • 11 years ago

        ++

        10chars

      • albundy
      • 11 years ago

      …the same thing we do every day…try and take over the world!

        • khands
        • 11 years ago

        +1/2 because it’s close enough 😛

      • cocobongo_tm
      • 11 years ago

      Somehow I can’t shake the feeling that if this was on the AMD side, everybody would begin preaching Apocalypse to AMD and all the “I told you so” anti-AMD voices would soon spring up from all over the place. Oh, and Dell, HP and all the other OEMs would make sure to let prospective buyers know that they will not have anything to do with AMD.

      Now, I kinda wish Intel to go through what AMD went last year when that nasty Phenom bug appeared.

        • pluscard
        • 11 years ago

        Exactly right, but, it’s all about to change. AMD just ordered 30,000 wafers for something, and INTC knows the 1-2 punch of the EU antitrust ruling is imminent, with the US civil suit to be heard in Feb 2010.

        People have a way of piling on when once invincible institutions begin to slip.

        Plus
