Intel CPU flaw allows for hard-to-detect rootkit

Rafal Wojtczuk and Joanna Rutkowska of Invisible Things Lab have released a paper and proof-of-concept code detailing a security vulnerability in Intel’s processors. In their words, the vulnerability allows the use of CPU cache poisoning to “read or write into (otherwise protected) SMRAM memory.” The mechanism the paper describes is simple in outline: code already running with kernel (ring 0) privileges reprograms the CPU’s memory type range registers (MTRRs) so that the SMRAM address range is marked cacheable, writes its own data into the cache at those addresses, and then triggers a System Management Interrupt; the CPU then executes the SMM handler from the poisoned cache lines instead of from the chipset-protected SMRAM.

SMRAM is the region of RAM reserved for System Management Mode (SMM), the firmware-controlled CPU mode that the chipset normally locks away from the operating system. According to NetworkWorld blogger Jamey Heary, a rootkit running there would be incredibly difficult to detect. Naturally, such a rootkit could also conceal any number of trojans, viruses, and miscellaneous malware running on an infected system. Here’s a snip from Heary’s blog post:

The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it’s not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy!

So, why release details about the vulnerability publicly instead of working quietly with Intel? Well, paper co-author Joanna Rutkowska says she and fellow researchers have already notified Intel. She also explains in another post on the Invisible Things Lab blog:

Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than… Intel’s own employees.

Rutkowska believes someone else would surely discover and exploit the flaw if it remained unpatched, so going public and forcing Intel’s hand is a good thing. Oh, and the proof-of-concept code isn’t a ready-made rootkit—it’s “totally harmless,” she claims.
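The practical question a defender has after reading this is whether a given machine is exposed. Intel’s architectural answer to the cache-poisoning technique is the System Management Range Register (SMRR): when firmware sets a valid SMRR over SMRAM, the CPU treats that range as uncacheable and refuses normal accesses to it from outside SMM, so an attacker’s write-back MTRR no longer reaches SMM code. The following is an added example, written for this page and not code from the paper, the article, or Invisible Things Lab. It decodes the SMRR state from raw MSR values and returns a verdict. The MSR numbers and bit layouts are taken from the Intel SDM (vol. 3); the live-read path assumes Linux with the msr driver loaded and root; the sample MSR triples and the TSEG location 0x7F800000 are constructed for illustration and are not taken from real hardware.

```python
"""Check whether a CPU's SMRR protects SMRAM against cache poisoning.

MSR numbers and bit layouts follow the Intel SDM, vol. 3:
  IA32_MTRRCAP       (0xFE)  bit 11  -> SMRR supported
  IA32_SMRR_PHYSBASE (0x1F2) bits 31:12 base, bits 7:0 memory type
  IA32_SMRR_PHYSMASK (0x1F3) bit 11 valid, bits 31:12 address mask
Live values are read via Linux's msr driver (/dev/cpu/N/msr, root needed).
"""
import struct
from dataclasses import dataclass

IA32_MTRRCAP = 0xFE
IA32_SMRR_PHYSBASE = 0x1F2
IA32_SMRR_PHYSMASK = 0x1F3

MTRRCAP_SMRR = 1 << 11       # SMRR capability bit in IA32_MTRRCAP
SMRR_VALID = 1 << 11         # V bit in IA32_SMRR_PHYSMASK
ADDR_BITS = 0xFFFFF000       # bits 31:12 of a 32-bit physical address
MEM_TYPES = {0: "UC", 1: "WC", 4: "WT", 5: "WP", 6: "WB"}


@dataclass(frozen=True)
class SmrrState:
    supported: bool   # CPU implements SMRR at all
    valid: bool       # firmware actually enabled it (PHYSMASK.V)
    base: int         # start of protected range (0 if not valid)
    size: int         # length in bytes (0 if not valid)
    mem_type: str     # memory type SMM itself uses for the range

    def covers(self, start: int, length: int) -> bool:
        """True if [start, start+length) lies entirely inside the SMRR range."""
        return (self.valid and self.base <= start
                and start + length <= self.base + self.size)


def smrr_size(physmask: int) -> int:
    """Range length encoded by PHYSMASK: the mask is a contiguous run of high
    address bits, so its lowest set bit is the size of the range."""
    mask = physmask & ADDR_BITS
    return mask & -mask if mask else 0


def decode_smrr(mtrrcap: int, physbase: int, physmask: int) -> SmrrState:
    """Decode the three raw MSR values into an SmrrState."""
    supported = bool(mtrrcap & MTRRCAP_SMRR)
    valid = supported and bool(physmask & SMRR_VALID)
    return SmrrState(
        supported=supported,
        valid=valid,
        base=(physbase & ADDR_BITS) if valid else 0,
        size=smrr_size(physmask) if valid else 0,
        mem_type=MEM_TYPES.get(physbase & 0xFF, "reserved"),
    )


def assess(state: SmrrState, smram_base: int, smram_size: int) -> str:
    """Verdict for SMRAM at the given location (normally TSEG).

    Only "PROTECTED" means the CPU closes the cache-poisoning route. The
    chipset's D_LCK bit alone does not, because the attack never touches the
    chipset's SMRAM decode; it only abuses the CPU's own cache via MTRRs.
    """
    if not state.supported:
        return "NO_SMRR"        # CPU has no SMRR: no CPU-side defense
    if not state.valid:
        return "SMRR_UNSET"     # CPU could protect SMRAM but firmware didn't
    if state.covers(smram_base, smram_size):
        return "PROTECTED"
    return "PARTIAL"            # SMRR set, but not over the whole SMRAM


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read one 64-bit MSR through Linux's msr driver (needs root)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(msr)
        return struct.unpack("<Q", f.read(8))[0]


def live_smrr_state(cpu: int = 0) -> SmrrState:
    """Read SMRR state from the running machine. Reading the SMRR MSRs on a
    CPU without SMRR faults (#GP, surfaced as EIO), so check MTRRCAP first."""
    mtrrcap = read_msr(IA32_MTRRCAP, cpu)
    if not mtrrcap & MTRRCAP_SMRR:
        return decode_smrr(mtrrcap, 0, 0)
    return decode_smrr(mtrrcap, read_msr(IA32_SMRR_PHYSBASE, cpu),
                       read_msr(IA32_SMRR_PHYSMASK, cpu))


# Constructed sample values (mtrrcap, physbase, physmask); not real hardware.
# An 8 MiB TSEG at 0x7F800000 is an assumed SMRAM location.
SAMPLE_TSEG = (0x7F800000, 0x800000)
SAMPLE_PROTECTED = (0x508 | MTRRCAP_SMRR, 0x7F800006, 0xFF800000 | SMRR_VALID)
SAMPLE_UNSET = (0x508 | MTRRCAP_SMRR, 0x0, 0x0)
SAMPLE_NO_SMRR = (0x508, 0x0, 0x0)

if __name__ == "__main__":
    for name, msrs in (("protected", SAMPLE_PROTECTED), ("unset", SAMPLE_UNSET),
                       ("no-smrr", SAMPLE_NO_SMRR)):
        st = decode_smrr(*msrs)
        print(f"{name:10s} -> {assess(st, *SAMPLE_TSEG)} "
              f"base=0x{st.base:x} size=0x{st.size:x} type={st.mem_type}")
    try:
        st = live_smrr_state()
        print("this machine ->", assess(st, *SAMPLE_TSEG), st)
    except OSError as e:
        print("live MSR read skipped:", e)
```

Run it as root after `modprobe msr`; substitute the real TSEG base and size for your board (readable from the chipset’s TSEG registers, or from the firmware’s memory map) before trusting a PROTECTED verdict. A CPU that reports no SMRR support has no CPU-side protection against this technique at all, which is why the question in the comments about which processors are affected matters more than which motherboards.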

Comments closed
    • MadManOriginal
    • 14 years ago

    Come on, you didn’t get that I was joking?

    • pogsnet
    • 14 years ago
    • sigher
    • 14 years ago

    Haha and ha, reminds me of one of those investigating committees who get paid 100 grand a member and then just go to the accused and ask ‘are you guilty’ and then if the accused says no conclude that their ‘investigation’ shows the accused party was innocent.

    • sigher
    • 14 years ago

    ZOMG!!

    • Draxo
    • 14 years ago

    The flaw only comes out at night.

    mostly

    • brucect
    • 14 years ago

    same here also no windoze

    • UberGerbil
    • 14 years ago

    Hanlon’s razor covers this, I think

    • MadManOriginal
    • 14 years ago

    Lies! Macs don’t get viruses! Steve Jobs told me so

    • dustyjamessutton
    • 14 years ago

    This means macs may be vulnerable too. 🙂

    • Meadows
    • 14 years ago

    You’re thinking too dirty. I’d like to see intel pressure nations, and then get nuked and achieve government funding for AMD.

    • Thanato
    • 14 years ago

    I wonder if this flaw could generate Intel some cash?

    How much would a country pay to hack another country’s computer?

    How much would you pay to protect yourself?

    • mad dog
    • 14 years ago

    why don’t you read through the lines … if this bug is that serious it should have been patched a long time ago … however it wasn’t, although it was known … now … you are allowed 3 guesses why big brother wouldn’t have your CPUs patched 😉

    That’s right …. http://en.wikipedia.org/wiki/File:Flock_of_sheep.jpg

    • ludi
    • 14 years ago

    Thanks, but I’m not a programmer…or a CPU architect.

    I’m guessing FireGryphon’s point about undetectability on military or other sensitive type systems could be the biggest problem but I’m wondering whether there are other issues that I’ve overlooked.

    • ludi
    • 14 years ago

    That’s why the foil should be hidden inside the lining of a stylish fedora. Good looks, superior mind control protection, and nobody else is any wiser.

    • pluscard
    • 14 years ago

    Exactly right, but, it’s all about to change. AMD just ordered 30,000 wafers for something, and INTC knows the 1-2 punch of the EU antitrust ruling is imminent, with the US civil suit to be heard in Feb 2010.

    People have a way of piling on when once invincible institutions begin to slip.

    Plus

    • cocobongo_tm
    • 14 years ago

    Somehow I can’t shake the feeling that if this was on the AMD side, everybody would begin preaching Apocalypse to AMD and all the “I told you so” anti-AMD voices would soon spring up from all over the place. Oh, and Dell, Hp and all the other OEM would make sure to let the prospecting buyers know that they will not have anything to do with AMD.

    Now, I kinda wish Intel to go through what AMD went last year when that nasty Phenom bug appeared.

    • Unknown_Identifier
    • 14 years ago

    <Aside> Hello, I’m a new comer, have been lurking for a while though </Aside>

    To enter SMM mode, the motherboard must support it: http://en.wikipedia.org/wiki/System_Management_Mode#Entering_SMM

    SMM rootkits have been known long before this, as can be seen here: http://www.msuiche.net/2008/08/06/smm-rootkit-limitations-and-how-to-defeat-it/

    This is not the first time such a possibility has been discovered, and mobo makers have already started to patch things up. Not that this bug is not very interesting, but this bug is quite obscure. To install this thing, you would probably need to get kernel level access on a machine, and I am not sure how many rootkit makers would go out of their way to install such a rootkit when Windows is so full of holes to hide in :) Invisible Things has caused media buzz before, about VMM rootkits for example; tech journalism tends to become a magnet for inaccuracies at this kind of stuff, and I hate for TR to be drawn into it :)

    • FireGryphon
    • 14 years ago

    Its undetectability is the problem. It’s possible that this exploit is so difficult to engineer that your everyday, run of the mill h4x0r isn’t going to use it. Probably only Very Important Systems are in danger, like military, banking, etc.

    • FireGryphon
    • 14 years ago

    If this is on all Intel hardware post-2005, Macs are vulnerable, too.

    • FireGryphon
    • 14 years ago

    The tinfoil hats may look silly now, but they won’t be enough if any of this stuff turns out to be true. Of course, it is far fetched, and you have to be a bit cautious, since the kill switches exist in the hardware to begin with. They could be activated (or deactivated) while in friendly hands as well as hostile hands.

    This is just begging for a Tom Clancy novel.

    • tfp
    • 14 years ago

    I don’t think it’s much different for anyone right now

    • MadManOriginal
    • 14 years ago

    IM IN UR CPUZ, CAUSING Y2K FORREALZ

    • sigher
    • 14 years ago

    You seem intelligent enough to answer your own question, and probably better than many others you find on comment sections.

    • sigher
    • 14 years ago

    TLB bug in some very rare circumstances could crash a computer, and was avoidable by a patch.

    This can infect your bank computer and take your money, or a government computer and take your identity or create a criminal record and have you put in jail for life, or create accidents or take down the power grid or mess up a hospital or stop the water-supply pumps, to name a few really worst-case imaginary scenarios.
    Now guess which is worse in my eyes?

    • alex666
    • 14 years ago

    Well, if it was first noted in 2005, so that was pre-C2D. If the vulnerability still exists in all post-2005 processors, then Intel has really dropped the ball. I am dubious that they would be so lax.

    • Krogoth
    • 14 years ago

    Nice healthy doses of paranoia eh?

    I call Occam’s Razor on this one.

    • Perezoso
    • 14 years ago

    Are you sure?

    http://spectrum.ieee.org/may08/6171/

    • clone
    • 14 years ago

    There were a lot of attempts to replicate the issue but none were successful, or at least none were ever replicated and mentioned on the web.

    the whole TLB bug issue was way overblown.

    • _Sigma
    • 14 years ago

    Good thing Macs are safe! [/sarcasm]

    • _Sigma
    • 14 years ago

    I was under the impression that some groups tried to replicate the TLB errata and either failed or had extremely inconclusive results.

    • Vaughn
    • 14 years ago

    Defensive much?

    Do you own intel stock?

    • 5150
    • 14 years ago

    HAHAHA. I just came back to fix that. Damn it!

    • Scrotos
    • 14 years ago

    That it’s been exploited already and that no one has been able to actually detect it for the reasons mentioned in the article?

    I don’t doubt that there are easier exploits, but how secure can you be when you say that no one is using an undetectable exploit because you haven’t detected anyone using it?

    Logically, that makes my brain hemorrhage.

    • Scrotos
    • 14 years ago

    Skynet? Cyberdyne?

    • willyolio
    • 14 years ago

    Yeah, I was wondering about which architectures. Are the newer Core i7’s affected? I already own a Core 2, so I guess that one’s already vulnerable.

    • 5150
    • 14 years ago

    Cybernet just called, we weren’t supposed to know about this for a few years.

    • khands
    • 14 years ago

    +1/2 because it’s close enough 😛

    • Meadows
    • 14 years ago

    This could be similar, why else do you think intel would skimp on it?

    As for the TLB thing, only server environments would’ve had a realistic chance of ever seeing a BSOD (if even), average consumers could’ve run those CPUs without ever knowing about the erratum in the first place.

    • ludi
    • 14 years ago

    Okay, I skimmed the paper, but wasn’t able to decipher all of it. What I did seem to get out of it is that (1) this affects some, but not all, Intel boards and can be fixed with BIOS patching, as have some similar exploits that were previously discovered; and (2) the exploit could only be installed after obtaining admin access to the target system, which other than being nearly impossible to find afterwards, doesn’t set it that far apart from other viruses and trojans.

    What is the risk from this?

    • ltcommander.data
    • 14 years ago

    I’d like to know which CPUs are affected too.

    And if they are talking specific motherboards, I wonder if EFI is affected too?

    • derFunkenstein
    • 14 years ago

    I don’t think it did, but in the case of the TLB bug, the fix was worse than the problem.

    • derFunkenstein
    • 14 years ago

    They don’t say what CPUs exactly are affected – they reference two Intel boards for desktop Core 2 CPUs, but I’m curious if that means all Core 2 cores, only 45nm or only 65nm CPUs, or if this affects mobile parts at all (most important to me, as there are only mobile CPUs in my home).

    • grantmeaname
    • 14 years ago

    when did it occur in the wild?

    • moshpit
    • 14 years ago

    Bullcrap. The TLB bug DID occur in the wild. This one has not. I’d say AMD’s screw-up hurt more than this does, considering the TLB bug had a real-world effect while this bug has nothing but proof-of-concept code that isn’t in the wild.

    • albundy
    • 14 years ago

    …the same thing we do every day…try and take over the world!

    • MadManOriginal
    • 14 years ago

    I blame -[

    • eitje
    • 14 years ago

    that evil people are lazy, and there are easier exploits available right now.

    • swaaye
    • 14 years ago

    So, the flaw has been around and documented since 2005 and no evil people have done anything with it. What does that say? Heh.

    • flip-mode
    • 14 years ago

    But the two of you landed worthless comments first!

    • cygnus1
    • 14 years ago

    ++

    10chars

    • Meadows
    • 14 years ago

    You’re right, it has a higher chance of occurring in the wild and it poses more of a threat. Give me a TLB flaw any day.

    Note: I’m not actually interested because I’m sort of an AMD person.

    • bdwilcox
    • 14 years ago

    Intel’s response? “Hey, at least it’s not a TLB flaw!”

    • Meadows
    • 14 years ago

    Or if not, they’ll summon pluscard and do equal damage.

    • DrDillyBar
    • 14 years ago

    Agreed.

    • UberGerbil
    • 14 years ago

    I’m sure someone will find a way to blame Microsoft for this.

    • UberGerbil
    • 14 years ago

    “…mostly.”

    • khands
    • 14 years ago

    30 years from now, in some CIS history class:

    “And this is why we’ve got this dip here in the Moore’s law model…”

    • asdsa
    • 14 years ago

    Safe. No Intel here.

    • TheEmrys
    • 14 years ago

    Be happy that we went AMD?

    • ssidbroadcast
    • 14 years ago

    “Oh, and the proof-of-concept code isn’t a ready-made rootkit—it’s ‘totally harmless,’ she claims.”

    “Honest,” she adds, placing a hand over her heart, “Scout’s Honor.”

    • ssidbroadcast
    • 14 years ago

    Can we get a comment from data8504 (that intel BIOS guy) on the validity of this?

    • Draxo
    • 14 years ago

    zoink what will we do now
