Security researchers are sounding the alarm about what they say is a serious and long-known flaw in x86 processors that could prove embarrassing not just for its existence — but for the lack of action taken to address it so far.
Joanna Rutkowska and Rafal Wojtczuk today published a research paper describing a proof-of-concept rootkit that a hacker can install on a system through a vulnerability in Intel CPUs’ caching memory.
The rootkit specifically attacks System Management Mode (SMM) memory, called SMRAM — an area of memory that ordinary software cannot access because of its many sensitive uses, such as holding the processor's saved state when a system enters sleep mode.
The memory operates at a higher level of privilege than the operating system, which means the OS can’t manage or control it. Even the kernel or a hardware hypervisor can’t override it, making attacks that penetrate SMM potentially difficult to thwart. Because SMM memory is protected from applications accessing it, any code that runs in it is trusted to be valid and safe.
As a result, malware could take over a PC with little or no way to remove it.
While Rutkowska and Wojtczuk’s proof of concept code is harmless, it’s meant to illustrate the potential for danger if an attacker gets control of SMRAM and uploads special executable code, called shellcode, into the memory.
Rutkowska said the issue has been fixed on some Intel (NASDAQ: INTC) motherboards, but older Intel boards are still open to exploitation. She also wrote in the report that the company is pursuing more widespread answers to the problem.
“Intel has informed us that they have been working on a solution … for quite a while and have also engaged with OEMs/BIOS vendors to implement certain new mechanisms that are supposed to prevent the attack,” Rutkowska and Wojtczuk wrote in their report. “According to Intel, many new systems are protected against the attack.”
But not all motherboards are secured. She noted that Intel’s popular new DQ35 board is still vulnerable to it.
Rutkowska also said in an e-mail to InternetNews.com that she has not determined whether the problem extends to AMD.
“We haven’t got enough resources to extend our research to also cover other CPUs and other chipsets,” she said.
AMD (NYSE: AMD) has not responded to queries seeking comment.
A known problem
Despite the potential severity of the issue, Intel has known about the problem with SMM for some time. Rutkowska said on her Web site that “SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than… Intel’s own employees.”
An Intel spokesperson confirmed in an e-mail to InternetNews.com that the company has been aware of the vulnerability.
“We are working with these researchers,” an Intel spokesperson said in an e-mail to InternetNews.com. “We take this research and all reports seriously. Currently, as far as we know, there are no known exploits in the wild.”
It’s unclear how long that might last, however, considering that Rutkowska and Wojtczuk are not the only people to find the vulnerability.
A researcher named Loic Duflot found an SMM exploit and is scheduled to present his own paper on the problem at the CanSecWest conference in Vancouver, Canada. Rutkowska said Duflot told her that he had informed Intel of the problem in October.
In addition to the problems outlined in this week’s paper, Rutkowska discussed other SMM problems during a presentation at Black Hat DC 09 last month.
And, she added, there has been at least one more recent incident in which researchers uncovered a problem with SMM.
“This is the third attack on SMM memory our team has found within the last 10 months, affecting Intel-based systems. It seems that current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying,” Rutkowska and Wojtczuk wrote in their research paper.
Still, Rutkowska, who made headlines in recent years with her Blue Pill rootkit, said that the SMM vulnerability isn’t something people should worry about just yet — chiefly because the industry has yet to get a handle on far more obvious problems.
“Today, we cannot effectively detect even the ‘traditional’ ring 0 (kernel) rootkits, so I wouldn’t be losing much sleep about the detection of SMM malware now,” she said in an e-mail to InternetNews.com. “Let’s focus on simpler problems first.”