Stealthier than an MBR rootkit, more powerful than ring 0 control, it's the soon to be developed SMM rootkit (Fri, Mar 20th)

Joanna Rutkowska, founder and CEO of Invisible Things Lab, along with Rafal Wojtczuk, has released a paper on attacking SMM memory via Intel CPU cache poisoning. They did not release an SMM rootkit, as some people stated they would. What was released includes totally harmless shellcode, according to Ms. Rutkowska's blog. Here is a reference to the paper:

invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of Ring -2 as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in Ring -1.

She goes on to explain how the protection of SMM can be trivially circumvented in just over a half page of text, ending with "And that's it!"

A talk was given today at CanSecWest on this paper by Loic Duflot of SGDN/Central Directorate of Information Systems Security: cansecwest.com/agenda.html

URL: http://isc.sans.org/diary.php?storyid=6046&rss
