Uh Oh, Exploit code targeting major Intel chip flaw to be posted 3/19/09

swag, Donating Member (1000+ posts), Thu Mar-19-09 11:38 AM
Original message
Uh Oh, Exploit code targeting major Intel chip flaw to be posted 3/19/09
Edited on Thu Mar-19-09 12:07 PM by swag
Source: Network World

This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.

Security researchers Joanna Rutkowska and Loic Duflot are planning to release a research paper + exploit code for a new SMM (System Management Mode) exploit that installs via an Intel® CPU caching vulnerability. Joanna, of Blue Pill fame, reported this on her blog.

Joanna cleared it up for me that they are not releasing an SMM rootkit but rather an exploit. It will be up to some other folks to tie this in with an SMM rootkit like this one, perhaps.

"Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours."

The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any operating system. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, the fact that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system makes an SMM rootkit incredibly stealthy! It is very much like the Blue Pill attack (the PC is living in the Matrix, which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors, so if you'd like further education or a history lesson, here is a good article.

__________

Since everyone's whining about the geekspeak, here's a paragraph with implications from Tech Republic:

This exploit is completely new and potentially devastating. The malware code takes over a PC with little or no recourse to remove it. I imagine the rootkit will be able to contact command and control servers and of course have the latest and greatest malware payloads rivaling any of the newest trojans. All of this and the computer’s operating system is totally oblivious to what’s happening.

Read more: http://www.networkworld.com/community/node/39825?t51hb&netht=mr_031909&nladname=031909dailynewsamal

Intel has known about this since 2005.
Printer Friendly | Permalink |  | Top
tridim, Donating Member (1000+ posts), Thu Mar-19-09 11:41 AM
Response to Original message
1. I rock an AMD
Remember the Pentium math flaw back in the early 90's?

pokercat999, Donating Member (1000+ posts), Thu Mar-19-09 02:46 PM
Response to Reply #1
49. Me 2...AMD Quad 4....nt

Deja Q, Donating Member (1000+ posts), Fri Mar-20-09 05:40 PM
Response to Reply #1
101. Yep. Unfortunately, the decent models require useless DDR3 RAM...
$1000 for a 3.0 GHz Phenom quad core with 8GB of RAM (1600 MHz compatible) and mobo to replace my current kit; I'd rather spend it on a dual quad core Xeon mobo and two Xeon CPUs and risk it.

Life's uncertain enough already.

rateyes, Donating Member (1000+ posts), Thu Mar-19-09 11:42 AM
Response to Original message
2. Could you put that in English for me??
:hi:

yy4me, Donating Member (1000+ posts), Thu Mar-19-09 11:52 AM
Response to Reply #2
7. Me too. I worry enough about screwing this thing up, have paid
enough dollars to the local computer guy to bail me out of one mess or another. This post above is so far above me that all I see are dollar signs and error messages.

Or maybe something like the series of Trojan horses I have been picking up as of late. Had this computer 6 years, never a Trojan horse.
Two weeks ago, 7. Last week, 1.

I don't even know what I am doing but this posting sounds like someone is out to get us again.
Maybe it is just tech talk and I'm way off base. If I am, then you know how computer un-savvy I am.

Someone have mercy on those of us who are not-so-savvy.


rateyes, Donating Member (1000+ posts), Thu Mar-19-09 12:23 PM
Response to Reply #7
21. I feel your pain. nt

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:07 PM
Response to Reply #2
11. Intel Inside = Hacker Inside.
Edited on Thu Mar-19-09 12:13 PM by caseymoz
If you have an Intel (Inside) brain in your computer, a hacker can get "Inside," stay there, then control your computer for as long as they want, and there is no way you could know it, no way you can do anything about it. Anti-spyware and anti-viral programs will not help you once they get in, will not even detect it. You just have to buy a new computer, if you suspect they're in there, and you will suspect it.

Intel had better recall their processors, or people should switch to Apple or get a PC with an AMD brain. Hard to do in this economy.

I have an AMD. Always have. Home assembled from separate bought parts. In many generations, it's at least as good as an Intel.

:argh:

rateyes, Donating Member (1000+ posts), Thu Mar-19-09 12:13 PM
Response to Reply #11
13. Uh oh. I guess those with shares of stock in Intel need to look for buyers.
And, me, a new computer.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:17 PM
Response to Reply #13
16. This will lead to just (a few) court cases, and recalling them might actually bankrupt Intel.

It might actually lead to a "frivolous" class action suit, despite EX-PRESIDENT Bush's reforms against class action suits.

I love writing that. EX-PRESIDENT Bush.

Jackpine Radical, Donating Member (1000+ posts), Thu Mar-19-09 12:14 PM
Response to Reply #11
14. Yeah, but Macs now have Intel brains.
I'm sitting here writing on an Intel MacBook, and I assume I'm vulnerable. Isn't that so?

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:22 PM
Response to Reply #14
19. I forgot that. Yes, but if we're lucky, it might just be a flaw in just some Intel Processors.

I didn't read a whole article, but it might just be certain specific generations of Intel, but knowledge of that is beyond my expertise.

CatholicEdHead, Donating Member (1000+ posts), Thu Mar-19-09 12:25 PM
Response to Reply #19
23. The article says it could go back to the 386 line
If that is the case then maybe some AMD chips are at risk as they used the exact same design for a very long time.

PowerPC Macs are immune, so save your old Mac if you have it.

I am guessing this cannot be fixed with some type of firmware/BIOS update. That is where you would try to patch this hole.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:34 PM
Response to Reply #23
26. It did, but since then, Intel has made many changes in different generations.

It might go back to the 386, but it still might not be in every generation, every model. Intel has made changes in its chip design since then.

I'm just saying, we might be lucky.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:25 PM
Response to Reply #11
22. I SHOULD ADD: it might be only some Intel Processors.

Certain generations. Intel has changed their processor designs radically in recent generations. I haven't read the whole article yet.

lapfog_1, Donating Member (1000+ posts), Thu Mar-19-09 04:39 PM
Response to Reply #22
63. Yes, that's the good news...
Chances are that older Pentiums (before Core 2) are likely safe. Probably older Xeons too. And Celerons.
Anything from Intel that is RISC designed (and that's not much... i960s, Atom, others???).

But Core 2, Itaniums, and especially i7s are all likely suspects.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:53 PM
Response to Reply #11
30. A FEW OTHER ITEMS OF PROBABLE GOOD NEWS:

IMHO, any program that tries this exploit would have to be very big. It has to do a lot of things with actual machine level language, that is zeros-and-ones. So, it will also be a lot of work, and not at the level of the garden-variety hacker. Few people have that expertise (though they are going to be in demand, now!) The size alone might make it easy to detect.

The other thing, you could still block it from getting in. It should be easy considering the possible size. Don't open attachments you don't expect, and have them swept for something funny before you do, and have security programs that block you from bad sites and dangerous links.

lapfog_1, Donating Member (1000+ posts), Thu Mar-19-09 04:43 PM
Response to Reply #30
65. Good news and bad news.
Most hackers have little skill with writing new hacks. What they do is find an exploit and then write delivery code around it.

They could do so here with little help.

However, that leaves a digital signature (the common exploit code) which, if scanned before allowed to be downloaded and run on your machine, might be detectable.

As for the size... I wouldn't think the exploit itself is really large, probably only a few machine instructions that allow it to gain "management mode" privileges. After that, what they do with the privilege, that could be small or large.

merwin, Donating Member (1000+ posts), Thu Mar-19-09 01:40 PM
Response to Reply #11
35. How would this not affect Apple? They use Intel chips as well.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 02:09 PM
Response to Reply #35
41. As I said in #19, I forgot that.

:eyes:
Printer Friendly | Permalink |  | Top
 
B3Nut Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 02:46 PM
Response to Reply #11
50. Current Apples use Intel processors.
You'd have to buy a used G5 or G4 machine to get away from Intel on the Mac platform.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 02:48 PM
Response to Reply #50
51. I forgot that.

reggie the dog, Donating Member (1000+ posts), Thu Mar-19-09 04:48 PM
Response to Reply #11
66. how could you suspect a hacker?
what would the signs be?

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 09:02 PM
Response to Reply #66
78. There are so many signs and few of them are definite.

Almost a third of the computers in the US have been hacked in some way, and any low-level hack like this almost has to download a higher level program before it can really be used. So, if you keep coming up with viruses and stuff you've removed before, it might be this type of hack.

Here are some ways, and you should always verify them in some way before you freak out:

-Your computer is much slower than usual for no reason, and is slow even going to sites like Google.

-When you have it on, and you're not doing anything and the disk is spinning like there's no tomorrow. (This could also be a Windows background program or your Anti-Virus doing a check, so don't panic, yet.)

-If your files come up missing (this could also be a bad disk).

-If you have files on your disk that you've never downloaded, never installed, and can't account for, and which aren't part of Windows or a known program. Especially if you either can't access them, or they are loaded with something you don't want (like child porn).

-If you get pop up windows you can't close for no reason.

-If you try to go to one site, and you're directed to a totally different site.

-If you get up in the middle of the night or whenever you're usually away from your PC, check your computer (if it's always on and connected) and discover the disk is spinning for no reason and the processor fan is running like a gunned engine.

-If you get email messages that seem to be answering emails you've never sent. (Could be a spam ploy too. Don't open any attachments!)

-If in your mail-client's send box, there are messages you never sent. (dead give away)

-If there is less remaining space on your disk than you can account for.

-If you look in your browser cache and find it loaded with things that shouldn't be there (Like child porn).

-If your anti-virus, anti-spyware program crash and keep crashing.

-If you try to go to sites advising about spyware or viruses and you get re-directed, or your processor closes or your computer freezes, for some reason, you can't get there.

-Also, try going to this site to see if the processes running on your computer are on the up-and-up:

http://www.processlibrary.com/processscan/

Dont_Bogart_the_Pretzel, Donating Member (1000+ posts), Thu Mar-19-09 06:35 PM
Response to Reply #11
74. Why switch to Mac? Don't Macs run on Intel chips?
Maybe the people at Apple might consider porting out to AMD.

Ms. Toad, Donating Member (1000+ posts), Fri Mar-20-09 08:27 PM
Response to Reply #11
104. Every AMD I have had
(3 or 4 total) has either committed suicide or melted itself, and the surrounding board. I have measured the temperature of the one sitting waiting for me to send it back under a recall at 150 degrees - I suspect the actual temperature is higher since I was using a candy thermometer that is designed to be immersed. No more.

hlthe2b, Donating Member (1000+ posts), Thu Mar-19-09 11:46 AM
Response to Original message
3. I have to wonder who it is out there that REALLY wants to destroy
Edited on Thu Mar-19-09 11:47 AM by hlthe2b
the Internet.... This takes profit motives from Russian mafiosos and other thieves--and almost makes them seem "quaint."

msongs, Donating Member (1000+ posts), Thu Mar-19-09 11:46 AM
Response to Original message
4. unintelligible geek speak is so........sexy lol nt

sufrommich, Donating Member (1000+ posts), Thu Mar-19-09 11:47 AM
Response to Original message
5. Something to do with computers and it's bad.
That is the sum of what I can comprehend of that. Could you put it in dumb terms ?

valerief, Donating Member (1000+ posts), Thu Mar-19-09 11:48 AM
Response to Original message
6. So this means we should buy anything over the net or give out any personal info
over the net, right? Also, no online banking. Just surfing and posting to blogs.

Okay.

Jackpine Radical, Donating Member (1000+ posts), Thu Mar-19-09 12:16 PM
Response to Reply #6
15. Is there sposed to be a "never" in there somewhere?

valerief, Donating Member (1000+ posts), Thu Mar-19-09 09:07 PM
Response to Reply #15
79. Yep! Forgot the "never." Thanks. nt

Renew Deal, Donating Member (1000+ posts), Thu Mar-19-09 11:55 AM
Response to Original message
8. Hate it when that happens.
:shrug:

LuckyTheDog, Donating Member (1000+ posts), Thu Mar-19-09 11:56 AM
Response to Original message
9. That is so poorly written
that I doubt anyone but a total hardware geek would understand it -- maybe.

Could you explain that better and let us know what we might be able to do about it?

DS1, Donating Member (1000+ posts), Thu Mar-19-09 12:55 PM
Response to Reply #9
31. Well it's not the NY Post. It's TechRepublic
Where techs get news. It wasn't meant for Joe the Plumber

cliffordu, Donating Member (1000+ posts), Thu Mar-19-09 12:03 PM
Response to Original message
10. THIS IS NOT A BUG....IT'S A FEATURE.

AB_Positive, Donating Member (151 posts), Thu Mar-19-09 12:08 PM
Response to Original message
12. Non-geek version
Edited on Thu Mar-19-09 12:09 PM by AB_Positive
OK, say you're planting a field of wheat... (changed first line as I never got to the cake part of the analogy)

Now say there's some sort of bug infestation killing wheat fields. You can use insecticide to kill the bugs, but keep the wheat. This is like using anti-virus software on normal viruses.

Now say someone planting the wheat is putting the bug's eggs in with the wheat seeds in a way that both hatch at the right time that the bugs can just chow down. Still, you can fix this albeit in a harder fashion. Let's say this is the Trojan horse analogy - you can remove trojans but they are nastier and take longer. Sometimes you have to wipe the hard drive (clear the field and replant) to fix it.


THIS problem would be like if you made that bug so tiny, it ate the electrons, neutrons, and protons that make the *atoms* that make the molecules that make the cells that make up the wheat.

Fuck. How do you fix THAT?

Seedersandleechers, Donating Member (1000+ posts), Thu Mar-19-09 12:19 PM
Response to Reply #12
17. Buy a mac maybe?
Just guessing.

swag, Donating Member (1000+ posts), Thu Mar-19-09 12:21 PM
Response to Reply #17
18. Good luck with that now that Macs run on Intel chips

CatholicEdHead, Donating Member (1000+ posts), Thu Mar-19-09 12:22 PM
Response to Reply #17
20. Nope, buy AMD instead, Macs are Intel now

Seedersandleechers, Donating Member (1000+ posts), Thu Mar-19-09 12:29 PM
Response to Reply #20
25. Can you use the OSX OS on that?
I will never go back to windows or anything microsoft. OSX will find a way to kill those buggers.

caseymoz, Donating Member (1000+ posts), Thu Mar-19-09 12:42 PM
Response to Reply #25
27. It doesn't matter what your operating system is. The only thing you could do is prevent infection.

The only thing you could do is stop them from getting in. Check your email with an up-to-date anti-virus/malware program, don't open attachments until they're checked, sweep your downloads. Use security programs that block bad websites; most should do this.

Once hackers are in, you are fucked.

earcandle, Donating Member (1000+ posts), Thu Mar-19-09 01:41 PM
Response to Reply #20
36. math sucks on AMD, you need Intel Pentiums

TrogL, Donating Member (1000+ posts), Thu Mar-19-09 04:27 PM
Response to Reply #36
60. What math are you doing on AMD?
Most general purpose computing is integer based and anything fancy is often passed off to the video card.

formercia, Donating Member (1000+ posts), Thu Mar-19-09 01:37 PM
Response to Reply #17
33. All the new Macs are Intel too
That's why I kept my old G4 with a PowerPC CPU.

The NSA has probably been exploiting this for decades.

Why do you think they let us use the Internet?

thereismore, Donating Member (1000+ posts), Thu Mar-19-09 01:32 PM
Response to Reply #12
32. More like buying Monsanto wheat that returns 10% of what you sow. nt

merwin, Donating Member (1000+ posts), Thu Mar-19-09 01:48 PM
Response to Reply #12
37. More like poisoning the water table.

NoodleyAppendage, Donating Member (1000+ posts), Thu Mar-19-09 05:52 PM
Response to Reply #12
71. You fix it by going to a company for chips that wasn't commanded by the NSA/CIA to build in SMM.
System Management Mode was a well-known insert to allow for individual computer infiltration by the spooks. Funny that it takes an exploit to bring this inconvenient fact back to public consciousness.

J

L. Coyote, Donating Member (1000+ posts), Thu Mar-19-09 12:29 PM
Response to Original message
24. The Commander-in-Chief is corrupt, and he runs the Police, Justice Dept. and the Supreme Court.
So, there is nothing you can do about it except wait until the next election.

Is that a good analogy?

lapfog_1, Donating Member (1000+ posts), Thu Mar-19-09 12:51 PM
Response to Original message
28. I'll take a whack at the non-geek version...
What this means is that IF your computer picks up a virus that has this exploit in it (or it comes pre-installed when you buy your computer), the exploit could hide somewhere where NO anti-virus code could even detect it, much less remove it. Not only that, but re-installing your OS from scratch might not be sufficient (won't be sufficient) to remove the exploit. In addition, no matter HOW secure your OS is, this exploit could still control your entire computer. It could (for example) record every keystroke you ever type, even the ones that you might type before your windoze system (or unix) actually boots. Passwords and encryption... phhttt.

Of course, the virus still needs to make it to your computer and run once to install the exploit.

It apparently makes use of a security flaw inside the chip, allowing the code to run at a level where the chip "trusts" the code executed explicitly. There are many levels of security on your computer. The lowest levels are "application code" - like code that might infect a browser like Windows Explorer... the next level up might be the Operating System - like something that attaches to Windows Vista or XP. Higher up is a possible hypervisor or a CPU presented architecture that handles things like managing the memory maps and so on... viruses here are not visible to the Operating System. Highest would be the chip "management mode", above even the hypervisor... this mode is reserved for configuring how the chip actually works (what soft programmable instructions actually DO, or similar), complete control of everything in your system, totally not visible to the Operating System.

A hypervisor exploit or "management mode" exploit is the most dangerous... and should be impossible (damn chip programmers should leave these levels as simple as possible just to avoid this type of problem). They are dangerous because anything you install to detect and remove viruses at those levels won't, by definition, work (because those virus scan utilities cannot actually SEE anything at that level - unless, of course, THEY use the exploit as well - but that's another topic).

Well, that sucks.

Fortunately (for me), the most likely delivery vehicle of such an exploit is some stupid Windows app or web or email thingy... and my only Intel machine doesn't run Windows and doesn't ever surf the web or download email (it's a dumb file server).

However, for the rest of the world (including our military, our financial institutions, etc), it's quite possible to see an exploit that simply (on a preset time code or on receipt of a command) causes every infected computer to halt, never to be booted again without replacing the CPU(s). Or, as I said, pick up every keystroke and send it to some computer in China, or whatever...

Worse than the fear over Y2K (if you all remember the overblown fears of that).

Actually, this points out something... Adaptation in Natural and Artificial Systems (a great book and the title of a course I took in college)... the author pointed out that there always needs to be a wide variety of species because of abrupt changes in the environment and the possibility of wiping out an entire homogeneous species. In the case at hand... we need a number of popular chip makers (and auto makers and types of corn and so on) because should we become overly dependent on ONE species (of CPUs), one event can render the entire population extinct. We need to have resilience just to avoid these types of disasters, even if having multiple types of X is less efficient than the "dominant" species.

Something to think about.

earcandle, Donating Member (1000+ posts), Thu Mar-19-09 01:49 PM
Response to Reply #28
38. Thanks. So if we have it, it is surveillance machinery?
And if we are being watched, or think we are being watched, then we just need to safeguard our assets and continue as normal: watch our bank accounts, that our emails are landing where we expect them to, etc. Is that our cost for these foibles? Cause we certainly cannot stop them, or buy new computers every time they come up with another malicious product.

I dumped all virus protection and security software years ago. I keep my creative computer off line. And the one that is online doesn't have much I can't remake. And you know what. Since I stopped using IE and security/virus software, I have had no crashes other than aging deaths. Just saying.. some of these hypes are fantasies and the cures could in fact be the disease given who has been running things for the last twenty years.

anyone else come to this conclusion? or dare to withdraw from fear mongering?

AB_Positive, Donating Member (151 posts), Thu Mar-19-09 12:51 PM
Response to Original message
29. Windows/Mac/Linux/Solaris... doesn't matter.
If it's Intel it's infectable.

Quick check of the memory reminds me that my desktop is AMD so I'm good there. Can't remember if the Aspire One netbook runs on Intel or AMD but I'd hate to lose that thing.

Guess I should install a linux antivirus program. Man, I feel weird just typing that.

CatholicEdHead, Donating Member (1000+ posts), Thu Mar-19-09 03:35 PM
Response to Reply #29
56. Aspires run the Atom, which is Intel
AMD still refuses to get into the netbook market. They are too far behind in R&D to invest enough to make it worthwhile.

riverdeep, Donating Member (1000+ posts), Thu Mar-19-09 01:37 PM
Response to Original message
34. Well, apparently there was some controversy over whether the 'Blue Pill' thing
was even real. Some say she ginned up the danger to gain pub for her business, some say she was taken out of context. Whatever, most say that a threat in the real world was not likely to happen. See this blog post for a back and forth with her and one of her detractors:

http://rationalsecurity.typepad.com/blog/2008/04/an-open-letter.html

So now that the same group is saying this about Intel chips, it's sort of like the boy who cried wolf. This time, it might be a more credible threat, but who knows? I tried to read the comments over at Tech Republic, but gave up quickly because the format doesn't allow you to view all posts without ponying up. And every time you click on a comment individually, you get a floating nag screen. Way to marginalize yourself.

Anyway, I'd like to find someplace to see if the chip I have is vulnerable.
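Added example, written by the editor for this page; it is not code from the thread, from Network World, or from the researchers named in the original post, and it answers the question in post #34 with the one check a practitioner can actually run on their own box. The announcement quoted in the original post says only that the escalation from Ring 0 to SMM abuses the CPU's cache mechanisms. Whether SMRAM can be cached from outside SMM is decided by the MTRRs, which any Ring 0 code can reprogram, and, on CPUs that have them, by the SMRRs (IA32_SMRR_PHYSBASE/IA32_SMRR_PHYSMASK, advertised by bit 11 of IA32_MTRRCAP), which the firmware programs and which make the SMRAM range uncacheable outside SMM regardless of the MTRRs. Those MSR addresses and bit layouts are Intel's documented ones; the script reads them through Linux's /dev/cpu/N/msr interface, so it needs root and the msr module (modprobe msr), which is consistent with the attack itself starting in Ring 0. Editor's assumptions: the SMRAM (TSEG) base is passed on the command line because it lives in a chipset-specific register, a 36-bit physical address width, SMRAM above 1 MiB so fixed-range MTRRs do not apply, and all function and constant names.

```python
"""smrr_check.py: can SMRAM on this Intel system be cached from outside SMM?

Editor's example, not code from the thread or from the researchers.
Linux only: needs root and the msr module (modprobe msr). The decode
functions are pure and can be exercised with constructed register values.
"""
import os
import struct
import sys

# Architectural MSR addresses and bit layouts (Intel SDM).
IA32_MTRRCAP = 0x0FE          # bits 7:0 VCNT, bit 8 FIX, bit 10 WC, bit 11 SMRR
IA32_MTRR_DEF_TYPE = 0x2FF    # bits 7:0 default type, bit 10 FE, bit 11 E
IA32_MTRR_PHYSBASE0 = 0x200   # PHYSBASEn = 0x200 + 2n, PHYSMASKn = 0x201 + 2n
IA32_SMRR_PHYSBASE = 0x1F2
IA32_SMRR_PHYSMASK = 0x1F3
MEM_TYPES = {0: "UC", 1: "WC", 4: "WT", 5: "WP", 6: "WB"}
PHYS_BITS = 36                # assumption; the real value comes from CPUID 0x80000008


def read_msr(msr, cpu=0):
    """Read one 64-bit MSR through /dev/cpu/<cpu>/msr (root, msr module)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def decode_mtrrcap(cap):
    return {"vcnt": cap & 0xFF, "fix": bool(cap >> 8 & 1),
            "wc": bool(cap >> 10 & 1), "smrr": bool(cap >> 11 & 1)}


def decode_range(base, mask, phys_bits=PHYS_BITS):
    """Decode a PHYSBASE/PHYSMASK pair (same layout for variable MTRRs and SMRR).
    Returns None when the valid bit (PHYSMASK bit 11) is clear."""
    if not mask >> 11 & 1:
        return None
    addr_mask = ((1 << phys_bits) - 1) & ~0xFFF
    m = mask & addr_mask
    return {"base": base & m, "mask": m,
            "size": (~m & addr_mask) + 0x1000,        # power-of-two range length
            "type": MEM_TYPES.get(base & 0xFF, "?")}


def range_covers(r, addr):
    """Hardware match rule: (addr & mask) == (base & mask)."""
    return (addr & r["mask"]) == r["base"]


def mtrr_type_at(var_mtrrs, def_type, addr, phys_bits=PHYS_BITS):
    """Effective variable-MTRR memory type at addr. Fixed-range MTRRs only
    cover the first 1 MiB and are ignored (TSEG SMRAM lives above that)."""
    if not def_type >> 11 & 1:                 # E=0: every address is UC
        return "UC"
    hits = [r["type"] for r in (decode_range(b, m, phys_bits) for b, m in var_mtrrs)
            if r and range_covers(r, addr)]
    if not hits:
        return MEM_TYPES.get(def_type & 0xFF, "?")
    if "UC" in hits:                           # overlap precedence per the SDM
        return "UC"
    if "WT" in hits and "WB" in hits:
        return "WT"
    return hits[0]


def assess(cap, smrr_base, smrr_mask, var_mtrrs, def_type, smram_base):
    """Combine the registers into a verdict for the SMRAM at smram_base."""
    c = decode_mtrrcap(cap)
    smrr = decode_range(smrr_base, smrr_mask) if c["smrr"] else None
    covers = bool(smrr and range_covers(smrr, smram_base))
    if not c["smrr"]:
        verdict = "exposed"             # cacheability is whatever the MTRRs say
    elif smrr is None:
        verdict = "smrr-not-programmed"
    elif not covers:
        verdict = "smrr-misses-smram"
    else:
        verdict = "protected"           # SMRR forces UC outside SMM for this range
    return {"smrr_supported": c["smrr"], "smrr_enabled": smrr is not None,
            "smrr_covers_smram": covers,
            "mtrr_type_at_smram": mtrr_type_at(var_mtrrs, def_type, smram_base),
            "verdict": verdict}


def main(argv):
    if len(argv) != 2:
        print(f"usage: sudo {argv[0]} <smram_base_hex>  # TSEG base from the chipset", file=sys.stderr)
        return 2
    smram_base = int(argv[1], 16)
    cap = read_msr(IA32_MTRRCAP)
    vcnt = decode_mtrrcap(cap)["vcnt"]
    var_mtrrs = [(read_msr(IA32_MTRR_PHYSBASE0 + 2 * n), read_msr(IA32_MTRR_PHYSBASE0 + 2 * n + 1))
                 for n in range(vcnt)]
    # Reading the SMRR MSRs on a CPU without SMRR support faults, so gate on MTRRCAP.
    smrr_b = read_msr(IA32_SMRR_PHYSBASE) if cap >> 11 & 1 else 0
    smrr_m = read_msr(IA32_SMRR_PHYSMASK) if cap >> 11 & 1 else 0
    result = assess(cap, smrr_b, smrr_m, var_mtrrs, read_msr(IA32_MTRR_DEF_TYPE), smram_base)
    for key, value in result.items():
        print(f"{key:>20}: {value}")
    return 0 if result["verdict"] == "protected" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A verdict of "exposed" means the CPU has no SMRR at all, so the only thing standing between Ring 0 and cacheable SMRAM is the MTRR configuration that Ring 0 itself controls; that is the situation post #23 guesses at when it says a BIOS update may not help. "smrr-not-programmed" is the firmware's fault rather than the CPU's and is the case a BIOS update can fix. The reported mtrr_type_at_smram is informational: WB there with SMRR covering the range is normal, since SMM code wants its own memory cached.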
 
earcandle, Donating Member (1000+ posts), Thu Mar-19-09 01:50 PM
Response to Reply #34
40. uh huh...

ohheckyeah, Donating Member (1000+ posts), Thu Mar-19-09 01:49 PM
Response to Original message
39. Question
Why are these people releasing the exploit code?

hootinholler, Donating Member (1000+ posts), Thu Mar-19-09 02:12 PM
Response to Reply #39
42. Because it won't be a secret if they don't.
If they found it, then others will also. Kinda like sunshine is the best disinfectant, in government and in code.

-Hoot

ohheckyeah, Donating Member (1000+ posts), Thu Mar-19-09 02:19 PM
Response to Reply #42
45. But aren't they just helping others to "find" it?
It seems to me they are just aiding and abetting those who would use the code for illegal purposes.

hootinholler, Donating Member (1000+ posts), Thu Mar-19-09 03:15 PM
Response to Reply #45
55. Often in this field things appear counterintuitive
The concept is known in the industry as full disclosure. Odds are that there are already exploits out there now, this one's been around a long time.

The white hat generally will notify the company involved to give them some lead time to get a fix out (in this case there is no fix as it's a hardware exploit) before announcing the exploit. Full disclosure is best for all concerned, more eyes on the problem and those developing similar systems should be aware so they don't leave a similar hole.

-Hoot

yowzayowzayowza, Donating Member (1000+ posts), Thu Mar-19-09 02:16 PM
Response to Reply #39
43. Basically, Identifying aspects of the attack vector need ...
to be incorporated into virus scan softwares.

ohheckyeah, Donating Member (1000+ posts), Thu Mar-19-09 02:41 PM
Response to Reply #43
48. Couldn't they just give or sell the information
to the virus protection companies instead of putting it out where anyone and everyone can get it?

I'm not trying to be argumentative, I just don't understand.

Blue_Tires, Donating Member (1000+ posts), Thu Mar-19-09 02:18 PM
Response to Original message
44. so does that mean a massive recall or lawsuit?

Bragi, Donating Member (1000+ posts), Thu Mar-19-09 02:32 PM
Response to Original message
46. It's now 19:30 UTC, so what's happening? /NT
 
swag Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 02:53 PM
Response to Reply #46
53. .
 
Buns_of_Fire Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 02:33 PM
Response to Original message
47. Wow! A HYPERvisor! Cool!
Excuse me, I don't deal with mere SUPERvisors. I demand to speak with your HYPERvisor!

:shrug:
 
hamerfan Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 02:49 PM
Response to Reply #47
52. So is this thing an .exe file?
If you're not running day-to-day in an Admin account, would this require your Admin name and password to execute? Or does it just bypass that layer and live deeper?
hamerfan
 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 03:13 PM
Response to Reply #52
54. Wouldn't have to be.
Anything that is executed by your CPU could contain this virus. There are lots and lots of things that you visit every day that execute locally (on your system). Lots of files that you download, even some web pages you might visit, even an email attachment you might open with your email system. All of them have the potential to execute some code in the object being viewed, opened, etc.

And that is all that it takes.

Once executed, the exploit would be able to bury the "virus" (some more code) deep inside your CPU, not on your disk drive, not in the memory subsystem, but inside the CPU. It would have to be small, a few dozen to a few hundred instructions, but that's enough to do enormous damage.

Reloading Windows won't get rid of it... all the virus scanning in the world won't get rid of it... hell, nothing will even detect it.

Actually, that's not quite true... I just thought of a way for application code to POTENTIALLY detect it... but even that would be some very sophisticated code.

Still couldn't do anything about it, other than tell you to buy a new CPU (again, there might be a way to "fix" it, but it might be cheaper and simpler to buy a new CPU).

And there might well be quite a number of CPUs (older Intel models) that are not affected.
 
BrightKnight Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:21 PM
Response to Reply #54
58. .
Edited on Thu Mar-19-09 04:22 PM by BrightKnight
 
DainBramaged Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:03 PM
Response to Original message
57. The malware code takes over a PC (OMG THE CPU IS FAILING)
Edited on Thu Mar-19-09 04:23 PM by DainBramaged
You can't "take over" a PC unless you "take over" the operating system. Panic, it's like when the whiskey runs out. :eyes:
 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:29 PM
Response to Reply #57
61. Do you have any idea what you are talking about?
Do you understand where this exploit even IS? It's above the hypervisor. Even the "OS" doesn't touch (or even know about) the hypervisor. Of COURSE it can "take over" your machine. Even if you don't even HAVE an OS. It changes (potentially) the way the CPU works! You think you are doing a shift left 16 bits in register XXX and IT (the CPU) does something entirely different.

Because CPUs are no longer simple hard-wired gate sequences (like they were when I taught this subject at the University). Now, everything is programmable. And this exploit allows someone to change the programming to whatever they want.

It's the ultimate "takeover".
 
DainBramaged Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:40 PM
Response to Reply #61
64. I fully understand. Tell me how someone can control this exploit without controlling the OS.
Edited on Thu Mar-19-09 04:44 PM by DainBramaged
I'll be waiting in the Lounge, for a long time. Oh, I forgot, if I have a system without an OS, the CPU can "talk to the exploiter" as if this is the 23rd century when all things mechanical will be extinct.

Silly rabbit, you believe the hype.

PS: HERE is an exploit code, and without OS exploit code, machine-level code ain't working. Oh, and you keep saying virus; how could you know the delivery vehicle when the publishers don't even know how to deliver this miraculous code?

http://www.securiteam.com/exploits/5SP0L159FC.html

:rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl: :rofl:
 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:56 PM
Response to Reply #64
67. Good, I never go to the lounge.

Of course, I write microcode all the time. Don't have any pesky OSes around. And, yeah, we even have our own networking stack and do the whole TCP/IP thing (and someone ported a realtime web browser to the damn thing. Imagine that!) Lord help us if someone decides that we need a Java virtual machine embedded in the RTOS, just so they can go surf some really cool website (well, probably more like send error reports to a tracking website for the high-end disk controller I work on); that would suck.

Why would you need an OS?

Probably the delivery vehicle of choice would require Winblows. Because it's the most popular. Second candidate would be MacOS and FreeBSD (same code base for both, btw). Third (if they really want to hurt some people) would be Wind River or some other embedded RTOS.

I use virus because that would be the standard delivery system for this exploit. But then, I was hacking systems back when John Brunner was writing about hacking systems... worm, virus, whatever.

Most people use the term virus because that's what the know-nothings in the media use.
 
DainBramaged Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 05:01 PM
Response to Reply #67
68. I'll leave your 'stack" with this
You still need to control the OS to control the computer. You can claim that this 'stealthy' code will execute in the background and communicate everything personal in your system without your knowledge, but that is a physical impossibility.

Keep trying to panic the people here who are computerz illiterate, you make lots of new friends that way. Oh and what my friends and I did way back was cracking, not hacking, hacking was for the kiddies.


Buh-bye

 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 05:45 PM
Response to Reply #68
70. Hahahahaha...
You're funny. Just how much code do you think it takes to insert an outgoing IP packet? It's not like you have to write a complete IP stack and device driver... just because this little thing doesn't need an OS doesn't mean it can USE one for its own devices... the comment about "doesn't need an OS" was aimed at making people understand that this thing is a bit harder to find than the usual irritating crap floating around the 'net.

So yeah, I'm pretty sure a good HACKER (that's what they call themselves these days, sport) could actually use this to transmit every keystroke to someone.

But the more likely hack (damaging to the economy) is to simply lock up the machine. No amount of rebooting/reloading will fix it.

And, sport, I was cracking/hacking (we didn't have a term for it) long before you even learned how to type. Like with plugboard computers... and IBM 026 punchcards... and stuff.
 
DainBramaged Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 08:33 PM
Response to Reply #70
76. I'm glad you think your computer dick is bigger than mine, so bite me
"Click"

you shouldn't make people paranoid on here, they have enough to worry about.

Goodbye, 'sport'.
 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 08:48 PM
Response to Reply #76
77. Goodbye to you too.
I have no idea how this will spread. That such a potential exploit exists should worry those in the security domain.

And, yeah, I have a pretty big "computer dick"...

I'm pretty goddam sure you've benefited from some of my computer innovations. So, yeah, byte me.
 
NavyDem Donating Member (284 posts) Send PM | Profile | Ignore Fri Mar-20-09 07:47 PM
Response to Reply #70
103. Question...
How would something like this work with an OS that does not allow direct interaction with the Hardware? If memory serves, Windows based systems use the hardware abstraction layer to prevent applications from directly accessing hardware.

Please note, not challenging your knowledge, just trying to expand my own.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 06:03 PM
Response to Reply #64
72. Because with hypervisor control, it could spawn a VM.
In other words, your main OS buzzes along happily while a tiny secondary VM of the writers choosing does whatever it wants on your system.

So you distribute a virus that hijacks the hypervisor and bootstraps a micro-OS for the secondary VM. At that point, the author would have the choice to either cache the micro-OS in a tiny secondary partition (under 1mb, with a deadman switch to kill the computer if a low level format happens), or to park it in any available flash chips on the board. If they wanted to really be a prick, they could just use the access to shut down your computer at that moment.

The only real problem is delivery...you have to get the computer user to execute the malicious payload first. Once that's done, this exploit could deal incredible damage. If executed properly, it could force you to replace your computer.
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 11:28 PM
Response to Reply #72
81. Can't you possibly move the payload in through a backdoor?
Let's say, the machine is already compromised, and the cracker/hacker has administrator privileges. Can't the cracker/hacker deliver the payload that way, and so make sure that the computer is always infected?
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:30 PM
Response to Reply #81
85. Certainly. Delivering this to an already compromised machine would be trivial.
If this hole can be developed into a fully mature exploit, and I have little doubt that someone will do so eventually, then I'd virtually guarantee that most existing botnet operators will "upgrade" their networks to utilize it.

Getting the exploit to run on a new computer would be a bit more involved than getting someone to click on a vbs worm, but it could be done. Getting it to run on an already compromised machine wouldn't even be a challenge for a script kiddie newb.
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:43 PM
Response to Reply #85
88. How could such a thing stay resident, though?
Doesn't die once the machine is shut down? I mean, it isn't a hardware change. Unless a capacitor keeps part of the chip going?

Now, can't you just move in your own "fix"?
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:32 PM
Response to Reply #88
94. There are many possibilities there.
An exploit running unimpeded with that level of access has a number of ways to stay resident. Obviously it can't hang out in the CPU when the board is powered down, but an exploit at that level could have access to everything from the hypervisor to the BIOS ROM. Any programmable chip on the mainboard could potentially be compromised with a bootstrapper to reload the main payload on power up.

So...the exploit gets into the cache and bootstraps its launch code into the SMM. Once that launch code executes, it pulls the rest of its operating data from the original delivery package (or a remote host, it doesn't matter), accesses the hypervisor, and generates a new mini VM running a micro-OS and whatever payload they want. That micro-OS has its own loader that checks the HDD, identifies unallocated addresses, and writes itself (preferably redundantly) to multiple empty locations on the HDD outside of the filesystem (the micro-OS would allow the loader to create a secondary FS on the disk using any unallocated space as well, but writing to the existing FS without updating the MFT would provide the writer with an easier way to store the data without detection).

At that point it's a matter of just rewriting the FS, bios, or whatever vector they can identify to bootstrap their VM first. When their system loads, before the primary OS is even touched, they can reload their original payload back into the SMM, pull a copy of the original file from the disk and load it into a protected memory location, and resume whatever operations they were doing in their VM. Even if you wipe the disk at that point, a copy of the exploit code is living in RAM and can be rewritten to the disk at will. If you format the drive, an exploit with this level of access could actually write itself to the disk AS YOU WERE FORMATTING IT.

Replacing the hard disk would work to cut this off, but an update to the CPU microcode could plant a deadman switch to "get even" if that happened. All they'd need to do is make some register dependent on some other new function in the SMM. If you wipe the VM at that point by replacing the hard disk, the CPU errors out. Now you're replacing a CPU and a hard drive.

This is all just theoretical of course. It's been a long time since I've mucked around with anything at that level, and I may be missing something here, but it seems to me that an exploit that can execute at that level of privilege could do nearly anything on the compromised computer.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:30 PM
Response to Reply #81
86. dupe
Edited on Fri Mar-20-09 12:31 PM by Xithras
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:40 PM
Response to Reply #86
87. delete
Edited on Fri Mar-20-09 01:06 PM by caseymoz
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:59 PM
Response to Reply #87
90. Wtf?
I honestly have no idea what you're talking about, or why you posted it to an empty dupe?!?!
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:09 PM
Response to Reply #90
92. Did I misunderstand what an "empty dupe" is supposed to mean?
I thought it meant you were fucking with me throughout and you just sprung the joke. I apologize if that wasn't your meaning. I'm sorry.

What did you mean?
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:36 PM
Response to Reply #92
95. Lol! Dupe=Duplicate
It means that I accidentally clicked the Submit button twice when I was writing the post above it, so the post showed up twice. It was duplicated. Rather than leave it there, I edited and replaced the second.

Since we can't delete the redundant post, the "dupe" tag just lets people know why there's an empty post there.

It wasn't pointed at you (or anyone else) at all.
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 03:53 PM
Response to Reply #95
97. I always just put "delete" and thought everybody did. Sorry.
 
BrightKnight Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:23 PM
Response to Original message
59. Nothing has been posted on CERT. Also, Periodic paranoid updates
Edited on Thu Mar-19-09 04:37 PM by BrightKnight
would probably at least prevent someone from storing malicious code on the processor IF this is real. I do not need to know that my computer is infected to clean it.

http://www.kb.cert.org/vuls/

http://www.kb.cert.org/vuls/bymetric?open&start=1&count=20
 
lapfog_1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 04:34 PM
Response to Reply #59
62. Sigh...
You can't "clean" it because there isn't virus-detecting software built to even find it, much less clean it.

The best you can hope for is to prevent the execution of some piece of code that delivers the virus. That's about it.

Given the state of things today, a clever virus writer could easily install this in something that isn't readily detectable as a new virus delivery "malware". Most virus scan stuff looks at things in memory or on hard disk. Once delivered, this virus isn't in either place (it's stored in the CPU). And most virus scan stuff depends on cleaning up after delivery.
 
BrightKnight Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 05:38 PM
Response to Reply #62
69. No reputable security site is reporting the exploit and
Edited on Thu Mar-19-09 05:47 PM by BrightKnight
If malicious code can read and write to a processor register then so can other software.

First it is an exploit and then it is a place to store malicious code that can only be read by the malicious code. I don't buy that but if I did writing something to the address space every 60 seconds would prevent malicious code from being stored there.

Tech Republic is just a forum and should not be used as a primary source.
 
BrightKnight Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:50 AM
Response to Reply #62
82. Using CPU SMM to Circumvent Operating System Security
http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf

This is an article from 2006.

I did not read the OP very carefully. Network World is generally a reliable source.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 12:54 PM
Response to Reply #59
89. CERT only issues warnings when exploits are "wild" or patches are issued.
In this case, it's merely proof-of-concept code being released. CERT won't send anything out until someone starts rooting machines with it.

By the way, your suggestion won't work. The exploit uses a CPU caching vulnerability to gain access to the SMM, which is not directly writeable by the OS under ANY circumstances. The vulnerability allows the exploit to plant code into the SMM, which can then execute without any interference from anything. That initial execution uses the caching vulnerability to bootstrap the payload into the SMM, but isn't required once that initial execution is completed. The only hope you'd have of removing the illicit code would involve you executing your own version of the cache exploit to overwrite the viral code within the SMM addresses. Since you can't overwrite it all (obviously, the system would fail if you tried), this overwriting process would require you to know exactly what data was written and exactly what addresses it's currently residing at. And if the illicit code overwrote or replaced something important, you're simply screwed.

If the coder is really skilled, an exploit of this kind could also potentially update the system's microcode to slam the original exploit closed after it installs itself anyway. Since the exploit relies on a caching flaw to install itself, a microcode update that shut down caching would essentially become invulnerable to removal. The system owner would instantly know that something was wrong with the computer, but they'd have no way to confirm what the problem was and no way to fix it short of replacing hardware. I'd have to think about it a bit, but it might even be possible to route calls to some sort of parser that would identify incoming exploits and intermittently shut down caching to block removal by a computer owner or competing botnet WITHOUT disabling caching on a permanent basis.

It's an interesting suggestion, but it is the equivalent of changing the locks on the door after the burglar is already inside.
 
Vehl Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 06:18 PM
Response to Original message
73. !!!!!!!! reminds me of the hidden scanner/printer code scandal
Edited on Thu Mar-19-09 06:22 PM by Vehl
Oh god this is too horrible to even contemplate...

If Intel knew about this and did not inform the public, it's gonna lose big time.

One wonders why they did nothing about this. Reminds me of the scanner/printer companies incorporating code in order to comply with NSA instructions.

Sleuths Crack Tracking Code Discovered in Color Printers
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html
 
Grinchie Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 11:08 PM
Response to Reply #73
80. Thanks for that link. I hadn't seen it before.
 
hunter Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Mar-19-09 07:01 PM
Response to Original message
75. My computer has DogHair® inside.
No worries.
 
Skink Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:40 AM
Response to Original message
83. I got my coupon months ago and the DTV is working fine.
Edited on Fri Mar-20-09 01:41 AM by Skink
What's really annoying though is every time I switch channels for a full second it says scanning.
 
unc70 Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 10:45 AM
Response to Original message
84. Maybe hide the exploit in other hardware init code
Pre-infected hardware is already a problem, but only rarely gets much reporting. We maybe hear of various USB items carrying autorun infections -- picture frames, keyfob "disks", cameras, iPods, etc. These infections are just updated versions of the problems we had with floppy disks.

Harder-to-detect malware can be hidden in the initialization code for other hardware components -- things like graphics cards, disk controllers, network controllers. Infection of such components can happen during manufacturing (corrupt master), distribution, or during operations by using the same techniques used to update the "firmware".

Based on what little I know of this alleged flaw in the Intel chip, I suspect it might be vulnerable during this early power-up phase of low-level initialization using other components as the attack vector.

I have posted about the risk posed by using insecure chip foundries and manufacturing facilities around the world to produce critical systems for military, voting systems, financial transactions, or anything else. My journal has some of these posts.

In the modern world, once a "secured" system is breached, it cannot be "re-secured". When the Naval War College was breached over two years ago, it was reported that they replaced all the hardware involved.

We have reached the point that almost no computer system is provably secure.
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:04 PM
Response to Reply #84
91. How can a firmware rewrite stay resident when the box is powered down?

Is it self-powered with on-board capacitors? I guess it must be. Is there a way to run it down for a reset? I mean, switch it out for a period of time?

Moreover, can't you just download-counter-firmware? Things that fix the problem. I hear that chip manufacturers have firmware updates on their sites, though I've never checked them.

Also, can an attack like this be effective without OS changes or other higher level software? It seems to me that the main symptom would be if you keep getting spyware on your system and can't get rid of it.

Or is it that the VM could totally hide a shadow system on you, but then can the VM actually "see" the rest of your computer? It seems to me a VM isn't supposed to see anything outside of it without some software support.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:44 PM
Response to Reply #91
96. Firmware generally exists in static flash memory nowadays.
It's the same stuff that keeps those files on your USB drive when you unplug it from your computer.

The only problem with writing the exploit to HW firmware is that firmware tends to be highly variable between manufacturers and devices. It would be very difficult (though not impossible) to create a firmware exploit that would run on a wide variety of hardware.

As for that last part, you are correct, but this is the danger of this particular exploit. Typically the hypervisor prevents VM's from interacting with each other and would keep the system relatively secure from cross infection, but this code executes at the SMM level which gives it de facto control of hypervisor processes. It WOULD need software support to peer across VM's, but with that level of access it has everything it needs to provide itself with whatever access it wants. SMM operates at a lower level than the hypervisor, which makes the protections provided at that level less than useless (less because a person who thinks he's secure and isn't is in even more danger than a person who is fully aware of his security issues).
 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 04:10 PM
Response to Reply #96
98. I wondered if static flash were in some way powered.

It doesn't need a lot of power to operate, I know, but I really thought that static flash memory will deteriorate without eventually being powered up. How long can it sit before the firmware fades? Might there be a way to recover it after that point. How long? Five years?

Now, another problem a cracker would have, it would seem that something like this is more likely to permanently crash the chip than it is to work. Not only that, the operator has to notice something when the firmware is changed. You can't make that big a change that deep in the processor without the PC acting very odd. The attempt doesn't seem like it would be necessary either, since a third of all computers have already been hacked and are zombies for somebody.

But I suppose somebody might get a practical plan for doing it, or trying it.
 
Xithras Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 04:46 PM
Response to Reply #98
99. More like "self powered".
This really isn't the place to get into the intimate details of floating gate transistor theory, but it basically boils down to this. A charge is applied to a tiny transistor that flips the bit to "on". The transistor is extremely well insulated, so the charge can only escape via entropic losses. Since most modern electronics can detect the cell charge down to a tiny fraction of its original amount, and since entropic losses are very small in modern transistors, the data embedded in those flash chips can be readable for an extremely long time. They haven't been around long enough to actually test, but the most common estimate is that a flash chip programmed today will be readable for at least a decade, and possibly two, without it ever being connected to any sort of power source.

 
caseymoz Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 05:35 PM
Response to Reply #99
100. Thank you for all the information . . .
 
struggle4progress Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 01:19 PM
Response to Original message
93. Intel CPU-level exploit could be tempest in a teapot (Ars Technica)
By Joel Hruska | Last updated March 20, 2009 8:25 AM CT

... The term "ring" refers to protective rings that encircle the OS kernel. Ring 3 (defined as "Applications" in the diagram below) is where users and programs should spend the vast majority of their time. Applications should never need access to Ring 0 or kernel mode, as it amounts to writing the application a literal carte blanche to modify, change, or delete anything it wants. One of the features Intel's Vanderpool (VT) technology offers is the ability to virtualize an OS starting from what we might call "Ring -1." An OS launched from Ring -1 can therefore run its own Ring 0 operations and is more effectively sandboxed from the host operating system.

The exploit Rutkowska unveiled (PDF) yesterday affects System Management Mode (SMM); the security team describes SMM as equivalent to Ring -2. Code operating this deep could do virtually anything, all while operating on a level too deep for an OS-level scan to reasonably detect. Access to this mode and the memory block where it's stored (known as SMRAM) is therefore extremely restricted. The memory controller is configured to lock SMRAM access exclusively to the BIOS, which then copies the SMM code into SMRAM. Once that copy is complete, the BIOS disallows all further access/modification requests that originate from outside the SMM memory block. Because the SMM module operates at Ring -2, no other program, hypervisor, or OS kernel has sufficient authority to access the memory block.

... An attacker who wishes to modify the code within the SMM must first locate the SMRAM region within system memory and designate it as a write-back cache. Once the address range is properly specified, our hypothetical hacker "creates write accesses to the SMRAM's physical address range." Because the space has been previously set as WB cacheable, the accesses are cached rather than rejected. Next, the attacker triggers a System Management Interrupt (SMI), which orders the CPU to enter System Management Mode and execute the code therein. The CPU drops into SMM happily enough, but when it fetches code from SMRAM, it fetches the corrupted cached data first. The result, says Rutkowska, is that "the above scenario allows for arbitrary SMM memory overwrite (and later code execution...)."

... an attacker would need a great deal of time and in-depth information on a particular system configuration in order to launch the type of attack described above. For all the furor surrounding the idea of a chip or chipset-level vulnerability, the chances of a general exploit going wild are virtually nil. General exploits thrive on commonalities; Rutkowska's SMM assault requires extreme specificity ...

http://arstechnica.com/security/news/2009/03/storm-over-intel-cpu-security-could-be-tempest-in-a-teapot.ars
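The attack sequence quoted above has one precondition that can be audited: the SMRAM physical range has to resolve to write-back cacheable under the variable-range MTRRs, otherwise the attacker's writes are not cached and the SMI fetch is not poisoned. The script below is an added example written for this page; it is not code from the Rutkowska/Wojtczuk paper, the Ars Technica article, or any poster in this thread. It parses a Linux /proc/mtrr listing, applies the MTRR overlap rules (no entry means the default type, any uncachable entry wins, write-through beats write-back, other mixes are undefined), and reports which parts of SMRAM are write-back. The two listings and the SMRAM base and size are constructed placeholders, not values from a real board; the default memory type is assumed to be uncachable.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class Mtrr(NamedTuple):
    base: int     # physical base address
    size: int     # length in bytes
    mtype: str    # memory type as /proc/mtrr spells it, e.g. "write-back"


# One variable-range entry as Linux prints it in /proc/mtrr, e.g.
#   reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
LINE_RE = re.compile(
    r"reg\d+:\s+base=0x([0-9a-fA-F]+)\s+\(.*?\),\s+size=\s*(\d+)(MB|KB),"
    r"\s+count=\d+:\s+([a-z-]+)"
)


def parse_proc_mtrr(text: str) -> List[Mtrr]:
    """Parse the variable-range MTRRs from a /proc/mtrr listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        unit = 1024 * 1024 if m.group(3) == "MB" else 1024
        entries.append(Mtrr(int(m.group(1), 16), int(m.group(2)) * unit, m.group(4)))
    return entries


def _resolve(types: Set[str], default_type: str) -> str:
    """Combine the types of all MTRRs covering one piece of memory, per the
    Intel overlap rules: no entry -> default type; any uncachable entry wins;
    write-through beats write-back; any other mix of types is undefined."""
    if not types:
        return default_type
    if "uncachable" in types:
        return "uncachable"
    if len(types) == 1:
        return next(iter(types))
    if types == {"write-through", "write-back"}:
        return "write-through"
    return "undefined"


def effective_types(mtrrs: List[Mtrr], base: int, size: int,
                    default_type: str = "uncachable") -> List[Tuple[int, int, str]]:
    """Split [base, base+size) at every MTRR boundary that falls inside it and
    return (segment_base, segment_size, effective_type) for each piece."""
    end = base + size
    cuts = {base, end}
    for m in mtrrs:
        for p in (m.base, m.base + m.size):
            if base < p < end:
                cuts.add(p)
    points = sorted(cuts)
    segments = []
    for lo, hi in zip(points, points[1:]):
        # Between two cut points an MTRR either covers the whole piece or none of it.
        covering = {m.mtype for m in mtrrs if m.base <= lo and hi <= m.base + m.size}
        segments.append((lo, hi - lo, _resolve(covering, default_type)))
    return segments


def smram_write_back_segments(mtrr_text: str, smram_base: int,
                              smram_size: int) -> List[Tuple[int, int, str]]:
    """Return the parts of SMRAM that are write-back cacheable, i.e. the parts
    where the cached write described in the excerpt would be accepted."""
    segs = effective_types(parse_proc_mtrr(mtrr_text), smram_base, smram_size)
    return [s for s in segs if s[2] == "write-back"]


def smram_is_attackable(mtrr_text: str, smram_base: int, smram_size: int) -> bool:
    return bool(smram_write_back_segments(mtrr_text, smram_base, smram_size))


# Assumed placeholder for the SMRAM (TSEG) window: 8 MB just below a 2 GB DRAM top.
# Real values come from the chipset's TSEG registers and differ per board.
SMRAM_BASE = 0x7F800000
SMRAM_SIZE = 8 * 1024 * 1024

# Constructed /proc/mtrr listing (not from a real machine): firmware marked the
# SMRAM window uncachable, which overrides the 2 GB write-back range beneath it.
BASELINE = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x07f800000 ( 2040MB), size=    8MB, count=1: uncachable
"""

# Constructed listing for the same machine after ring-0 code reprogrammed reg01
# to write-back, the first step in the Ars Technica description above.
POISONED = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x07f800000 ( 2040MB), size=    8MB, count=1: write-back
"""

if __name__ == "__main__":
    for name, dump in (("baseline", BASELINE), ("poisoned", POISONED)):
        for lo, size, mtype in effective_types(parse_proc_mtrr(dump), SMRAM_BASE, SMRAM_SIZE):
            print(f"{name}: 0x{lo:09x}+0x{size:x} -> {mtype}")
        print(f"{name}: attack precondition met = {smram_is_attackable(dump, SMRAM_BASE, SMRAM_SIZE)}")
```

Two caveats. /proc/mtrr lists only the variable-range registers, so this covers a TSEG-style SMRAM window above 1 MB and says nothing about the legacy window under the fixed-range MTRRs. And since the attacker in the excerpt is already in ring 0 and programs the MTRRs himself, a listing read from the same OS only shows whether the precondition holds at the moment of reading; it is an audit signal, not a defence, which is the point made further up about changing the locks after the burglar is inside.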
 
fascisthunter Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Mar-20-09 05:47 PM
Response to Original message
102. damn... and I thought Skinner was Controlling this Intel-Driven Mac
now it could be ANYONE!
 
jazzjunkysue Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Mar-23-09 08:45 AM
Response to Original message
105. Glad I got the guarantee....Hope it's covered......
just got mine back from repair!
 

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.


© 2001 - 2011 Democratic Underground, LLC