Attacking SMM memory via Intel CPU cache poisoning

System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as “Ring -2”, as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as operating in “Ring -1”.

The SMM code lives in a specially protected region of system memory, called SMRAM. The memory controller offers dedicated locks to limit access to SMRAM memory only to system firmware (BIOS). BIOS, after loading the SMM code into SMRAM, can (and should) later “lock down” system configuration in such a way that no further access, from outside the SMM mode, to SMRAM is possible, even for an OS kernel (or a hypervisor).

Rafal Wojtczuk and Joanna Rutkowska today published a paper that discusses an architectural problem affecting Intel-based systems that allows for unauthorized access to SMRAM. It also discusses how to practically exploit this problem, showing working proof-of-concept code that allows for arbitrary SMM code execution. This allows for various kinds of abuse of the super-privileged SMM mode, e.g. via SMM rootkits.
