New Spectre Attack Can Reveal Firmware Secrets (zdnet.com)
Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM). ZDNet reports: Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware. SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software. SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, known as System Management Interrupt (SMI) handlers.
"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (e.g., hypervisor, operating system, or application)," Bulygin explains. To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set of range registers that protect SMM memory. "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.
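The technical core of the summary is that Spectre variant 1 abuses a bounds check that is architecturally correct. As an added illustration (not code from the Eclypsium research, ZDNet, or any firmware), here is a bounds-checked lookup in the variant 1 gadget shape beside its hardened version, which clamps the index with the branchless mask used by the Linux kernel's portable array_index_mask_nospec(); the table contents and the function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table standing in for data that an SMI handler (or any
 * privileged code) indexes with a caller-supplied value. Hypothetical. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf
};

/* Spectre variant 1 gadget shape: the bounds check is architecturally
 * correct, but while the branch is unresolved the CPU may speculatively
 * execute table[idx] with an out-of-range idx. The value never reaches the
 * caller, yet the load leaves a cache footprint that can be measured. */
uint8_t lookup_unsafe(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless index clamp, same arithmetic as the portable fallback of the
 * Linux kernel's array_index_mask_nospec(): yields all-ones when idx < size
 * and zero otherwise, with no data-dependent branch, so the result holds
 * even on a mispredicted path. Assumes size <= SIZE_MAX/2 and an arithmetic
 * right shift on signed integers (true on gcc, clang and MSVC). */
static inline size_t index_nospec(size_t idx, size_t size) {
#if defined(__GNUC__)
    __asm__("" : "+r"(idx)); /* stop the compiler from reasoning about idx */
#endif
    intptr_t m = ~(intptr_t)(idx | (size - 1 - idx));
    size_t mask = (size_t)(m >> (sizeof(size_t) * 8 - 1));
    return idx & mask;
}

/* Hardened form: architecturally identical to lookup_unsafe(), but the
 * speculative load can no longer reach past table[]. */
uint8_t lookup_safe(size_t idx) {
    if (idx < TABLE_LEN)
        return table[index_nospec(idx, TABLE_LEN)];
    return 0;
}

int main(void) {
    size_t probes[] = { 3, 15, 16, (size_t)-1 };
    for (size_t i = 0; i < 4; i++)
        printf("idx=%zu -> clamped %zu, safe lookup 0x%02x\n", probes[i],
               index_nospec(probes[i], TABLE_LEN), lookup_safe(probes[i]));
    return 0;
}
```

Only the architectural result can be asserted in a test; whether the compiler really emitted a branchless mask has to be confirmed in the generated assembly.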
Too bad (Score:4, Insightful)
Re: (Score:1)
If processors were open source, at least Intel could have said: "you should have read our VHDL code". Instead though, Intel is paying the price for being closed source.
Re: Too bad (Score:2, Insightful)
"Many eyes make all bugs shallow."
False.
OpenSSH was open source, and it fell foul of some nasty bugs. Open source is no panacea and it's dangerous to suggest otherwise. It leads to a false sense of security. You assume someone is watching when, in fact, no-one is watching.
It's still better than closed source, but it won't save your ass.
Re:Too bad (Score:5, Insightful)
Too bad this guy didn't do his job when he was at Intel.
Well, he could do us all a big favor and tell us what the Intel Management Engine is really doing . . . ?
Of course, he can't because he probably signed some kind of non-disclosure agreement and would be killed by NSA operatives.
Re: (Score:1)
Actually, this is good.
1) It will set back Intel's 'fixes' many many months, if ever
2) The new, fixed CPUs on the drawing board will need refactoring
3) Extra pins for hardware jumpers may come back
4) Register testing will have to be performed (I presume it never was)
5) Future contract spreads will have to be changed for a new release date
6) Intel's silence in not coming clean means more bad stuff in the pipeline.
Intel is desperate to roll out a fully fixed CPU that will give it an Apple like boost to its for
Re: (Score:2)
Just because a guy does a job doesn't mean that he knows everything there is about the job always and instantly. If it did then we would need this thing called "research".
Oh Intel engineers (Score:4, Funny)
thanks for the gift that keeps giving, and won't ever be fixed for so many users... /s
dafuq? (Score:5, Insightful)
I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.
How fucked up have we become that this is the norm?
Re: (Score:2, Offtopic)
Fuck the dems for all eternity for running the one person America hates more than Trump.
Re: dafuq? (Score:1)
Re: (Score:2)
Re: (Score:2)
Issues with crypto and hardware? 1920-30's would have been the start and global radio network collect it all.
1945 with the results of Enigma like real time decryption would have seen the need to control all advanced crypto sold for embassy and commercial use after ww2.
Every message to/from any French embassy in the 1950's in plain text in real time.
Any early advance computer system, communications, crypto product on sale in the West would have been defective by
Re: (Score:3)
I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.
I feel like this country has been on a downward spiral since the 80s, when MBAs decided firing people when a company didn't meet its numbers was A Good Thing. (note: they still made money, just didn't meet the numbers). Now we have MBAs fucking up, realizing they fucked up, quitting, and making a startup capitalizing on their earlier fuckups.
How fucked up have we become that this is the norm?
Companies follow a standard trajectory now.
Start with a couple people with an innovative idea.
Get funding to make your dream come true.
Get forced to hire "business" people who have never had an original idea.
Either be forced out, bought out, or sold off to some nameless faceless company (yahoo?)
See your dream idea turned into something nobody wants anymore.
(sometimes there is a Profit step, but it's probably going to be at the cost of what's left of your soul)
Re: (Score:3)
I wish I was smart enough to fuck up at my 7 figure job, then quit and make a start up utilizing my fuck ups to get rich.
This is literally what the entire consulting industry does. I've seen countless people leave companies only to form consultancies and bill themselves back to the companies they left at triple the price to fix the problems they were never able to.
The irony is that this is supported by upper management who don't listen to employees bitching and moaning, but are all too happy to listen to someone after they ask for their opinion with a wheelbarrow full of money.
Re: (Score:2)
You need to be somewhat naive about human interpersonal behaviour to find any of this surprising in the first place.
The best way to stay naive is to view the world through a "management is stupid" filter. (Really? This would, by itself, negate half the theory of ef
typo (Score:2)
Append the word "filter" to appropriate sentence.
Re: (Score:2)
Management isn't stupid.
Management is stupid.
The first being the noun describing people in management positions.
The second being the noun describing the process created around the organisational structure.
Re: (Score:2)
Alas, the edict “go fuck yourself”, no longer means what it used to.
Re: (Score:2)
In addition, the flaw was subtle enough to exist for something like 10 to 20 years before anyone spotted it.
Comment removed (Score:5, Interesting)
After the javascript engine changes in Chrome/FF.. (Score:2, Informative)
It would require breaking the javascript sandbox (since performance counters in javascript now return less fine grained time values) and then hitting the CPU hard so that it can't change clock rates (doable on most modern processors, although you might want to trigger multiple passes across the same memory addresses at different periods just to make sure the values you gathered are either correct or haven't changed, a difference that you as a snooper won't be able to tell which is the cause.)
Given the brows
Re: (Score:3)
You need ability to run specific code in ring 0 (aka the kernel) and this allows you to access memory that in theory the SMM keeps hidden even from ring 0, aka itself. Unless you are in the habit of loading random shit into your kernel this has no practical use for a hacker.
Further the issue with this is that you have been able to read arbitrary memory on the system for around the last 20 fucking years if you have the privilege to read from port 0xb2 via the delights of the SMM itself. This is just grandsta
Re: (Score:1)
I am not going to detail what values you need to load into what registers to read the arbitrary memory because I think it's better that it's not generally known...
Dipshits like this are the reason there shouldn't be "backdoors" or secret operating modes in hardware or software.
Re: (Score:2)
Actually if you read the source of the toshiba character driver in the Linux kernel (you might need to pick an older kernel as it may well have been dropped by now) then you will see that I actually block the calls to fiddle with memory. I forgot that it's worse than just being able to read it, you can write it too!!! They also have wacky functions to fiddle with PCI as well.
These days it's usually done via the ACPI interface using HCI methods but as I said deep down the ACPI code eventually just reads from
Re: (Score:3)
You kinda forgot an important detail for your readers:
IS THIS A REMOTE EXPLOIT?
The summary is pretty clear: they didn't exploit physical access, but had to be "running with kernel-level privileges". So it's obviously not a remote exploit in itself, although other vulnerabilities in an OS and app that allow a remote user to run bespoke code with kernel-level privileges would open up remote attacks. But if you have holes that big in your system to start with, you're already fucked three ways over from Sunday.
The main risk here, as I see it, is that it may be used to gain access
Self contradiction? (Score:1)
To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR) ... "These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory,"
An "unprivileged attacker" is "running with kernel-level privileges"?
Comment removed (Score:4, Interesting)