Your teams have taken a lot of time to ensure your super secret systems are super secret, right? Thanks to Black Hat 2015, all that work to prove a system is secure and reliable is going to have to be redone.
Christopher Domas, security researcher at the Battelle Memorial Institute, metaphorically dropped the mic and walked off on what is probably the most interesting exploit I’ve seen come out of the show in years. And remember, this is the year of Stagefright, the “everywhere Android” exploit from JDuck!
Domas, it seems, has found what he calls a “Sinkhole” in the x86 APIC (Advanced Programmable Interrupt Controller). This is an architectural privilege escalation vulnerability. It takes advantage of System Management Mode (SMM), which he refers to as “Pandora’s Box.”
Instead of being happy with hooking into Ring 0 in the processor, Domas described two layers lower than Ring 0, both hidden from the OS and from DMA. The first is Ring -1, the hypervisor. The second is Ring -2, where SMM lives.
Using this ring metaphor, Domas laid out a method of getting through to SMM and issuing it commands. Specifically, he takes advantage of an 18-year-old, forgotten patch to solve a long-dead problem: in 1997, Intel added the ability to relocate the APIC’s memory-mapped registers to a different physical address.
Thus the overall strategy for this attack is to find where SMM code is hiding in memory and to hijack SMM execution privileges. Considering that SMM is the trusted base for UEFI Secure Boot, things could get quite messy for your security and data center teams.
What’s the solution? Upgrade to Sandy Bridge and beyond? Use AMD? (Hold off on AMD, as Domas is still checking to see if their chips are vulnerable. The jury is still out.)