SMM Research

Presentation

Extract from my report

With increasing security mechanisms to ensure operating system integrity, such as SecureBoot1 which prevents unsigned binaries to be booted, or PatchGuard2 protecting kernel data structures to be overwritten by rootkits, it became extremely difficult for an attacker to find and exploit vulnerabilities in the low-level components of an OS that they can use to hide a rootkit. That’s why threat actors tend to switch towards bootkit instead, a malware that targets the boot sequence of a computer to hide itself. Infecting the boot sequence makes the malware OS agnostic and untouchable by standard security solutions installed at the OS level. LoJack is an example of such a threat discovered recently by security researchers (September 2018). It’s a UEFI rootkit tied to an anti-theft software company to spy on its users.

A UEFI firmware is a colossal software, with lots of functionalities. It is basically an OS running before the OS. Some functionalities continue to run alongside the operating system. That’s the case of the System Management Mode (SMM), Intel’s version of a secure execution environment. The goal of this internship is to study the SMM with a security point of view.

The first step will consists of doing research on what exactly is the SMM, to understand its architecture and its interaction with the system. Once the core concepts are assimilated, a state of the art of SMM exploitation techniques has to be documented. With all this information we will have a pretty good idea of the threat model we have to deal with.

The second part of the internship will be focused on looking for vulnerabilities in a given firmware’s SMM implementation. It will involve fuzzing and static binary analysis. Finally, this report should be usable as a starting point for someone else who want to assess the security of another SMM implementation.

Findings

A presentation of the findings is available here: slides.