Attack on the System Management Mode of Intel CPUs


"System Management Mode (SMM) is the most
privileged CPU operation mode on x86/x86_64
architectures. It can be thought of as "Ring -2",
as the code executing in SMM has more privileges
than even hardware hypervisors (VT), which are
colloquially referred to as if operating in "Ring -1".

The SMM code lives in a specially protected region
of system memory, called SMRAM. The memory
controller offers dedicated locks to limit access to
SMRAM memory only to system firmware (BIOS).
BIOS, after loading the SMM code into SMRAM,
can (and should) later "lock down" system
configuration in such a way that no further access,
from outside the SMM mode, to SMRAM is
possible, even for an OS kernel (or a hypervisor).
In this paper we discuss an architectural problem
affecting Intel-based systems that allow for
unauthorized access to SMRAM. We also discuss
how to practically exploit this problem, showing
working proof of concept codes that allow for
arbitrary SMM code execution. This allows for
various kinds of abuses of the super-privileged SMM
mode, e.g. via SMM rootkits [9]."

introduction to the attack
paper

(with thanks to Bruno Garrancho)