SENTER Sandman: Using Intel TXT to Attack BIOSes

Presented at DeepSec 2014 "Do you want to know more?"

At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our "Smite'em the Stealthy" PoC, which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc.). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU, which utilizes Intel Trusted Execution Technology (TXT) to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs), effectively putting the SMM MitM, Smite'em, to sleep. But if you've been following our work (specifically "Defeating Signed BIOS Enforcement" and "Setup for Failure: Defeating UEFI SecureBoot"), you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC "Sandman" attack using the same infrastructure as Copernicus 2. We will also explain the caveats to both the secure function of Copernicus 2 and the ability of Sandman to attack a system. Finally, we will cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you're vulnerable, and what you may be able to do about it.

Presenters:

  • Xeno Kovah - MITRE
    Xeno Kovah leads a team of 5 researchers focusing on low-level PC firmware and BIOS security. His specialty area is stealth malware and its ability to hide from security software and force security software to lie and report the system is clean when it is not. To combat such attacks, he researches trusted computing systems that can provide much stronger guarantees than normal COTS. He is also the founder and lead contributor to OpenSecurityTraining.info, where he has posted 8 days of material on x86 assembly, architecture, binary formats, and rootkits.
