Advanced Concepts for SMM Malware

Presented at DeepSec 2016 "Ten"

Hiding malware inside the BIOS/UEFI of a computer has long been deemed a theoretical threat rather than an actual attack vector. Implementation seemed too difficult and the benefits for malicious actors aiming for quick profits were considered negligible. However, with the recent rise of Advanced Persistent Threats (APTs) and state-sponsored attacks, sophisticated targeted attacks are now considered a realistic threat. For skilled attackers seeking high stealth and persistence rather than widespread infection, the BIOS/UEFI of a computer provides an ideal target. The System Management Mode (SMM) is a legacy mode of operation available in x86 and x86-64 CPUs. Originally, SMM was intended for maintenance tasks such as power and thermal management. It is a highly privileged mode of operation which has free I/O access, can directly interact with memory and has no hardware memory protections enabled. Our talk starts with a historical overview of previous SMM-based attacks. Most existing approaches are simple proof-of-concept implementations that do not explore the potential of threats stemming from SMM malware. In response to this deficit we present novel, advanced concepts for SMM malware, focussing on stealth, portability (including full Intel 64-bit support), and OS (memory layout) awareness of malware. Our talk aims to encourage further research into the threat of SMM malware and to enable the development of practical countermeasures against BIOS/UEFI malware.

Presenters:

  • Sebastian Schrittwieser / Julian Rauchberger - St. Poelten University of Applied Sciences
    Sebastian Schrittwieser (1st speaker): Sebastian Schrittwieser heads the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (https://www.jrz-target.at) and is a lecturer for IT security at the University of Applied Sciences St. Pölten, Austria. He received a doctoral degree in informatics with focus on information security from the Vienna University of Technology in 2014. Sebastian's research interests include, among others, network analysis, digital forensics, binary analysis, and mobile security. Furthermore, Sebastian is a senior expert at Kibosec GmbH.
    Julian Rauchberger (2nd speaker): Julian Rauchberger is a master's student in the Information Security program and research assistant at the St. Poelten University of Applied Sciences. From 2014 to 2015 he worked in the Usable Privacy Box (https://www.upribox.org) project at the university. In the past, Julian was part of several research projects on the stealth of malware and possible detection methods. His research interests include, among others, system security, malware, and privacy.