A security researcher has revealed a potentially serious vulnerability in x86 processors which allows for malicious code to be injected directly into the chip, providing an undetectable back-door or entirely destroying a system's hardware.
In a presentation late yesterday at the Black Hat security conference in Las Vegas, for which a white paper has already been published, researcher Christopher Domas revealed what he describes as a 'design flaw that's gone unnoticed for 20 years.'
This flaw, Domas explains, allows malicious code to jump from 'ring 0,' typically the most privileged level of execution, to 'ring -2,' the System Management Mode. While running under SMM, said code is able to preempt code running in any other ring, including the 'ring -1' hypervisor, and can even bypass protections such as Trusted Execution Technology. 'Due to an extreme potential for abuse, SMM is protected through innumerable security mechanisms. However, the complexity of the architecture precludes the simple separations found in higher rings, and SMM security circumventions can be constructed through elaborate configurations of unexpected architectural features.'
During the presentation, Domas revealed a working exploit - tested only on Intel processors, but believed effective against any x86 chips from the last couple of decades - which was able to jump code from ring 0 to ring -2. 'The secondary payload is installed by ring 0, and runs with SMM privileges, after the SMM handler is hijacked through the sinkhole,' he explains. 'The specific effects of the secondary payload are left to the reader’s imagination, but commonly include deeply persistent rootkits, hardware modifications, and system destruction.'
While Intel has not yet commented publicly on the flaw, Domas claims the company is aware of his research and has already worked to close the vulnerability in its latest processor designs. The company is also claimed to be releasing firmware updates for its older chips, but Domas has warned that not all processors can or will be patched to guard against the flaw. Thankfully, exploitation of the vulnerability requires low-level access to the host system - meaning that an attacker wishing to make use of the flaw to implant malicious code in ring -2 would already need to have ring 0 access, the highest level of access typically available to user-level code.
Neither Intel nor AMD have released statements regarding Domas' findings.