## SENTER Sandman: Using Intel TXT to Attack BIOSes

Xeno Kovah Corey Kallenberg John Butterworth Sam Cornwell @xenokovah @coreykal @jwbutterworth3 @ssc0rnwell



© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 14-2053

## Introduction

#### Who we are:

Trusted Computing researchers at The MITRE Corporation

### What MITRE is:

- A not-for-profit company that runs seven US Government "Federally Funded Research & Development Centers" (FFRDCs) dedicated to working in the public interest
- The first .org, !(.mil | .gov | .com | .edu | .net), on the ARPANET
- Manager for a number of standards such as <u>CVE</u>, CWE, OVAL, CAPEC, STIX, TAXII, etc



## I'd like to tell you a dark fairy tale

The following story is fictional, and does not depict any actual event

MITRE

## Once Upon 2 Time...

• Off in never never land...

© 2014 The MITRE Corporation. All rights reserved.













## Myth meets reality

In July 2013 at BlackHat[18], in concert with our talk about BIOS attacks and exploits, we publicly released Copernicus. It was the first free public tool that could check for access control vulnerabilities in a BIOS implementation, and the first that could dump the BIOS contents on most x86-based Windows.

- You can download it by googling "MITRE Copernicus" or at [26].

In March 2014 at CanSecWest[27] we described an SMM MitM attack ("Smite'em") which can generically defeat many softwarebased BIOS dump tools like Copernicus, Flashrom, ChipSec and others. But we also released Copernicus 2 which could defeat Smite'em by using Intel Trusted Execution Technology (TXT).

- You can download it by googling "MITRE Copernicus 2" or at [28].



## **Myth meets reality 2**

- In April 2014 at Syscan[29], we publicly disclosed a weakness in some BIOSes where , and we showed a PoC attacker against this weakness called Charizard
  - So named because Sam Cornwell didn't think of a better name before we dubbed it in honor of his status as youngest team member.
  - The updated Copernicus was posted at the original [26] link.
- And now here we present for the first time the Sandman, which is like using Copernicus 2 code to perform a Charizard attack.

MITRF

### There can be only one! Who wins in a smackdown between BIOS malware, and BIOS integrity checkers?

- The malware. Always.
- We built Copernicus to be something "best effort" that could be deployed quickly with minimal requirements, to try and catch firmware malware with their pants down
  - Where there was darkness, we said "let there be light!" ;)
  - When we live in a world where no one is checking their firmware, any firmware malware need not necessarily fear detection and thus can be vulnerable to a surprise detect
  - Just the act of existing costs attackers development time/money if they hadn't previously provided any self-protection
- Now let's see what we need to do to make Copernicus actually trustworthy



## It's well understood how to manipulate integrity checking software output

- From within the OS, targeted hooks into Copernicus code
- From within the OS with "DDefy" [20] rootkit style hooks into file writing routines
- From within the HD controller firmware [21][22][23]
- From within the OS with a network packet filter driver
- From within the NIC firmware [24][25]
- Etc. Lots more options



## A new generic attack.

- It is possible for SMM to be notified when SPI reads or writes occur
- An attacker who controls the BIOS controls the setup of SMM
- In this way a BIOS-infecting attacker can perform a SMM MitM attack against those who would try to read the BIOS to integrity check it
- We call our SMM MitM "Smite'em, the Stealthy"



### Eye of the dragon - FSMIE - hw sequencing

This is what allows an attacker in SMM to know when someone is trying to access the flash chip (because a System Management Interrupt (SMI) will fire)

#### HSFC—Hardware Sequencing Flash Control Register (SPI Memory Mapped Configuration Registers)

Memory Address:SPIBAR + 06h Default Value: 0000h Attribute: Size: R/W, R/WS 16 bits

This register is only applicable when SPI device is in descriptor mode.

| Bit | Description                                                                                                                 |
|-----|-----------------------------------------------------------------------------------------------------------------------------|
| 15  | Flash SPI SMI# Enable (FSMIE) — R/W. When set to 1, the SPI asserts an SMI# request whenever the Flash Cycle Done bit is 1. |

#### The Flash Cycle Done bit is set to 1 after every read and write





BIOS reading software sets up the location it wants to read (as part of reading the entire chip) and how many bytes to read





#### BIOS reading software says to start the read







Once the cycle is done, and the data is available for reading, if the FSMIE = 1, an SMI is triggered, giving Smite'em the first look





Smite'em can change any data that would reveal its presence to the original benign data





BIOS reading software will be mislead



© 2013 The MITRE Corporation. All rights reserved.

## Think it can't happen?

#### Flashrom 0.9.7 source

| ichspi.c: | hsfc = REGREAD16(ICH9_REG_HSFC);                                               |
|-----------|--------------------------------------------------------------------------------|
| ichspi.c: | hsfc &= $\sim$ HSFC_FCYCLE; /* set read operation */                           |
| ichspi.c: | hsfc &= ~HSFC_FDBC; /* clear byte count */                                     |
| ichspi.c: | <pre>hsfc  = (((block_len - 1) &lt;&lt; HSFC_FDBC_OFF) &amp; HSFC_FDBC);</pre> |
| ichspi.c: | hsfc  = HSFC_FGO; /* start */                                                  |

If you don't account for hw/sw sequencing's FSMIE bit (as no previous software did), you will just lose and provide false assurances of a lack of BIOS compromise



### How can we defeat Smite'em?

- Smite'em lives in SMM, let's disable SMIs
- But its not sufficient to just disable them from an OS driver, because an attacker could just nop out our code to do so
- A side effect of Intel TXT is that it disables SMIs
  - "The ILP must re-enable SMIs which were disabled as part of the SENTER process"
- So lets learn about Intel Trusted Execution Technology (TXT)
  - Called "Safer Mode Extensions" (SMX) in the Intel manuals





## Intel Trusted Execution Technology (TXT)

- Dynamic Root of Trust for Measurement
- A means to provide "late launch" trust
  - You had a presumed-compromised system, you start TXT, and you're left in a state you setup and that you can trust



From http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20slides.pdf

#### AVMM we want to load (Currently unprotected)

#### The VMM loaded and its hash stored in PCR18



## How does it work?

- New Intel instruction "GETSEC"
- It's sort of like CPUID in that it's a single instruction that does different things based on what the value is in the EAX register at the time that it's called
- EAX = 0; GETSEC[CAPABILITIES] = report the capabilities
- EAX = 1; GETSEC[ENTERACCS] = run authenticated code (AC)
- EAX = 2; GETSEC[EXITAC] = stop running AC
- EAX = 3; GETSEC[<u>SENTER</u>] = Start a Measured Launch Environment (MLE) – this is the main one we care about, and the source of the title of this talk
- EAX = 4; GETSEC[SEXIT] = exit MLE
- EAX = 5; GETSEC[PARAMETERS] = reports supported AC info
- EAX = 6; GETSEC[SMCTRL] = turn on SMIs
- EAX = 7; GETSEC[WAKEUP] = wake up sleeping processors

### We're only interested in a subset

- We have to use GETSEC[CAPABILITIES] and GETSEC[PARAMETERS] just for sanity checking purposes
- We mainly care about SENTER and SEXIT to start and stop our MLE
- We're \*NOT\* going to use SMCTRL or WAKEUP
  - The whole point here is to freeze SMM code in place



## **SENTER THE DRAGON!**



## **Copernicus 1 Architecture**



## **Copernicus 1 Architecture**



© 2013 The MITRE Corporation. All rights reserved.

## **Copernicus 1 Architecture**



© 2013 The MITRE Corporation. All rights reserved.

## **Smite'em Attacks!**




#### **Overall behavior 1**

#### Initial actions:

- Turn on TPM & TXT
- Provision TPM key for later signature verification
- Load Flicker driver, pass MLE code to Flicker, tell it to start























#### **Overall behavior 2**

#### MLE actions:

- Read config info, place text in buffer, SHA1 hash it, extend buffer into TPM Platform Configuration Register (PCR) 18
- Read BIOS 0x10000 at a time, SHA1 hash it, extend buffer into PCR 18
- SEXIT





















#### Charizard



#### **Intel SPI Flash Protection Mechanisms**

- Intel provides a number of protection mechanisms that can "lock down" the flash chip.
- It's up to OEMs/IBVs to use these Intel provided mechanisms in a coherent way to implement things like:
  - UEFI variable protection
  - Signed firmware update requirement





# **BIOS\_CNTL**

|   | BIOS Lock Enable (BLE) — R/WLO.                                                                                                                                                                                                                                                                                      |
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | <ul> <li>0 = Setting the BIOSWE will not cause SMIs.</li> <li>1 = Enables setting the BIOSWE bit to cause SMIs. Once set, this bit can only be cleared by a PLTRST#</li> </ul>                                                                                                                                       |
|   | BIOS Write Enable (BIOSWE) – R/W.                                                                                                                                                                                                                                                                                    |
| 0 | <ul> <li>0 = Only read cycles result in Firmware Hub I/F cycles.</li> <li>1 = Access to the BIOS space is enabled for both read and write cycles. When this bit is written from a 0 to a 1 and BIOS Lock Enable (BLE) is also set, an SMI# is generated. This ensures that only SMI code can update BIOS.</li> </ul> |

- The above bits are part of the BIOS\_CNTL register on the ICH.
- BIOS\_CNTL.BIOSWE bit enables write access to the flash chip.
- BIOS\_CNTL.BLE bit provides an opportunity for the OEM to implement an SMM routine to protect the BIOSWE bit.

from: http://www.intel.com/content/www/us/en/chipsets/6-chipset-c200-chipset-datasheet.html



# SMM BIOSWE protection (1 of 2)



Here the attacker tries to set the BIOS Write Enable bit to 1 to allow him to overwrite the BIOS chip.



# SMM BIOSWE protection (2 of 2)



The write to the BIOSWE bit while BLE is 1 causes the CPU to generate a System Management Interrupt (SMI#).



# SMM BIOSWE protection (2 of 2)



The SMM code immediately writes 0 back to the BIOSWE bit before resuming the kernel code



# SMM BIOSWE protection (2 of 2)



The end result is that BIOSWE is always 0 when non-SMM code is running.



### **Protected Range SPI Flash Protections**

#### 21.1.13 PR0—Protected Range 0 Register (SPI Memory Mapped Configuration Registers)

| Memory Address: | SPIBAR + 74h | Attribute: | R/W     |
|-----------------|--------------|------------|---------|
| Default Value:  | 00000000h    | Size:      | 32 bits |

**Note:** This register can not be written when the FLOCKDN bit is set to 1.

| Bit   | Description                                                                                                                                                                                                                                                                                                      |
|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31    | <b>Write Protection Enable</b> — R/W. When set, this bit indicates that the Base and Limit fields in this register are valid and that writes and erases directed to addresses between them (inclusive) must be blocked by hardware. The base and limit fields are ignored when this bit is cleared.              |
| 30:29 | Reserved                                                                                                                                                                                                                                                                                                         |
| 28:16 | <b>Protected Range Limit</b> — R/W. This field corresponds to FLA address bits 24:12 and specifies the upper limit of the protected range. Address bits 11:0 are assumed to be FFFh for the limit comparison. Any address greater than the value programmed in this field is unaffected by this protected range. |
| 15    | <b>Read Protection Enable</b> — R/W. When set, this bit indicates that the Base and Limit fields in this register are valid and that read directed to addresses between them (inclusive) must be blocked by hardware. The base and limit fields are ignored when this bit is cleared.                            |
| 14:13 | Reserved                                                                                                                                                                                                                                                                                                         |
| 12:0  | <b>Protected Range Base</b> — R/W. This field corresponds to FLA address bits 24:12 and specifies the lower base of the protected range. Address bits 11:0 are assumed to be 000h for the base comparison. Any address less than the value programmed in this field is unaffected by this protected range.       |

Protected Range registers can also provide write protection to the flash chip.

### **HSFS.FLOCKDN**

#### HSFS—Hardware Sequencing Flash Status Register (SPI Memory Mapped Configuration Registers)

Memory Address: SPIBAR + 04h Default Value: 0000h

Attribute: RO, R/WC, R/W Size: 16 bits

| Bit | Description                                                                                                                                                                                                                                                                                                                  |
|-----|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 15  | Flash Configuration Lock-Down (FLOCKDN) — R/W/L. When set to 1, those Flash<br>Program Registers that are locked down by this FLOCKDN bit cannot be written. Once<br>set to 1, this bit can only be cleared by a hardware reset due to a global reset or host<br>partition reset in an Intel <sup>®</sup> ME enabled system. |

# HSFS.FLOCKDN bit prevents changes to the Protected Range registers once set.



# SMM\_BWP

#### 13.1.32 BIOS\_CNTL—BIOS Control Register (LPC I/F—D31:F0)

| Offset Address: | DCh | Attribute:  | R/WLO, R/W, RO |
|-----------------|-----|-------------|----------------|
| Default Value:  | 20h | Size:       | 8 bit          |
| Lockable:       | No  | Power Well: | Core           |

| Bit | Description                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|-----|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 7:6 | Reserved                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 5   | <ul> <li>SMM BIOS Write Protect Disable (SMM_BWP)— R/WLO.</li> <li>This bit set defines when the BIOS region can be written by the host.</li> <li>0 = BIOS region SMM protection is disabled. The BIOS Region is writable regardless if processors are in SMM or not. (Set this field to 0 for legacy behavior)</li> <li>1 = BIOS region SMM protection is enabled. The BIOS Region is not writable unless all processors are in SMM.</li> </ul> |

- SMM\_BWP offers a way to prevent malicious ring 0 writes to the SPI Flash even if SMI's are suppressed.
- Of 8005 systems we surveyed, only 6 actually set SMM\_BWP = 1
  - Thanks to some forced patching, it's up to 1605/~10k! Only 84% fail! ;)

Source: Intel 8-series-chipset-pch-datasheet.pdf



#### **Intel Protections Summary**

- The Protected Range Registers, BIOS\_CNTL, and SMM\_BWP provide overlapping protection of the SPI flash chip that contains the platform firmware.
  - Protected Range registers can be configured to block <u>all</u> write access to ranges of the SPI Flash.
  - BIOS\_CNTL protection puts SMM in a position to decide who can write to the SPI Flash. (weaker)
  - SMM\_BWP says "only a CPU in SMM is allowed to write to the flash chip" (stronger)

#### Charizard

- BIOS\_CNTL protection of the SPI Flash can be defeated on a large number of systems by temporarily suppressing SMM.
  - Attack does not require arbitrary code execution in SMM.
- But how can we suppress SMM?





#### 12.8.1.1 GEN\_PMCON\_1—General PM Configuration 1 Register (PM—D31:F0)

| Offset Address: | A0-A1h | Attribute:            | R/W, RO, R/WLO       |
|-----------------|--------|-----------------------|----------------------|
| Default Value:  | 0000h  | Size:                 | 16 bits              |
| Lockable:       | No     | Usage:<br>Power Well: | ACPI, Legacy<br>Core |

|   | SMI_LOCK-R/WLO. When this bit is set, writes to the GLB_SMI_EN bit (PMBASE      |
|---|---------------------------------------------------------------------------------|
| 4 | + 30h, bit 0) will have no effect. Once the SMI_LOCK bit is set, writes of 0 to |
|   | PLTRST#).                                                                       |
|   |                                                                                 |

- SMI\_LOCK controls access to the next bit we care about in GBL\_SMI\_EN (it's a typo in the manual above)
- 3216 of 8005 (~40%) systems surveyed did not have SMI\_LOCK set.
  - A greater number could probably be made vulnerable by downgrading the BIOS to a vulnerable revision, which is usually allowed.



0



#### **13.8.3.7** SMI\_EN—SMI Control and Enable Register

I/O Address: PMBASE + 30h Default Value: 00000002h Lockable: No Power Well: Core Attribute: Size: Usage:

R/W, R/WO, WO, R/WL 32 bit ACPI or Legacy

#### GBL\_SMI\_EN - R/WL.

- 0 = No SMI# will be generated by PCH. This bit is reset by a PCI reset event. 1 = Enables the generation of SMI# in the system upon any enabled SMI event.
  - **NOTE:** When the SMI\_LOCK bit is set, this bit cannot be changed.
- If SMI\_LOCK == 0, we can set GBL\_SMI\_EN to 0 to temporarily disable SMIs and write to flash regions relying on BIOS\_CNTL protection, like the EFI variable region.



# **Disabled BIOSWE protection (1 of 2)**



Again the attacker tries to set the BIOS Write Enable bit to 1 to allow him to overwrite the BIOS chip.


# **Disabled BIOSWE protection (2 of 2)**



#### This time the SMI that protects BIOSWE fails to fire.





Ring 0 can now modify <u>authenticated</u> EFI Variables, which allows trivial bypassing of Secure Boot.















# **Caveat Dormientes**

- Xeno pursued TXT for SMI suppression in Copernicus 2 & Sandman because he read this in the Intel TXT Developer's Guide:
- "The ILP must re-enable SMIs which were disabled as part of the SENTER process; most systems will not function properly if SMIs are disabled for any length of time. ..."
- OK, good so far...but wait...Xeno didn't read to the end of the paragraph...
- "Newer CPUs may automatically enable SMIs on entry to the MLE;"
- Oh... Well that could be a problem. So how do we know which "Newer CPUs" behave which way, and under which conditions they "may" enable SMIs?



# **Follow the clues**

One clue in the EXITAC instruction leaf which is what the SINIT module would run as it's exiting and going to hand off to MLE

#### GETSEC[EXITAC]—Exit Authenticated Code Execution Mode

```
<Pseudocode snip>

IF (SENTERFLAG=0)

THEN Unmask SMI, INIT, NMI, and A20M pin event;

ELSEIF (IA32_SMM_MONITOR_CTL[0] = 0)

THEN Unmask SMI pin event;

ACMODEFLAG← 0;

EIP← tempEIP;

END;
```

- This translates to "If we are done with an SENTER, and we're about to transfer to the MLE, and if IA32\_SMM\_MONITOR\_CTL[0] = 1, then SMIs will be suppressed when we transfer to the MLE"
- So we want to be able to set IA32\_SMM\_MONITOR\_CTL[0] = 1
- How do we do that?

| 9BH | 155 | IA32_SMM_MONITOR_CTL | SMM Monitor Configuration (R/W)                         | If CPUID.01H: ECX[bit 5 or<br>bit 6] = 1 |
|-----|-----|----------------------|---------------------------------------------------------|------------------------------------------|
|     |     | 0                    | Valid (R/W)                                             |                                          |
|     |     | 1                    | Reserved                                                |                                          |
|     |     | 2                    | Controls SMI unblocking by VMXOFF (see Section 34.14.4) | If IA32_VMX_MISC[bit 28])                |
|     |     | 11:3                 | Reserved                                                |                                          |
|     |     | 31:12                | MSEG Base (R/W)                                         |                                          |
|     |     | 63:32                | Reserved                                                |                                          |
|     |     |                      |                                                         |                                          |

- OK, bit 0 is the valid bit.
- This architectural MSR is only valid if you call CPUID with EAX set to 1, and if the returned ECX has bit 5 or 6 = 1
- So what are those bits?

 5
 VMX
 Virtual Machine Extensions. A value of 1 indicates that the processor supports this technology

 6
 SMX
 Safer Mode Extensions. A value of 1 indicates that the processor supports this technology. See Chapter 5, "Safer Mode Extensions Reference".

 Well that's not helpful, because that implies anything that supports SMX will support IA32\_SMM\_MONITOR\_CTL



# **Follow the clues**

- Hmm...here's some other interesting facts that turned up in the search through the manuals
- The IA32\_SMM\_MONITOR\_CTL MSR is supported only on processors that support the dual-monitor treatment.<sup>1</sup> On other processors, accesses to the MSR using RDMSR or WRMSR generate a general-protection fault (#GP(0)).
- A write to the IA32\_SMM\_MONITOR\_CTL MSR using WRMSR generates a general-protection fault (#GP(0)) if executed outside of SMM or if an attempt is made to set any reserved bit. An attempt to write to the
- Software should consult the VMX capability MSR IA32\_VMX\_BASIC (see Appendix A.1) to determine whether the dual-monitor treatment is supported.

IA32\_SMM\_MONITOR\_CTL is an MSR that can be written only in SMM.

- OK, so we can't force the valid bit in the MSR. We'll come back to that.
- OK now we need to consult IA32\_VMX\_BASIC to know if a processor supports dual-monitor treatment to know if it supports IA32\_SMM\_MONITOR\_CTL...

| 480H | 1152 | IA32_VMX_BASIC | Reporting Register of Basic VMX<br>Capabilities (R/O) | If CPUID.01H:ECX.[bit 5] =<br>1 |
|------|------|----------------|-------------------------------------------------------|---------------------------------|
|      |      |                | See Appendix A.1, "Basic VMX Information."            |                                 |

If bit 49 is read as 1, the logical processor supports the dual-monitor treatment of system-management interrupts and system-management mode. See Section 34.15 for details of this treatment.

# **Double Your Pleasure, Double Your Fun**

#### What is this "dual-monitor treatment"?

### 34.15.1 Dual-Monitor Treatment Overview

The dual-monitor treatment uses an executive monitor and an SMM-transfer monitor (STM).

 Oh! It's the use of the STM! You remember STMs right? No? They were the solution to Intel TXT's problem with SMM that ITL found back in 2009









The dialogs between ITL and Intel presented here have been modified for brevity and for better dramatic effect.



### SMM Transfer Monitor (STM)



From "Attacking Intel Trusted Execution Technology", ITL, Feb 2009

Intel told us they do have STM specification that answers some of our concerns (e.g. that STM is difficult to write), and the spec is available under NDA.

> Intel offered us a chance to read the STM spec... ...but required signing an NDA.

### We refused.

(We'd rather not tie our hands with signing an NDA — we prefer to wait for some STM to be available and see if we can break it :)

- While our MITRE team also likes to take the black box approach to looking at things, we eventually decided that entering into some NDAs with Intel and other BIOS vendors would accelerate our discovery of problems and help move BIOS security forward faster, which is our ultimate goal.
- So we checked out the Intel STM document (still not released 5 years later...on version .99 v8 ;)), and came across this handy flow chart... which we didn't receive permission from Intel to even partially reproduce :(











### And in the end, just gave in and asked Intel...

- Intel says that the "newer CPUs" are some Nehalem and newer
- But I also accidentally found out that Xeon CPU's don't support STM, and rely on the Static Root of Trust for Measurement (SRTM)
  - :O That's not good! We showed in our "BIOS Chronomancy"[18] talk last year how SRTMs without truly immutable core roots of trust are fundamentally flawed and vulnerable
    - Oh, but they support using TXT ACMs as the entry point for the reset vector, so functionally the SRTM...so...hmm...As long as SMM can never ever get compromised directly while the system is running \*cough\*futurecoreytalk\*cough\* then I guess you're OK...

MITRF

# Result

- Sandman (and Copernicus 2) work on older machines that unconditionally suppress SMIs, and on newer machines that include an STM
  - "The once and future king"...
- The BIOS vendor needs to include an STM in their shipping BIOS, because the STM lives in SMM
  - SMM should be locked so that people can't put stuff there.
    - If anyone can just add an STM on demand that would be an attack.
- We're not aware of any vendors shipping or planning to ship STMs (but we haven't conducted a survey)
- Where Copernicus 2 has fallen, Smite'em holds court!
- Intel could fix this by just re-enabling SMI suppression for TXT. We asked them to, but we don't think they will.



### Must I be vulnerable to Sandman to run Copernicus 2?

- No. TXT has an access control mechanism where you can set a Launch Control Policy (LCP)
- The LCP can specify that you only want to allow specific MLEs to run on your systems
- LCPs are stored in the TPM's non-volatile RAM
- So basically when you're provisioning the TPM so that you can trust your measurements from some MLE like Copernicus 2, you can also lock it in so that only Copernicus 2 can run in the future

MITRF

# Conclusions

#### We have now completed the "BLE-SMI Suppression Trilogy"

- Via CPU cache poisoning at EkoParty [13]
- Via GBI\_SMI\_EN at Syscan[29]
- Via TXT at SummerCon [30]
- ("BlessMe Suppression" doesn't sound as cool as "Xen Owning" but if ITL has a trilogy, we need one too ;))
- Are there other ways? Probably, but it doesn't matter
- We've been telling people to stop relying on BIOSWE/BLE protection and starting using Protected Range Registers and SMM\_BWP for a while now.
- We recently found what we think is a *fundamental* architectural flaw in BIOSWE/BLE which will render it completely useless
- Stay tuned ;)



# A new caveat has entered the ring!

From "Ring -3 Rootkits", ITL, July 2009

http://invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf

We do like many of the new Intel technologies (VT-x,VT-d, TXT), ...

But AMT is different in that it can potentially be greatly abused by the attacker

(VT-d or TXT can potentially be bypassed, but they cannot help the attacker!)

- We also like security technologies like TXT
- Wojtczuk & Rutkowska caveated this when they showed an SINIT buffer overflow (subsequently patched) which yielded SMM privs
- We've now showed another (more architectural) way that TXT can be a double-edged sword
  - But BIOS-vendors can mitigate this attack by not relying on BIOS\_CNTL.BIOSWE/BLE as a primary access control



# **Closing thoughts**

- Sleep with one eye open!
- Gripping your pillow tight!
- EXXXXIIIITTTT LIGHT!
- EEEENNNNNTTTTEERRR NIIIIIGHT!





# Thanks, Contacts, Questions?

- Thanks to FOO from Intel who saw our Cop 2 slides and pointed out the differing ways SMIs behave, and for John Loucaides and Bruce Monroe from Intel PSIRT for working with us on our various disclosures and getting us in touch with FOO.
- Thanks to Jon McCune and the team from CMU for making Flicker for people to build on.
  - Our changes we contributed back to make it work with default Win
     7 32 with PAE enabled are here:
  - <u>http://sourceforge.net/p/flickertcb/code/ci/experimental-pae-support</u>
- xkovah, callenberg, jbutterworth, scornwell @ mitre.org
- @xenokovah, @coreykal, @jwbutterworth3, @ssc0rnwell



# Backup





### "But I can detect that Sandman ran because of unexpected PCR values!"

- The attacker could reboot the system ASAP after the BIOS has been written to in order to try and gain their SMM or whatever other privileges ASAP.
- The attacker could run an expected/clean MLE immediately afterwards to have the PCR values overwritten with expected/ non-suspicious values
- The attacker could launch an MLE in a way that they knew would fail (but wouldn't reboot the system) so as to allow it to proceed past PCR reset but not until PCR extend.
- The attacker could manually reset the PCR from within the MLE at locality 3?

- [1] Attacking Intel BIOS Alexander Tereshkin & Rafal Wojtczuk Jul. 2009 <u>http://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf</u>
- [2] TPM PC Client Specification Feb. 2013 <u>http://www.trustedcomputinggroup.org/developers/pc\_client/specifications/</u>
- [3] Evil Maid Just Got Angrier: Why Full-Disk Encryption With TPM is Insecure on Many Systems – Yuriy Bulygin – Mar. 2013 <u>http://cansecwest.com/slides/2013/Evil%20Maid%20Just%20Got%20Angrier.pdf</u>
- [4] A Tale of One Software Bypass of Windows 8 Secure Boot Yuriy Bulygin Jul. 2013 <u>http://blackhat.com/us-13/briefings.html#Bulygin</u>
- [5] Attacking Intel Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska – Feb. 2009 <u>http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20paper.pdf</u>
- [6] Another Way to Circumvent Intel® Trusted Execution Technology Rafal Wojtczuk, Joanna Rutkowska, and Alexander Tereshkin – Dec. 2009 <u>http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf</u>
- [7] Exploring new lands on Intel CPUs (SINIT code execution hijacking) Rafal Wojtczuk and Joanna Rutkowska – Dec. 2011 <u>http://www.invisiblethingslab.com/resources/2011/</u> <u>Attacking\_Intel\_TXT\_via\_SINIT\_hijacking.pdf</u>
- [7] Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable - http://www.forbes.com/sites/andygreenberg/2012/07/26/meetrakshasa-the-malware-infection-designed-to-be-undetectable-and-incurable/





[8] Implementing and Detecting an ACPI BIOS Rootkit – Heasman, Feb. 2006

http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdf

- [9] Implementing and Detecting a PCI Rookit Heasman, Feb. 2007 <u>http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf</u>
- [10] Using CPU System Management Mode to Circumvent Operating System Security Functions - Duflot et al., Mar. 2006 <u>http://www.ssi.gouv.fr/archive/fr/sciences/fichiers/lti/cansecwest2006duflot-paper.pdf</u>
- [11] Getting into the SMRAM:SMM Reloaded Duflot et. Al, Mar. 2009 <u>http://cansecwest.com/csw09/csw09-duflot.pdf</u>
- [12] Attacking SMM Memory via Intel® CPU Cache Poisoning Wojtczuk & Rutkowska, Mar. 2009 <u>http://invisiblethingslab.com/resources/misc09/smm\_cache\_fun.pdf</u>
- [13] Defeating Signed BIOS Enforcement Kallenberg et al., Sept. 2013 – URL not yet available, email us for slides
- [14] Mebromi: The first BIOS rootkit in the wild Giuliani, Sept. 2011 <u>http://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/</u>
  MITRE

- [15] Persistent BIOS Infection Sacco & Ortega, Mar. 2009 <u>http://cansecwest.com/csw09/csw09-sacco-ortega.pdf</u>
- [16] Deactivate the Rootkit Ortega & Sacco, Jul. 2009 <u>http://www.blackhat.com/presentations/bh-usa-09/ORTEGA/</u> <u>BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf</u>
- [17] Sticky Fingers & KBC Custom Shop Gazet, Jun. 2011 <u>http://esec-lab.sogeti.com/dotclear/public/publications/11-reconstickyfingers\_slides.pdf</u>
- [18] BIOS Chronomancy: Fixing the Core Root of Trust for Measurement – Butterworth et al., May 2013 <u>http://www.nosuchcon.org/talks/</u> <u>D2\_01\_Butterworth\_BIOS\_Chronomancy.pdf</u>
- [19] New Results for Timing-based Attestation Kovah et al., May 2012 <u>http://www.ieee-security.org/TC/SP2012/papers/4681a239.pdf</u>

 [20] Low Down and Dirty: Anti-forensic Rootkits - Darren Bilby, Oct. 2006

http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Bilby-up.pdf

- [21] Implementation and Implications of a Stealth Hard-Drive Backdoor – Zaddach et al., Dec. 2013 <u>https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf</u>
- [22] Hard Disk Hacking Sprite, Jul. 2013 <u>http://spritesmods.com/?art=hddhack</u>
- [23] Embedded Devices Security and Firmware Reverse Engineering -Zaddach & Costin, Jul. 2013
   <u>https://media.blackhat.com/us-13/US-13-Zaddach-Workshop-on-Embedded-Devices-Security-and-Firmware-Reverse-Engineering-WP.pdf</u>
- [24] Can You Still Trust Your Network Card Duflot et al., Mar. 2010 <u>http://www.ssi.gouv.fr/IMG/pdf/csw-trustnetworkcard.pdf</u>
- [25] Project Maux Mk.II, Arrigo Triulzi, Mar. 2008 <u>http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf</u>





- [26] Copernicus: Question your assumptions about BIOS Security Butterworth, July 2013 <u>http://www.mitre.org/capabilities/cybersecurity/overview/</u> cybersecurity-blog/copernicus-question-your-assumptions-about
- [27] Copernicus 2: SENTER the Dragon Kovah et al., Mar 2014 <u>https://cansecwest.com/slides/2014/Copernicus2-SENTER\_the-Dragon-CSW.pptx</u>
- [28] Playing Hide and Seek with BIOS Implants Kovah, Mar 2014 <u>http://www.mitre.org/capabilities/cybersecurity/overview/</u> <u>cybersecurity-blog/playing-hide-and-seek-with-bios-implants</u>
- [29] Setup for Failure: Defeating UEFI Kallenberg et al., Apr 2014 <u>http://syscan.org/index.php/download/get/</u> <u>6e597f6067493dd581eed737146f3afb/</u> <u>SyScan2014\_CoreyKallenberg\_SetupforFailureDefeatingSecureBoo</u> <u>t.zip</u>
- [30] SENTER Sandman: Using Intel TXT to Attack BIOSes Kovah et al., June 2014

