• Corpus ID: 18562348

Using CPU System Management Mode to Circumvent Operating System Security Functions

@inproceedings{DuflotUsingCS,
  title={Using CPU System Management Mode to Circumvent Operating System Security Functions},
  author={Duflot and {\'E}tiemble and Grumelard}
}
In this paper we show how hardware functionalities can be misused by an attacker to extend her control over a system. The originality of our approach is that it exploits seldom used processor and chipset functionalities, such as switching to system management mode, to escalate local privileges in spite of security restrictions imposed by the operating system. As an example we present a new attack scheme against OpenBSD on x86-based architectures. On such a system the superuser is only granted… 

Improving system security through TCB reduction
TLDR
This work shows how the security-critical part of the OS, the so called TCB (Trusted Computing Base), can be reduced from millions to less than hundred thousand lines of code to achieve these security goals.
Design and Implementation of a Hardware Assisted Security Architecture for Software Integrity Monitoring
TLDR
The design and the implementation of a security architecture that is designed to securely execute integrity checks of any software running on top of this architecture, composed of a security hypervisor running in the most privileged level of the processor, assisted by a trusted hardware component.
SMM Revolutions
  • W. A. R. Souza, A. Tomlinson
  • Computer Science
    2015 IEEE 17th International Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015 IEEE 12th International Conference on Embedded Software and Systems
  • 2015
TLDR
This paper discusses how the use of the SMM has been contributing to the arms race between system's attackers and defenders and how Intel Software Guard Extensions (SGX) technology, a sort of "hypervisor in processor", presents a possible answer to the issue of using SMM for security purposes.
SoK: Hardware Security Support for Trustworthy Execution
TLDR
This paper systematizes hardware mechanisms providing trusted execution environments (TEEs), support for integrity checking and memory safety and widespread uses of hardware roots of trust through the lens of abstraction and finds that these abstractions can both obscure information that is needed for security enforcement, as well as reveal information that needs to be kept secret, leading to vulnerabilities.
Formal Verification of Secure User Mode Device Execution with DMA
TLDR
This paper proposes an approach to device modeling based on the idea of executing devices nondeterministically in parallel with the (single-core) deterministic processor, covering a fine granularity of interactions between the model components.
SoK: A Study of Using Hardware-assisted Isolated Execution Environments for Security
TLDR
Overall, this paper aims to give an essential checkpoint of the state-of-the-art systems that use HIEEs for trustworthy computing and compares their features from the security perspective.
Applying the Principle of Least Privilege to System Management Interrupt Handlers with the Intel SMI Transfer Monitor
TLDR
Results show the STM can protect against published SMM vulnerabilities with tolerable performance overheads, and a detailed overview of the architecture, evaluate its protections, and quantify its performance.
Enforcing kernel constraints by hardware-assisted virtualization
TLDR
This article proposes a characterization of malicious kernel-targeted actions, based on the way they act to corrupt the kernel, and exposes the approach based on hardware-virtualization that is partially implemented into Hytux, which is inspired from bluepill.
Flexible Hardware-Managed Isolated Execution: Architecture, Software Support and Applications
TLDR
Iso-X is proposed—a flexible, fine-grained hardware-supported framework that provides isolation for security-critical pieces of an application such that they can execute securely even in the presence of untrusted system software.
Management Engine: ME Processor, Crypto Engine, DMA Engine, HECI Engine, ROM, Internal SRAM, Interrupt Controller, Timer
Hardware-assisted Isolated Execution Environments (HIEEs) have been widely adopted to build effective and efficient defensive tools for securing systems. Hardware vendors have introduced a variety of

References

Validating a High-Performance, Programmable Secure Coprocessor
This paper details our experiences with successfully validating a trusted device at FIPS 140-1 Level 4—earning the world’s first certificate at this highest level. Over the last several years, our
Countering code-injection attacks with instruction-set randomization
TLDR
A new, general approach for safeguarding systems against any type of code-injection attack, by creating process-specific randomized instruction sets of the system executing potentially vulnerable software that can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.
Cryptography in OpenBSD: An Overview
TLDR
An overview of the cryptography employed in OpenBSD is given, including the various components (IPsec, SSL libraries, stronger password encryption, Kerberos IV, random number generators, etc.), their role in system security, and their interactions with the rest of the system (and, where applicable, the network).
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
  • C. Cowan
  • Computer Science
    USENIX Security Symposium
  • 1998
TLDR
StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
A Dynamic Mechanism for Recovering from Buffer Overflow Attacks
TLDR
This work automatically augments source code to dynamically catch stack and heap-based buffer overflow and underflow attacks, and recover from them by allowing the program to continue execution, so that each code function can be aborted when an attack is detected, without affecting the application's ability to correctly execute.
A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks
  • M. Prasad, T. Chiueh
  • Computer Science
    USENIX Annual Technical Conference, General Track
  • 2003
TLDR
This paper uses a binary rewriting approach to augment existing Win32/Intel Portable Executable binary programs with a return address defense (RAD) mechanism, which protects the integrity of the return address on the stack with a redundant copy.
Run-time Detection of Heap-based Overflows
TLDR
This paper presents a technique that protects the heap management information and allows for run-time detection of heap-based overflows, and proposes a detection scheme that has been implemented as a patch to the GNU Lib C.
Randomized instruction set emulation to disrupt binary code injection attacks
TLDR
A randomized instruction set emulator (RISE), based on the open-source Valgrind x86-to-x86 binary translator, which disrupts binary code injection attacks against a program without requiring its recompilation, linking, or access to source code.
Hardware Requirements for Secure Computer Systems: A Framework
TLDR
This report develops a new set of criteria for evaluating computer architectures that are to support systems with security requirements, here interpreted as a set of information and authorizations for the manipulation of that information in a computer system.
Statically Detecting Likely Buffer Overflow Vulnerabilities
TLDR
An implementation of a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code is described that extends the LCLint annotation-assisted static checking tool.