X
Tech

Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets

A new variant of Spectre can expose the contents of memory that normally can't be accessed by the OS kernel.
Written by Liam Tung, Contributing Writer

Video: AMD and Microsoft join forces to block Spectre attacks.

Yuriy Bulygin, the former head of Intel's advanced threat team, has published research showing that the Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems known as System Management Mode (SMM).

Spectre and Meltdown vulnerabilities enable software attacks using CPU design flaws common to Intel, AMD, and Arm chips to access secrets stored in memory.

Bulygin, who has launched security firm Eclypsium, has modified Spectre variant 1 with kernel privileges to attack a host system's firmware and expose code in SMM, a secure portion of BIOS or UEFI firmware.

SMM resides in SMRAM, a protected region of physical memory that should only be accessible by BIOS firmware and not the operating system kernel, hypervisors or security software.

SMM handles especially disruptive interrupts and is accessible through the SMM runtime of the firmware, knows as System Management Interrupt (SMI) handlers.

See: Special report: Cybersecurity in an IoT and mobile world (free PDF)

As a former Intel researcher explained in a 2013 paper, when an SMI event occurs, say, due to thermal throttling or system health checks, all the CPU's cores enter SMM or system management mode.

"Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg, hypervisor, operating system, or application)," Bulygin explains.

To expose code in SMM, Bulygin modified a publicly available proof-of-concept Spectre 1 exploit running with kernel-level privileges to bypass Intel's System Management Range Register (SMRR), a set or range registers that protect SMM memory.

"These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory," he notes.

"This can expose SMM code and data that was intended to be confidential, revealing other SMM vulnerabilities as well as secrets stored in SMM. Additionally, since we demonstrate that the speculative memory access occurs from the context of SMM, this could be used to reveal other secrets in memory as well."

See: Cyberwar: A guide to the frightening future of online conflict

Bulygin said he's been working with Intel since March and that Intel believes its guidance to mitigate Spectre variant 1 and Spectre variant 2 should also be applied to SMM.

Intel said as much in a statement to ZDNet: "We have reviewed Eclypsium's research and, as noted in their blog, we believe that the existing guidance for mitigating variant 1 and variant 2 will be similarly effective at mitigating these scenarios," an Intel spokesperson said.

"We value our partnership with the research community and are appreciative of Eclypsium's work in this area."

Previous and related coverage

Are 8 new 'Spectre-class' flaws in Intel CPUs about to be exposed?

Reports are emerging of eight new 'Spectre-class' security CPU vulnerabilities.

Microsoft to Windows users: Here are new critical Intel security updates for Spectre v2

Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.

Windows 10 on AMD? This new update plus Microsoft's patch block Spectre attacks

AMD has released microcode updates for Spectre variant 2 that require Microsoft's latest Windows 10 patch.

Intel: We now won't ever patch Spectre variant 2 flaw in these chipsA handful of CPU families that Intel was due to patch will now forever remain vulnerable.

Windows 7 Meltdown patch opens worse vulnerability: Install March updates now

Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.

Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode

Intel makes progress on reissuing stable microcode updates against the Spectre attack.

Got an old PC? Find out whether you will get Intel's latest Spectre patch TechRepublic

Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.

Class-action suits over Intel Spectre, Meltdown flaws surge CNET

Since the beginning of 2018, the number of cases has risen from three to 32.

Editorial standards