Using CPU System Management Mode to Circumvent Operating System Security Functions
Loı̈c Duflot, Daniel Etiemble, Olivier Grumelard
Abstract. In this paper we show how hardware functionalities can be misused by an attacker to extend her control over a system. The originality of our approach is that it exploits seldom used processor and chipset functionalities, such as switching to system management mode, to escalate local privileges in spite of security restrictions imposed by the operating system. As an example we present a new attack scheme against OpenBSD on x86-based architectures. On such a system the superuser is only granted limited privileges. The attack allows her to get full privileges over the system, including unrestricted access to physical memory. Our sample code shows how the superuser can lower the “secure level” from highly secure to permanently insecure mode. To the best of our knowledge, it is the first time that documented processor and chipset functionalities have been used to circumvent operating system security functions.
One thought on “Using SMM to Circumvent OS Security Functions”
You do realize that this paper is roughly 18 years old, right? That no modern BIOS is assigning SMBASE to A0000 these days, and that no modern chipsets limit SMRAM to 128K?
This is interesting in that it is a foundational paper that’s been sited many times in other much more recent papers… but it’s really old news now.