Security Issues Related to Pentium System Management Mode

  • Slides: 44
Download presentation
Security Issues Related to Pentium System Management Mode Loïc Duflot Direction Centrale de la

Security Issues Related to Pentium System Management Mode Loïc Duflot Direction Centrale de la Sécurité des Systèmes d’Information loic. duflot@sgdn. pm. gouv. fr SGDN/DCSSI 51 boulevard de la Tour Maubourg 75007 Paris

Outline n Introduction n PC architecture and I/O access n Using System Management Mode

Outline n Introduction n PC architecture and I/O access n Using System Management Mode to Circumvent Operating System Security n A sample exploit on Open. BSD systems n Conclusions

Introduction Pentium System Management mode can be used to circumvent operating system security mechanisms.

Introduction Pentium System Management mode can be used to circumvent operating system security mechanisms. n An example of how hardware functionalities can be misused by an attacker as a means for privilege escalation. n Only legal and documented functionalities are used in the privilege escalation scheme. n A generic approach…: Pentium®, P 6 (Pentium® IV, Xeon®), Pentium® clones. n … whenever the functionality exists. (some chipset do not implement SMM-related functionalities) n

Outline n Introduction n PC architecture and I/O access n Using System Management Mode

Outline n Introduction n PC architecture and I/O access n Using System Management Mode to Circumvent Operating System Security n A sample exploit on Open. BSD systems n Conclusions

Simplified Pentium 4 architecture Chipset Processor Front Side Bus Display Adapter North. Bridge RAM

Simplified Pentium 4 architecture Chipset Processor Front Side Bus Display Adapter North. Bridge RAM Hub Link Southbridge PCI Ethernet USB LPC IDE

I/O ports access n I/O access mechanisms: – Memory mapped I/O (MMIO) – I/O

I/O ports access n I/O access mechanisms: – Memory mapped I/O (MMIO) – I/O registers are mapped in physical address space. – Programmed I/O (PIO) – I/O registers are mapped on a separate 16 -bit bus. – Direct Memory Access (DMA) – Peripherals act as masters on the PCI bus. n IRQ to the processor. – Unidirectional. – Asynchronous.

Four modes of operation Real Address Mode rsm or reset PE=0 or reset PE=1

Four modes of operation Real Address Mode rsm or reset PE=0 or reset PE=1 Protected Mode VM=1 VM=0 or Int. Virtual 8086 Mode SMI System Management Mode rsm SMI rsm

Protected mode n Hardware security mechanisms: – Privilege rings: • Most privileged: Ring 0

Protected mode n Hardware security mechanisms: – Privilege rings: • Most privileged: Ring 0 (kernel execution) • Least privileged: Ring 3 (user space code) – Segmentation and Paging. Hardware-based memory protection checks. n Restricted instructions (HLT, LGDT, INVD). n n Mode of execution of most operating systems (Windows, Linux, Open. BSD…)

Protecting memory: Hardware mechanisms n Segmentation: – Privilege rings – Segment access restrictions (type

Protecting memory: Hardware mechanisms n Segmentation: – Privilege rings – Segment access restrictions (type and DPL) n Paging (when enabled): – User/supervisor bit – Read/Write bit – No e. Xecute/ e. Xecute Disable bit n Quite a few security techniques (W^X, Pa. X…) rely upon such mechanisms.

Programmed I/O access n Two different hardware mechanisms: – Set IOPL bits. (EFLAGS register)

Programmed I/O access n Two different hardware mechanisms: – Set IOPL bits. (EFLAGS register) – Clear bits in the I/O bitmap of the current hardware task. n -> Two different system calls: – iopl (i 386_iopl, /dev/io and the like) – ioperm (i 386_set_ioperm and the like)

System Management mode n Maintenance mode: – Used for efficient power management. – Run

System Management mode n Maintenance mode: – Used for efficient power management. – Run specific proprietary code. Assert a “System Management Interrupt” (SMI) from any other mode: SMI Thermal Sensor SMI RTC Alarm SMI TCO, USB SMM SMI Century Rollover Back to calling context RSM instruction

Generating the SMI

Generating the SMI

System Management mode n A separate execution space: – Every processor register is saved

System Management mode n A separate execution space: – Every processor register is saved upon assertion of the SMI. – The context (state) will be restored upon execution of « RSM » . n In SMM: – Free access to all physical memory. – Free access to all Programmed I/O ports.

Memory in SMM 16 -bit mode. n All 4 Gb of physical memory may

Memory in SMM 16 -bit mode. n All 4 Gb of physical memory may be accessed. n Real mode addressing style. (20 -bit) n But: segment limits are extended to 4 Gb. n And: 32 -bit operand-size override prefixes may be used. n

Real Address mode 16 -bit mode: 1 Mb address space n Address Translation: –

Real Address mode 16 -bit mode: 1 Mb address space n Address Translation: – Segment: Offset = Segment <<4 + Offset n – Example: 0 x. A 000: 0 x 8000 = 0 x. A 8000 n Mostly used: – At startup and shutdown time. – May be used to benefit from BIOS functionalities. n Transitions to protected mode unrestricted. Transitions from protected mode restricted. n A 8086 processor just a little faster!

Virtual 8086 mode n n n Virtual mode embedded into protected mode. Ring 3

Virtual 8086 mode n n n Virtual mode embedded into protected mode. Ring 3 execution context. Simulate the behavior of a 8086 processor. Paging may be used. 16 -bit mode. Access is only allowed during hardware task switch or interrupt handling.

Memory Protection n So Paging and Segmentation security mechanisms only exist in Protected Mode.

Memory Protection n So Paging and Segmentation security mechanisms only exist in Protected Mode. “Pa. X/Segmexec prevent introduction/execution of arbitrary code”. n Well that’s not true outside of protected mode!!! n But that’s ok because there is no way to switch to other modes from userspace, right? n

Outline n Introduction n PC architecture and I/O access n Using System Management Mode

Outline n Introduction n PC architecture and I/O access n Using System Management Mode to Circumvent Operating System Security n A sample exploit on Open. BSD systems n Conclusions

SMRAM SMBASE + 0 x 1 FFFF Physically localized in unused memory blocks Intel

SMRAM SMBASE + 0 x 1 FFFF Physically localized in unused memory blocks Intel processor doc: SMBASE=0 x 30000 Intel Chipset doc: SMBASE=0 x. A 0000 Usually SMBASE=0 x. A 0000 SMBASE + 0 x. FFFF State save area SMBASE + 0 x. FE 00 Processor context prior SMI assertion Code, Heap and Stack SMBASE +0 x 8000 SMBASE First SMI Handler instruction

State Save Area Map IOPL bits Instruction pointer Stack pointer Task register Code segment

State Save Area Map IOPL bits Instruction pointer Stack pointer Task register Code segment

Accessing SMRAM Protected Mode SMM Mode Access to physical address 0 x. A 8000

Accessing SMRAM Protected Mode SMM Mode Access to physical address 0 x. A 8000 Processor if D_OPEN = 0 Display Adapter if D_OPEN = 1 RAM (including SMRAM) North. Bridge Hub Link Southbridge PCI Ethernet USB LPC IDE

SMRAM control register 7 Reserved D_OPEN: Enables all SMRAM accesses even if not in

SMRAM control register 7 Reserved D_OPEN: Enables all SMRAM accesses even if not in SMM. D_OPEN D_CLOSE: No data type accesses to SMRAM space. D_CLOSE D_LCK: Locks SMRAM control register. Enable: Enables SMM functionalities Chipset-specific Read-Only 0 SMRAM control register: 8 -bit register

Possible attack scheme n Enable System Management Interrupts. n Open SMRAM space. n Replace

Possible attack scheme n Enable System Management Interrupts. n Open SMRAM space. n Replace default SMI Handler by custom one. n Close SMRAM space. n Trigger SMI. n Gain access to restricted operations.

Required privileges n I/O access privileges on the SMRAM control register. n I/O access

Required privileges n I/O access privileges on the SMRAM control register. n I/O access privileges on at least one of the I/O registers that can trigger the SMI. n Optional I/O access to corresponding SMIenable registers. n Write access to SMRAM (0 x. A 0000 -BFFFFF) -> Write access to the legacy video RAM.

Outline n Introduction n PC architecture and I/O access n Using System Management Mode

Outline n Introduction n PC architecture and I/O access n Using System Management Mode to Circumvent Operating System Security n A sample exploit on Open. BSD systems n Conclusions

Open. BSD n Security-aware operating system. n Proactive security. n Memory protection: W^X, guard

Open. BSD n Security-aware operating system. n Proactive security. n Memory protection: W^X, guard pages, randomized malloc() and mmap(), etc. . . n Secure levels.

Open. BSD n The Secure Levels:

Open. BSD n The Secure Levels:

Physical Memory Access n On Open. BSD-based systems: – If securelevel >0 /dev/mem and

Physical Memory Access n On Open. BSD-based systems: – If securelevel >0 /dev/mem and /dev/kmem cannot be written to. – This means that even root cannot directly write to physical memory. – And yet, the display server (X) needs to be able to map MMIO devices.

/dev/xf 86 n Use of the /dev/xf 86 pseudo-file. n /dev/mem but only in

/dev/xf 86 n Use of the /dev/xf 86 pseudo-file. n /dev/mem but only in video memory areas. n May be opened at most once (at a time). n Cannot be opened if the machdep. allowaperture variable is set to 0.

Allowaperture If set access to /dev/xf 86 is allowed. n Otherwise prevents access to

Allowaperture If set access to /dev/xf 86 is allowed. n Otherwise prevents access to both /dev/xf 86 and i 386_iopl() (and i 386_set_ioperm). n

Programmed I/O ports access n On Open. BSD two different system calls are available:

Programmed I/O ports access n On Open. BSD two different system calls are available: – i 386_iopl – i 386_set_ioperm – + Linux (linux_sys_iopl, linux_sys_ioperm) and Free. BSD (KDENABIO ioctl) compatibility system calls. But i 386_set_ioperm cannot be used to request access to ports 0 xcfc and 0 xcf 8. n i 386_iopl and i 386_set_ioperm restricted to superuser-owned processes. n

A sample exploit against Open. BSD We assume that the target system is running

A sample exploit against Open. BSD We assume that the target system is running Open. BSD in Highly Secure mode with allowaperture=1. n We assume that an attacker has found a way to execute code with superuser privileges. n Thus, the attacker may use the i 386_iopl call (unrestricted Programmed I/O access) and write to the /dev/xf 86 device (write access to the 0 x. A 00000 x. BFFFF memory range). n But the attacker still lacks a way to get to kernel (ring 0 random code execution) privileges… n

Sample proof-of-concept exploit A root in highly secure mode (or secure level) to kernel

Sample proof-of-concept exploit A root in highly secure mode (or secure level) to kernel privilege escalation scheme. n Aim: For example, lower the securelevel to « Permanently insecure » . n Bonus: Modification of the EIP register while in SMM. n n Experimentations carried out on a PC equipped with a Pentium® 4, and a Intel® MCH/GMCHICH 2/ICH 5 chipset.

1 st step: Locating the securelevel variable n Virtual address: nm /bsd | grep

1 st step: Locating the securelevel variable n Virtual address: nm /bsd | grep securelevel. n Physical Address: Virtual memory space 4 Go Physical memory space 4 Go Kernel 0 xd 0000000 offset 0 0 Example on Open. BSD 3. 5

2 nd Step: Craft Handler

2 nd Step: Craft Handler

3 rd Step: Default Handler Replacement

3 rd Step: Default Handler Replacement

Last step: SMI generation

Last step: SMI generation

Did it work? n Return to protected mode overwrites EIP with the address of

Did it work? n Return to protected mode overwrites EIP with the address of the test function. n The program displays that the secure level has been lowered. This proves that we had successfully gone into SMM. n Check that the secure level was lowered.

Possible countermeasures n Decision from the system administrator: decide that the X server will

Possible countermeasures n Decision from the system administrator: decide that the X server will not be used. – machdep. allowaperture = 0 n Patch the BIOS or the OS: Set the D_LCK bit in the early boot stages. n Prevent access to the SMRAM register: – Programmed I/O filter. – No IOPL, I/O Bitmap management only. n No PIO accesses from ring 3 code.

Outline n Introduction n PC architecture and I/O access n Using System Management Mode

Outline n Introduction n PC architecture and I/O access n Using System Management Mode to Circumvent Operating System Security n A sample exploit on Open. BSD systems n Conclusions

Efficiency of the attack Systems Windows XP Linux 2. 6 Free. BSD Net. BSD

Efficiency of the attack Systems Windows XP Linux 2. 6 Free. BSD Net. BSD Open. BSD Attack scheme works

Privilege escalation On most systems, being able to carry out this scheme means being

Privilege escalation On most systems, being able to carry out this scheme means being granted superuser privileges. n On Open. BSD, root is only granted limited privileges. That is why the attack scheme is effective. n There may be easier ways to bypass the Secure Level mechanism. But more than the result, the attack scheme in itself is interesting: unused, legacy or routinely used functionalities can be used from userspace to circumvent operating system security functions. n One of the problems is X requiring too many privileges. n

Conclusion Only documented functionalities of the Pentium® processor and its chipset were used… n

Conclusion Only documented functionalities of the Pentium® processor and its chipset were used… n … and yet we have been able to circumvent operating system security functions. n Would this point to a consistency issue in hardware and OS security models? n – IOPL and I/O privileges at stake. n This demonstrates the need for trust in, and wise use of, hardware components.

Thank you! Any questions? loic. duflot@sgdn. pm. gouv. fr Joint work with: Olivier Grumelard

Thank you! Any questions? loic. duflot@sgdn. pm. gouv. fr Joint work with: Olivier Grumelard (SGDN/DCSSI) Daniel Etiemble (Paris XI University, LRI)