Back to Top

Friday, February 13, 2009

Good security news

Teletypesetter keyboardBeing Friday the 13th one can really use some positive news: on rootkit.com we have an article about Implementing SMM PS/2 Keyboard sniffer. How is this good news you ask me? Towards the end of the paper we have the following text (emphasis added):

The limitations of hacking through SMM are obvious. It is almost impossible to use in reality. The largest problem is that BIOS since 2004 set D_LCK bit during booting, which blocks access to SMRAM. Also, modern operating systems use ACPI. In ACPI, #SMI does not occur, so we cannot use Device Trap based on chipset. There is also a document about hibernation, which shows that system enters hibernation mode after the intruder uploads handler in SMRAM. Then, when system memory is restored, SMRAM space is reset so that the handler we uploaded disappears. Loic Duflot’s OpenBSD Exploit obtains permission by manipulating the physical memory in SMM status, and to apply this to Linux, we have to be able to access PCI Configuration Space. In order for a general application to access PCI Configuration Space, iopl() function has to be used to obtain I/O permission, but that function does not operate if not by superuser.

The gist of it: some very specific conditions need to satisfied for this to work, and there is very little chance for that to happen in everyday life. W00t!

Image taken from Quinn deEskimo's photostream with permission.

0 comments:

Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.