当前时区为 UTC + 8 小时



发表新帖 回复这个主题  [ 1 篇帖子 ] 
作者 内容
1 楼 
 文章标题 : 来个intel cpu缓存漏洞
帖子发表于 : 2009-03-23 8:40 
头像

注册: 2007-07-20 22:15
帖子: 896
送出感谢: 0 次
接收感谢: 0 次
Intel CPU-level exploit could be tempest in a teapot
http://arstechnica.com/security/news/2009/03/storm-over-intel-cpu-security-could-be-tempest-in-a-teapot.ars

Johanna Rutkowska of Invisible Things Lab has been making headlines ever since she announced her development of a seemingly undetectable rootkit she dubbed "Blue Pill." While that project is now defunct, Rutkowska has continued her research into hardware virtualization technology. Her more recent efforts have focused on Intel platforms and the company's Trusted Execution Technology; Intel released a BIOS update to fix several security vulnerabilities Invisible Things Lab discovered back in August of 2008. On Thursday, March 19, Rutkowska and fellow team member Rafal Wojtczuk released details of yet another Intel-focused exploit—is the CPU manufacturer's security sandbox not up to snuff?

Before we discuss the flaw in particular, let's take a quick moment and review the ring security model. The term "ring" refers to protective rings that encircle the OS kernel. Ring 3 (defined as "Applications" in the diagram below) is where users and programs should spend the vast majority of their time. Applications should never need access to Ring 0 or kernel mode, as it amounts to writing the application a literal carte blanche to modify, change, or delete anything it wants. One of the features Intel's Vanderpool (VT) technology offers is the ability to virtualize an OS starting from what we might call "Ring -1." An OS launched from Ring -1 can therefore run its own Ring 0 operations and is more effectively sandboxed from the host operating system.
图片

The exploit Rutkowska unveiled (PDF) yesterday affects System Management Mode (SMM); the security team describes SMM as equivalent to Ring -2. Code operating this deep could do virtually anything, all while operating on a level too deep for an OS-level scan to reasonably detect. Access to this mode and the memory block where it's stored (known as SMRAM) is therefore extremely restricted. The memory controller is configured to lock SMRAM access exclusively to the BIOS, which then copies the SMM code into SMRAM. Once that copy is complete, the BIOS disallows all further access/modification requests that originate from outside the SMM memory block. Because the SMM module operates at Ring -2, no other program, hypervisor, or OS kernel has sufficient authority to access the memory block.

Accessing the inaccessible

Invisible Things Lab provides a step-by-step guide to this attack; I'll only summarize it here. An attacker who wishes to modify the code within the SMM must first locate the SMRAM region within system memory and designate it as a write-back cache. Once the address range is properly specified, our hypothetical hacker "creates write accesses to the SMRAM's physical address range." Because the space as been previously set as WB cacheable, the accesses are cached rather than rejected. Next, the attacker triggers a System Management Interrupt (SMI), which orders the CPU to enter System Management Mode and execute the code therein. The CPU drops into SMM happily enough, but when it fetches code from SMRAM, it fetches the corrupted cached data first. The result, says Rutkowska, is that "the above scenario allows for arbitrary SMM memory overwrite (and later code execution...)."

Intel continues to work on resolving these security issues. Senior Intel spokesperson George Alfs told Ars, "We are working with these researchers. We take this research and all reports seriously. Currently as far as we know, there are no known exploits in the wild." Invisible Things notes that the company claims to have solved the problem in later chipsets, but that shipping DQ35 models are still affected.

Truthfully, there's precious little reason to panic, particularly given the fact that Invisible Things believes an attacker would need a great deal of time and in-depth information on a particular system configuration in order to launch the type of attack described above. For all the furor surrounding the idea of a chip or chipset-level vulnerability, the chances of a general exploit going wild is virtually nil. General exploits thrive on commonalities; Rutkowska's SMM assault requires extreme specificity. It is, however, important that Intel take these issues seriously as the company appears to do. The complexity of computer security is such that seemingly low-level, unimportant flaws can be combined with higher-level problems, and suddenly spawn something far more ugly and massive. The only approach is to lock every gate—particularly when you're selling a platform based entirely around the idea of "trusted" computing.


附件:
smm_cache_fun.pdf [156.85 KiB]
被下载 45 次


_________________
发言并不是一种义务,最喜欢的回答是不知道
两个手指点击,居然默认就是鼠标中键功能
右上角是中键,右下角是左键
Grub真小,才512B
零度电子书(Unix&Linux)
http://books.05sun.com/downlist/s_62_3.html
win7恢复能力不如xp,ubuntu相对较稳定。。。待机恢复起来似乎。。。
页首
 用户资料  
 
显示帖子 :  排序  
发表新帖 回复这个主题  [ 1 篇帖子 ] 

当前时区为 UTC + 8 小时


在线用户

正在浏览此版面的用户:没有注册用户 和 3 位游客


不能 在这个版面发表主题
不能 在这个版面回复主题
不能 在这个版面编辑帖子
不能 在这个版面删除帖子
不能 在这个版面提交附件

前往 :  
本站点为公益性站点,用于推广开源自由软件,由 DiaHosting VPSBudgetVM VPS 提供服务。
我们认为:软件应可免费取得,软件工具在各种语言环境下皆可使用,且不会有任何功能上的差异;
人们应有定制和修改软件的自由,且方式不受限制,只要他们自认为合适。

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
简体中文语系由 王笑宇 翻译