ARLINGTON, Va. -- Less than six months after Intel patched its BIOS to fix a vulnerability that allowed a blue bill attack on the Xen hypervisor, two researchers have demonstrated how to bypass the chip-maker giant's Trusted Execution Technology (TXT), a core security around its vPro technology.
To get security news and tips delivered to your inbox,
In a presentation at the Black Hat DC Briefings, researchers Joanna Rutkowska and Rafal Wojtczuk of the Invisible Things Lab, identified several new bugs in the Software Manager Management Mode (SMM), the most privileged software layer.
They said Intel acknowledges that the bugs affect Intel mobile, desktop and server motherboards. Rutkowska said they suspect that all recent Intel motherboards may be vulnerable.
An SMM bug in Intel's DQ35J motherboard enabled last year's attack on the Xen hypervisor.
"As a special bonus, our attacks against SMM can be used for other things like the SMM rootkits we presented last year at Black Hat, now becoming a reality on even the latest hardware," Rutkowska said.
Announced in 2005, Intel's TXT technology, code named LaGrande, was designed as a set of hardware security extensions to Intel processors and chipsets. The goal is to protect against software-based attacks, such as rootkits, by creating an environment for software to run in its own space.
The researchers said that a single design flaw is responsible for the bugs and results in more than 40 places in which code execution vulnerabilities could be introduced. They have exploited two vulnerabilities, strongly implying they could exploit more.
Intel, they said, reports it will have fixes for the problems before summer. The researchers said they would hold off publishing details of the bugs and exploits until Black Hat USA at the end of July.
The attack subverts TXT's trusted boot process, which relies on the Trusted Platform Module to provide essential services, such as securely storing TXT measurements in TPM registers. These measurements are used to ensure, for example, that only a trusted version of the hypervisor can get access to secrets, such as an encryption key, or authenticate itself to, say, an administrator's laptop.
TXT assures that system software, such as an OS kernel or virtualization machine monitor (VMM), is loaded and executed in a trusted way. It will securely load a clean VMM or OS kernel, even if the computer is compromised by boot sector viruses, BIOIS rootkits, etc.
This load process is called Late Launch and uses a CPU instruction called SENTER. The problem is that TXT was designed with the assumption that SMM was trustworthy and could not be undermined. Rutkowska and Wojtczuk demonstrated last year that this was not true in at least one chipset -- —now it's clear that the problem is far greater.
Intel's remedy to the SMM problem, the researchers said, is SMM transfer monitor (STM), which virtualizes the SMM handler in sandbox. Intel has not released STM, however. STM would be measured in Late Launch, bringing it under the TXT umbrella of protection. Rutkowska and Wojtczuk are skeptical, saying that there's no assurance that the STM implementations by various BIOS vendors would be anymore bug-free than SMM.
"TXT is, no doubt, exciting new technology, but Intel 'forgot' about one small detail about SMM," said Rutkowska said. "The whole point about TXT is that you don't have to trust your, for example, your BIOS, you don't have to trust your EEPROMs, anything. You can have a system that isn't trusted, and magically, it is trusted."