Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
153 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

SmmPack: Obfuscation for SMM Modules with TPM Sealed Key (2405.04355v3)

Published 7 May 2024 in cs.CR

Abstract: System Management Mode (SMM) is the highest-privileged operating mode of x86 and x86-64 processors. Through SMM exploitation, attackers can tamper with the Unified Extensible Firmware Interface (UEFI) firmware, disabling the security mechanisms implemented by the operating system and hypervisor. Vulnerabilities enabling SMM code execution are often reported as Common Vulnerabilities and Exposures (CVEs); however, no security mechanisms currently exist to prevent attackers from analyzing those vulnerabilities. To increase the cost of vulnerability analysis of SMM modules, we introduced SmmPack. The core concept of SmmPack involves encrypting an SMM module with the key securely stored in a Trusted Platform Module (TPM). We assessed the effectiveness of SmmPack in preventing attackers from obtaining and analyzing SMM modules using various acquisition methods. Our results show that SmmPack significantly increases the cost by narrowing down the means of module acquisition. Furthermore, we demonstrated that SmmPack operates without compromising the performance of the original SMM modules. We also clarified the management and adoption methods of SmmPack, as well as the procedure for applying BIOS updates, and demonstrated that the implementation of SmmPack is realistic.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (27)
  1. RWEverything Read & Write Everything. http://rweverything.com/ (2017)
  2. Unified Extensible Firmware Interface Forum. https://uefi.org/ (2021)
  3. et al., J.A.H.: Lest we remember: Cold boot attacks on encryption keys. In: Proc. of 17th USENIX Security Symp. pp. 91–98 (2008)
  4. ANT: DEITYBOUNCE ANT Product Data. https://www.eff.org/files/2014/01/06/20131230-appelbaum-nsa˙ant˙catalog.pdf (2013)
  5. Binarly: [BRLY-2021-004] SMM callout vulnerability in SMM driver on multiple HP devices (SMM arbitrary code execution). https://www.binarly.io/advisories/BRLY-2021-004/index.html (2021)
  6. Binarly: [BRLY-2021-032] The heap buffer overflow vulnerability in child SW SMI handler on multiple HP devices. https://www.binarly.io/advisories/BRLY-2021-032/index.html (2021)
  7. Binarly: [BRLY-2021-040] SMM Callout Vulnerability In SMM Driver On Multiple HP Devices. https://www.binarly.io/advisories/BRLY-2021-040/index.html (2021)
  8. Binarly: Firmware supply chain is hard(coded). https://www.binarly.io/posts/Firmware˙Supply˙Chain˙is˙Hard(coded)/index.html (2021)
  9. Binarly: [BRLY-2022-016] Stack Overflow Vulnerability In SMI Handler. https://www.binarly.io/advisories/BRLY-2022-016/index.html (2022)
  10. chipsec: chipsec. https://github.com/chipsec/chipsec (2023)
  11. Intel Corporation: Intel® hardware shield – below-the-os security. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/below-the-os-security-white-paper.pdf (May 2021)
  12. Intel Corporation: Intel® hardware shield – intel® total memory encryption. https://www.intel.com/content/dam/www/central-libraries/us/en/documents/white-paper-intel-tme.pdf (2021)
  13. Intel Corporation: Intel® trusted execution technology (intel® txt). https://cdrdv2-public.intel.com/315168/315168˙TXT˙MLE˙DG˙rev˙017˙4.pdf (2023)
  14. kokke: tiny-aes-c. https://github.com/kokke/tiny-AES-c (December 2021)
  15. Lin, J.: Multi-key total memory encryption on windows 11 22h2. https://techcommunity.microsoft.com/t5/windows-os-platform-blog/multi-key-total-memory-encryption-on-windows-11-22h2/ba-p/3683043 (2022)
  16. MachineHunter: Smmpack. https://github.com/MachineHunter/SmmPack (2023)
  17. Malhotra, A.: Amd ryzen™ pro 5000 series mobile processors making defenses count: Designing for substantial depth. https://www.amd.com/system/files/documents/amd-security-white-paper.pdf (2021)
  18. shop, U.: Up squared pro atom quad core 04/64. https://up-shop.org/up-squared-pro-atom-quad-core-0464.html (2023)
  19. tpm2 software: tpm2-tools. https://github.com/tpm2-software/tpm2-tools (2023)
  20. The MITRE Corporation: CVE Search Results. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=smm (2023)
  21. TheSecMaster: Be Aware About these Six Unpatched SMM Vulnerabilities in HP Enterprise Devices. https://thesecmaster.com/be-aware-about-these-six-unpatched-smm-vulnerabilities-in-hp-enterprise-devices/ (September 2022)
  22. TianoCore Community: 38. SW SMI Confused Deputy SmramSaveState.c. https://edk2-docs.gitbook.io/security-advisory/sw-smi-confused-deputy-smramsavestate˙c (2021)
  23. TianoCore Community: Tcg trusted boot chain in edk ii. https://tianocore-docs.github.io/edk2-TrustedBootChain/release-1.00/3˙TCG˙Trusted˙Boot˙Chain˙in˙EDKII.html (March 2021)
  24. TianoCore Community: edk2. https://github.com/tianocore/edk2 (2023)
  25. Trusted Computing Group: Tcg platform reset attack mitigation specification. https://www.trustedcomputinggroup.org/wp-content/uploads/Platform-Reset-Attack-Mitigation-Specification.pdf (2008)
  26. Trusted Computing Group: https://trustedcomputinggroup.org/ (2023)
  27. Wojtczuk, R.: ANALYSIS OF THE ATTACK SURFACE OF WINDOWS 10 VIRTUALIZATION-BASED SECURITY. https://www.blackhat.com/docs/us-16/materials/us-16-Wojtczuk-Analysis-Of-The-Attack-Surface-Of-Windows-10-Virtualization-Based-Security.pdf (2016)

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now