RESEARCH | July 6, 2023

Back to the Future with Platform Security | Enrique Nissim, Krzysztof Okupski, Joseph Tartaro

During our recent talk at HardwearIO (see here, slides here) we described a variety of AMD platform misconfigurations that could lead to critical vulnerabilities, such as:

  • TSEG misconfigurations breaking SMRAM protections
  • SPI controller misconfigurations allowing SPI access from the OS
  • Platform Secure Boot misconfigurations breaking the hardware root-of-trust

Here we provide a brief overview of the essential register settings and explain how our internally developed tool Platbox (see here) can be used to verify them and, where they are misconfigured, to exploit them.

In a previous blog post about AMD platform security (see here) we explained how forgetting to set a single lock can lead to a complete compromise of System Management Mode (SMM).

To recap, on modern systems SMM lives in a protected memory region called TSEG and four Model Specific Registers (MSRs) need to be configured to guarantee these protections:

RESEARCH | February 16, 2023

Adventures in the Platform Security Coordinated Disclosure Circus

IOActive research members continue the work on UEFI security and coordinated disclosure challenges. Platform security is one of the specialized service lines IOActive offers and we have worked with many vendors across the industry.

In a previous blog post, IOActive researchers examined various targets while developing tooling that we believe will help the industry make platform security improvements, focused on AMD systems. In that post we disclosed a number of security issues to ASUS and AMI in an SMM module called SecSMIFlash. This module garnered some attention after Alexander Matrosov (BlackHat USA 2017) demonstrated how its SMI handlers failed to check input pointers with SmmIsBufferOutsideSmmValid(), resulting in CVE-2017-11315.

RESEARCH | November 2, 2022

Exploring the security configuration of AMD platforms

TLDR: We present a new tool for evaluating the security of AMD-based platforms and rediscover a long-forgotten vulnerability class that allowed us to fully compromise SMM in the Acer Swift 3 laptop (see Acer’s advisory).

Introduction

In the last decade, a lot of interesting research has been published around UEFI and System Management Mode (SMM) security. To provide a bit of background, SMM is the most privileged CPU mode on x86-based systems; it is sometimes referred to as ring -2 as it is more privileged than the kernel and even the hypervisor. Therefore, keeping SMM secure must be one of the main goals of the UEFI firmware.

One thing that caught our attention is that most, if not all, of the publicly available material is focused on Intel-based platforms. Since the release of CHIPSEC [1], the world has had a tool to quickly determine if the firmware does a good job protecting the system after the DXE phase and, as a result, it is hard to find misconfigured firmware in laptops from any of the major OEMs in 2022.