The emergence of hardware virtualization technology has led to the development of OS-independent malware such as virtual machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: the System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment, which is generally invisible to code running outside it (e.g., the operating system). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof-of-concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset-level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing operating system. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective, we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS-independent malware.