Trusted computing has been explored through several international initiatives. Trust in a platform generally requires a subset of its components to be trusted (typically the CPU, the chipset and a virtual machine hypervisor). These components are granted maximal privileges and constitute the so-called Trusted Computing Base (TCB), whose size should be kept minimal. The rest of the platform is only granted limited privileges and cannot perform security-critical operations. A few initiatives aim in particular at excluding the BIOS from the TCB (e.g., Intel® TxT and AMD SVM/SKINIT). However, the BIOS is responsible for providing some objects that need to be trusted for the computer to work properly. This paper focuses on two of these objects, the SMI handler and the ACPI tables, which are responsible for the configuration and the power management of the platform. We study to what extent these two components can reasonably be trusted. Despite the protections that are implemented, we show that an attacker can hide functions in either structure to escalate privileges. The main contributions of our work are to present an original mechanism that may be used by attackers to alter the SMI handler, and to describe how rogue functions triggered by an external stimulus can be injected inside ACPI tables (in our case, the attacker will plug and unplug the power supply twice in a row). We also explore the countermeasures that would prevent such modifications.
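The abstract's point that ACPI tables are BIOS-provided objects the platform implicitly trusts is easiest to appreciate by looking at what integrity checking the format itself offers. The following is an added example, not code from the paper or its authors: a small Python tool that parses the common ACPI table header, verifies the specification checksum, and records a SHA-256 baseline of each table so that a later change to the table body is detected. The sample DSDT bytes are constructed inline (the body is arbitrary filler, not real AML); the helper names (`build_table`, `audit`) and the OEM identifiers are this example's own assumptions. On a Linux host the same functions can be run over the files the kernel exposes under `/sys/firmware/acpi/tables`.

```python
import hashlib
import struct

# Common header shared by every ACPI System Description Table (36 bytes, little-endian):
# Signature, Length, Revision, Checksum, OEMID, OEM Table ID,
# OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9  # Signature(4) + Length(4) + Revision(1) -> checksum byte sits at offset 9


def parse_header(table: bytes) -> dict:
    """Decode the common header of any ACPI table (DSDT, SSDT, FADT, ...)."""
    if len(table) < ACPI_HEADER.size:
        raise ValueError("table shorter than the 36-byte ACPI header")
    sig, length, rev, csum, oemid, oemtid, oemrev, crid, crrev = ACPI_HEADER.unpack_from(table)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "checksum": csum,
        "oem_id": oemid.decode("ascii", "replace").strip(),
        "oem_table_id": oemtid.decode("ascii", "replace").strip(),
        "oem_revision": oemrev,
        "creator_id": crid.decode("ascii", "replace"),
        "creator_revision": crrev,
    }


def checksum_ok(table: bytes) -> bool:
    """The spec requires all bytes of the table, header included, to sum to 0 mod 256.
    This only catches accidental corruption: anyone who can rewrite the table can
    also recompute the checksum byte."""
    if parse_header(table)["length"] != len(table):
        return False
    return sum(table) % 256 == 0


def build_table(signature: bytes, body: bytes, oem_id: bytes = b"CONSTR") -> bytes:
    """Assemble a syntactically valid table around an arbitrary body (constructed sample,
    used here only to have something to parse offline)."""
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(signature, length, 2, 0, oem_id.ljust(6), b"SAMPLE01", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256  # make the whole table sum to zero
    return bytes(table)


def fingerprint(table: bytes) -> str:
    """Content hash of the full table; this, not the checksum, is what a baseline should store."""
    return hashlib.sha256(table).hexdigest()


def audit(baseline: dict, current: dict) -> list:
    """Compare a previously recorded {signature: fingerprint} map against the current one."""
    findings = []
    for sig, fp in baseline.items():
        if sig not in current:
            findings.append(f"{sig}: missing")
        elif current[sig] != fp:
            findings.append(f"{sig}: content changed")
    for sig in current:
        if sig not in baseline:
            findings.append(f"{sig}: new table")
    return findings


if __name__ == "__main__":
    # Constructed scenario: record a baseline, then see a rewritten DSDT flagged even
    # though its checksum byte was recomputed and the spec-level check still passes.
    good = build_table(b"DSDT", b"\x10\x1e" + b"constructed-filler-not-real-AML")
    baseline = {"DSDT": fingerprint(good)}
    rewritten = build_table(b"DSDT", b"\x10\x1e" + b"constructed-filler-with-extra-bytes")
    print(parse_header(good))
    print("checksum ok (original):", checksum_ok(good))
    print("checksum ok (rewritten):", checksum_ok(rewritten))
    print("audit findings:", audit(baseline, {"DSDT": fingerprint(rewritten)}))
```

The design point is the contrast between the two checks: the ACPI checksum is a transport-integrity aid that any writer of the table trivially satisfies, whereas a fingerprint recorded at a known-good moment (and ideally stored outside the platform, or bound to a measured-boot log) is what lets an operator notice that a table now differs from what the BIOS originally supplied.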