All materials are licensed under a Creative Commons “Share Alike” license.
http://creativecommons.org/licenses/by-sa/3.0/
Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
SMRAM and Caching
Cache Basics
• Temporary storage located on the CPU
• Accesses to data/instructions in cache are much faster than those to physical memory
• Caching is available in all operating modes, including SMM
• Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs)
• MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory
• Typically configured by BIOS but can also be configured by the operating system as needed
From Intel Vol. 3. Ch. "Memory Cache Control"
Memory Caching Types
• Physical memory ranges can be defined as having one of these types of caching properties
• The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuk et al.
– Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09-duflot.pdf
– Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
• The attack is brilliant in its simplicity
From Intel Vol. 3. Ch. "Memory Cache Control"
Write-back (WB)
• The point of Write-back caching is to reduce the amount of bus traffic between the processor and memory
• Reads come from cache lines on cache hits
• Writes are performed in the cache and not immediately written/flushed to memory
• Both read and write misses cause cache fills
• Modified CPU cache lines are written back (write-back) to memory at a later time*
• Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache
• Subsequent reads/writes from/to that address will be from/to cache instead of memory
• Until the processor writes-back that cache to memory*
*Read the Intel Software Developers Guide Volume 3
[Slides 6–8: diagrams from https://cansecwest.com/csw09/csw09-duflot.pdf; slide 6 is labelled "(D_LCK bit)"]
The fix: SMRR
• The preceding is a great example of how security researchers can influence industry for the better. Damn fine job.
• System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture*
• Provides a PHYSBASE/PHYSMASK pair just like MTRRs
• Prevents the kind of attack that we just saw in the preceding example
• SMRR restricts access to the address range defined in the SMRR registers
• Defines the memory type (caching) for the SMRAM range
• SMRRs can be written to only when the processor is in SMM
• SMRR takes priority over MTRR in case of overlapping ranges
* This is one of the only architecture-dependent security mechanisms. Up to this point everything has been x32/x64 agnostic.
SMRR
• When the processor is in SMM:
– Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE
• When the processor is not in SMM:
– Memory reads return a fixed value (0xFF in my experience)
– Memory writes are ignored
– Memory type is Uncacheable
Verify SMRR Support: IA32_MTRRCAP
• SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set
• Verify next that it is being used
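Added example (not part of the original slides): both checks from this slide, support and "is it being used", carried out in C on raw MSR values. It assumes the SMRR field layout from the Intel SDM (memory type in PHYSBASE bits 7:0, base and mask in bits 31:12, valid flag in PHYSMASK bit 11); `smrr_decode`, `smrr_covers` and the sample register and TSEG values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MTRRCAP_SMRR    (1ULL << 11)   /* IA32_MTRRCAP bit 11: SMRR supported */
#define SMRR_MASK_VALID (1ULL << 11)   /* SMRR_PHYSMASK bit 11: range enabled */
#define SMRR_ADDR_BITS  0xFFFFF000ULL  /* bits 31:12 hold base / mask */

enum smrr_status { SMRR_OK, SMRR_UNSUPPORTED, SMRR_DISABLED,
                   SMRR_BAD_MASK, SMRR_MISALIGNED };

struct smrr_range { uint32_t base; uint32_t size; uint8_t type; };

/* Decode the three MSR values; fills *out only when the result is SMRR_OK. */
enum smrr_status smrr_decode(uint64_t mtrrcap, uint64_t physbase,
                             uint64_t physmask, struct smrr_range *out)
{
    if (!(mtrrcap & MTRRCAP_SMRR))     return SMRR_UNSUPPORTED;
    if (!(physmask & SMRR_MASK_VALID)) return SMRR_DISABLED;

    uint32_t base = (uint32_t)(physbase & SMRR_ADDR_BITS);
    uint32_t mask = (uint32_t)(physmask & SMRR_ADDR_BITS);
    uint32_t size = ~mask + 1u;        /* contiguous mask => power-of-two size */

    if (mask == 0 || (size & (size - 1)) != 0) return SMRR_BAD_MASK;
    if (base & (size - 1))                     return SMRR_MISALIGNED;

    out->base = base;
    out->size = size;
    out->type = (uint8_t)(physbase & 0xFF);    /* 0 = UC, 6 = WB */
    return SMRR_OK;
}

/* True if [addr, addr+len) lies entirely inside the SMRR-protected range. */
bool smrr_covers(const struct smrr_range *r, uint32_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)addr + len;
    return addr >= r->base && end <= (uint64_t)r->base + r->size;
}

int main(void)
{
    /* Constructed sample values, not read from real hardware. */
    uint64_t mtrrcap = 0xD0A, physbase = 0x7B000006, physmask = 0xFF800800;
    struct smrr_range r;
    enum smrr_status st = smrr_decode(mtrrcap, physbase, physmask, &r);
    if (st != SMRR_OK) {
        printf("SMRR not protecting SMRAM (status %d)\n", st);
        return 1;
    }
    printf("SMRR base=0x%08x size=0x%08x type=%u\n",
           (unsigned)r.base, (unsigned)r.size, (unsigned)r.type);
    /* Hypothetical TSEG range as reported by the chipset. */
    printf("TSEG covered: %s\n",
           smrr_covers(&r, 0x7B000000u, 0x00800000u) ? "yes" : "no");
    return 0;
}
```

Any part of SMRAM that `smrr_covers` reports as outside the decoded range still takes its caching type from the MTRRs, which is the condition SMRR was introduced to remove.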
SMRR MSR Number
• If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter)
• The MSR register addresses are non "architectural" and will therefore differ between architectures
– That’s why they are called Model-Specific Registers
• RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system
– As of latest version
For the reference: E6400 (Core2Duo)
Homework heads up
• Find the value of SMRR_PHYSBASE for your particular hardware


Editor's Notes

  • #4: This is not going to be a discussion on CPU architecture; for details on caching I recommend 3 sources: both the Intel and AMD Optimization Reference Manuals, and Agner Fog’s optimization references
  • #5: Todo, cite Loic's paper since they technically found it first