Smm and caching

Smm and caching

• 1.
  All materials arelicensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ 1 Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
• 2.
  SMRAM and Caching 2
• 3.
  Cache Basics • Temporarystorage located on the CPU • Accesses to data/instructions in cache are much faster than those to physical memory • Caching is available in all operating modes, including SMM • Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs) • MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory • Typically configured by BIOS but can also be configured by the operating system as needed 3 From Intel Vol. 3. Ch. "Memory Cache Control"
• 4.
  • Physical memoryranges can be defined as having one of these types of caching properties • The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuck et al. – Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09- duflot.pdf – Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • The attack is brilliant in its simplicity Memory Caching Types 4 From Intel Vol. 3. Ch. "Memory Cache Control"
• 5.
  Write-back (WB) • Thepoint of Write-back caching is to reduce the amount of bus traffic between the processor and memory • Reads come from cache lines on cache hits • Writes are performed in the cache and not immediately written/flushed to memory • Both read and write misses cause cache fills • Modified CPU cache lines are written back (write-back) to memory at a later time* *Read the Intel Software Developers Guide Volume 3 • Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache • Subsequent reads/writes from/to that address will be from/to cache instead of memory • Until the processor writes-back that cache to memory* 5
• 6.
  6 (D_LCK bit) https://cansecwest.com/csw09/csw09-duflot.pdf
• 7.
  7 https://cansecwest.com/csw09/csw09-duflot.pdf
• 8.
  8 https://cansecwest.com/csw09/csw09-duflot.pdf
• 9.
  The fix: SMRR •The preceding is a great example of how security researchers can influence industry for the better. Damn fine job. • System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture* • Provides a PHYSBASE/PHYSMASK pair just like MTRRs • Prevents the kind of attack that we just saw in the preceding example • SMRR restricts access to the address range defined in the SMRR registers • Defines the memory type (caching) for the SMRAM range • SMRRs can be written to only when the processor is in SMM • SMRR takes priority over MTRR in case of overlapping ranges * This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 9
• 10.
  SMRR • When theprocessor is in SMM: – Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE • When the processor is not in SMM: – Memory reads return a fixed value (0xFF in my experience) – Memory writes are ignored – Memory type is Uncacheable 10
• 11.
  Verify SMRR Support:IA32_MTRRCAP • SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set • Verify next that it is being used 11
• 12.
  SMRR MSR Number •If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter) • The MSR register addresses are non "architectural" and will therefore differ between architectures – That’s why they are called Model-Specific Registers • RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system – As of latest version For the reference E6400 (Core2Duo) 12
• 13.
  Homework heads up •Find the value of SMRR_PHYSBASE for your particular hardware 13