The SMM code lives in a specially protected region of system memory, called SMRAM. The memory controller offers dedicated locks to limit access to SMRAM memory only to system ﬁrmware (BIOS). BIOS, after loading the SMM code into SMRAM, can (and should) later "lock down" system conﬁguration in such a way that no further access, from outside the SMM mode, to SMRAM is possible, even for an OS kernel (or a hypervisor).
Rafal Wojtczuk and Joanna Rutkowska today published a paper that discusses an architectural problem affecting Intel-based systems that allow for unauthorized access to SMRAM. It also discusses how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.