any thoughts on how to address SMM (System Management Mode) attacks? this code resides in the vulnerable motherboard's bioses, and hence outside of the os. this is, in a sense, more of a free software issue. it is a part of your computer that you do not have control over. maybe a statement recommending non-usage of vulnerable boards would be warranted?

mike

[0] http://www.securityfocus.com/archive/1/505590/30/0/threaded
[1] http://www.phrack.org/issues.html?issue=66&id=11#article

* Michael S. Gilbert:
> any thoughts on how to address SMM (System Management Mode) attacks?
> this code resides in the vulnerable motherboard's bioses, and hence
> outside of the os.

It's really not much different than flashable components of any other kind (NIC or disk firmware). The approach may be new, but the dangers aren't.

On Mon, Aug 10, 2009 at 1:25 AM, Florian Weimer wrote:
> * Michael S. Gilbert:
>
>> any thoughts on how to address SMM (System Management Mode) attacks?
>> this code resides in the vulnerable motherboard's bioses, and hence
>> outside of the os.
>
> It's really not much different than flashable components of any other
> kind (NIC or disk firmware). The approach may be new, but the dangers
> aren't.

right, but debian now has almost all free software firmwares for those devices, and hence those threats are mostly nullified, right?

i think one of the key problems is that SMM updates can be initiated by the remote attacker without authentication; in fact this is intentional to be able to track stolen laptops. the solution proposed to the vendor is in fact an authentication mechanism, but asus hasn't responded, which is very very disappointing, but tends to be the case in the hardware industry, so isn't unexpected.

mike

* Michael S. Gilbert:
> right, but debian now has almost all free software firmwares for those
> devices, and hence those threats are mostly nullified, right?

Only for firmware which is not that firm and lost if the power is gone. If the manufacturer hasn't got rid of flash to store the firmware, it's not particularly likely that Debian ships it.

> i think one of the key problems is that SMM updates can be initiated
> by the remote attacker without authentication; in fact this is
> intentional to be able to track stolen laptops.

Aren't you confusing two separate attacks? It's also quite unlikely that those devices phone home by default. Why should you provision resources to non-customers?

On Mon, 10 Aug 2009 21:13:53 +0200, Florian Weimer wrote:
> * Michael S. Gilbert:
>
> > right, but debian now has almost all free software firmwares for those
> > devices, and hence those threats are mostly nullified, right?
>
> Only for firmware which is not that firm and lost if the power is
> gone. If the manufacturer hasn't got rid of flash to store the
> firmware, it's not particularly likely that Debian ships it.
>
> > i think one of the key problems is that SMM updates can be initiated
> > by the remote attacker without authentication; in fact this is
> > intentional to be able to track stolen laptops.
>
> Aren't you confusing two separate attacks? It's also quite unlikely
> that those devices phone home by default. Why should you provision
> resources to non-customers?

i'll admit that i honestly don't know much about SMM, but i would imagine that it does phone home by default since its job is to track stolen laptops, and it would need to phone somewhere to convey that information. again, i haven't really done enough research to fully understand the attack, but it sounds like they can push updates to SMM (such as a key logger) at will, without any interaction with the os.

mike