Sebastian Schrittwieser and Julian Rauchberger presented our work on System Management Mode malware at DeepSec 2016.
Title: Advanced Concepts for SMM Malware
Abstract: Hiding malware inside the BIOS/UEFI of a computer has long been deemed a theoretical threat rather than an actual attack vector. Implementation seemed too difficult and the benefits for malicious actors aiming for quick profits were considered negligible. However, with the recent rise of Advanced Persistent Threats (APTs) and state-sponsored attacks, sophisticated targeted attacks are now considered a realistic threat. For skilled attackers seeking for high stealth and persistence rather than widespread infection, the BIOS/UEFI of a computer provides an ideal target. The System Management Mode (SMM) is a legacy mode of operation available in x86 and x86-64 CPUs. Originally, SMM was intended to be used for maintenance tasks such as power and thermal management. It is a highly privileged mode of operation which has free I/O access, can directly interact with memory and has no hardware memory protections enabled.
Our talk starts with a historical overview on previous SMM-based attacks. Most existing approaches are simple proof-of-concept implementations that do not explore the potential of threats stemming from SMM malware. In response to this deficit we present novel, advanced concepts for SMM malware, focussing on stealth, portability (including full Intel 64-bit support), and OS (memory layout) awareness of malware. Our talk aims at encouraging further research into the threat of SMM malware and enables the development of practical countermeasures against BIOS/UEFI malware.