System Management Interrupts provide a pathway into System Management Mode, a privileged, OS-invisible execution space that can host malware and potentially enable firmware-level attacks via the BIOS. The article documents a defensive approach using Chipsec (with an added scan mode) to enumerate SMIs, measure their execution timing, and validate the method against outliers, with the method later merged upstream. #SystemManagementInterrupts #Chipsec #SMM #BIOS #Firmware
Keypoints
- SMIs enter System Management Mode (SMM), a privileged execution space with full memory access that the OS cannot see.
- Mainboard BIOS/firmware can expose SMI signaling via I/O addresses, creating risk for malware insertion and supply chain abuse.
- Chipsecβs smm_ptr module originally searched for SMI handlers by detecting memory changes; it did not enumerate SMIs by timing alone.
- A new scan mode in Chipsec triggers SMIs and returns elapsed time, aiming to identify long-running or anomalous SMI handlers.
- Initial tests showed periodic long runtimes that may reflect NMI handling interactions; a confirmation-read step filtered out these outliers.
- With confirmation reads, the average elapsed time stabilized around ~0.22 ms on a 3.5 GHz CPU, reducing the influence of outliers.
- Threshold-based scanning has limitations due to high variance and lack of confirmed SMI codes; the implementation was merged upstream in Chipsec for future releases.
MITRE Techniques
- [T1542.001] Modify BIOS/UEFI β Potential attacker could insert new firmware entry-points via BIOS; the article notes BIOS signing issues. β βThis makes the code running in SMM an ideal target for malware insertion and potential supply chain attacksβ¦ in situations where there is either no signature verification for the BIOS, or where such verification can be bypassed by the attacker.β
- [T1068] Exploit for Privilege Escalation β SMI/SMM runs with high privilege, OS has no visibility, enabling potential privilege escalation through firmware execution. β βSMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.β
- [T1195] Supply Chain Compromise β Risk of firmware-level compromise through BIOS and SMI mechanisms; discussion of attackers bypassing BIOS verification. β βno signature verification for the BIOS, or where such verification can be bypassed by the attacker.β
- [T1082] System Information Discovery β The article describes auditing/enumerating SMIs present on a running system. β βaudit the SMIs present on a running system β¦β
Indicators of Compromise
- [IO Port] B2h and B3h β SMI signaling and data exchange ports used by the processor to trigger and pass information to SMM. β B2h, B3h
- [Data Values] 0x09, 0x2C, 0x50, 0x73, 0x96, 0xB9, 0xDC β Data written to B3h as part of SMI signaling; used to identify specific SMI codes. β 0x09, 0x2C
Read more: https://research.nccgroup.com/2024/06/10/enumerating-system-management-interrupts/