Friday, 29 May 2026

Black Hat Europe 2025 | Unveiling System Management Mode Memory Corruption Vulnerability Via Fuzzing

System Management Mode (SMM) is an operating mode of x86 processors for handling critical hardware events and chipset errors. SMM applications, which are designed to run in this mode, execute at a very high privilege level (commonly called Ring -2, above the kernel's Ring 0). With that privilege, SMM applications have almost unrestricted access to system resources. However, vendors commonly develop them in memory-unsafe languages such as C and C++, which makes them prone to memory corruption vulnerabilities; once one is compromised, an attacker may gain complete control over the system. This combination makes SMM applications a very attractive target.

While SMM applications are a crucial part of the foundation of low-level system software, applying efficient and effective fuzzing to them is a challenging and complex task. In this talk, we present the first systematic SMM application fuzzing framework designed specifically to detect memory corruption vulnerabilities in closed-source SMM applications. We observe that an SMM application, as part of the UEFI firmware, is expected to run inside a UEFI runtime environment; without such an environment, SMM applications cannot be correctly initialized and executed. We will therefore present all the technical details of an all-in-one solution for SMM application fuzzing. Our framework provides a fully featured UEFI runtime environment, which ensures that fuzzing does not end in early crashes or a high number of false positives. We also present the details of a universal fuzzing harness for successful fuzzing campaigns: the harness combines interface grouping with a memory access interception mechanism to infer input semantics, so that it can explore the deep logic of SMM applications.

Our framework has already proven its impact: in our experiments, we identified a total of 38 new vulnerabilities in firmware from nine well-known vendors. We will share the technical insights behind these discoveries and walk through several real-world case studies that highlight the power and versatility of our approach.

By: Jianqiang Wang | Dr.-Ing., Max Planck Institute for Security and Privacy https://ift.tt/GSgiRT2
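To make the bug class and the harness idea concrete, here is an added toy example in C. It is not code from the talk or its framework; it models physical memory as a small flat array with a constructed SMRAM window, writes an SMI handler that copies a reply to a caller-supplied pointer (the classic SMM memory corruption pattern), puts the hardened form beside it, and drives both with a minimal mutation loop in which every store passes through an intercepting accessor so that writes landing in SMRAM can be counted. The comm-buffer layout, the address constants and the handler names are all invented for the illustration; the validity check mirrors the intent of EDK2's SmmIsBufferOutsideSmmValid but is re-implemented here from scratch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of physical memory: a 64 KiB flat array with a
 * simulated SMRAM window inside it. These offsets are not real addresses. */
#define MEM_SIZE    0x10000u
#define SMRAM_BASE  0x8000u
#define SMRAM_SIZE  0x4000u
#define SCRATCH_LEN 0x100u     /* the handler's own state lives at SMRAM_BASE */
#define COMM_BASE   0x1000u    /* where the caller places its communication buffer */

static uint8_t g_mem[MEM_SIZE];
static int     g_violations;   /* stores that landed in SMRAM outside the scratch area */

/* Header of the caller-controlled communication buffer (constructed layout). */
typedef struct {
    uint32_t command;
    uint32_t resp_len;
    uint32_t resp_ptr;   /* untrusted: the caller chooses where the reply is written */
} comm_header_t;

/* True when [addr, addr+len) lies entirely outside SMRAM and does not wrap.
 * Same intent as EDK2's SmmIsBufferOutsideSmmValid, re-implemented here. */
bool buffer_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;   /* empty or wrapped range */
    uint64_t end = addr + len;
    return end <= SMRAM_BASE || addr >= (uint64_t)SMRAM_BASE + SMRAM_SIZE;
}

/* Intercepting store: every write the handler makes passes through here, so the
 * harness observes where each one lands instead of trusting the handler. */
static void mem_write(uint32_t dst, const void *src, uint32_t len) {
    if (len == 0 || (uint64_t)dst + len > MEM_SIZE) return;   /* keep the model itself in bounds */
    uint64_t end = (uint64_t)dst + len;
    bool in_scratch = dst >= SMRAM_BASE && end <= SMRAM_BASE + SCRATCH_LEN;
    bool hits_smram = dst < SMRAM_BASE + SMRAM_SIZE && end > SMRAM_BASE;
    if (hits_smram && !in_scratch) g_violations++;
    memcpy(g_mem + dst, src, len);
}

typedef void (*smi_handler_t)(uint32_t comm);

/* Handler that trusts the caller's reply pointer: the bug class the talk targets. */
void handle_smi_unchecked(uint32_t comm) {
    comm_header_t h;
    memcpy(&h, g_mem + comm, sizeof h);
    uint32_t counter = 1;
    mem_write(SMRAM_BASE, &counter, sizeof counter);   /* legitimate write to own state */
    uint8_t reply[64] = {0};
    uint32_t n = h.resp_len > sizeof reply ? sizeof reply : h.resp_len;
    mem_write(h.resp_ptr, reply, n);                    /* may land anywhere, SMRAM included */
}

/* Hardened handler: refuses any reply buffer that touches SMRAM. */
void handle_smi_checked(uint32_t comm) {
    comm_header_t h;
    memcpy(&h, g_mem + comm, sizeof h);
    uint32_t counter = 1;
    mem_write(SMRAM_BASE, &counter, sizeof counter);
    uint8_t reply[64] = {0};
    uint32_t n = h.resp_len > sizeof reply ? sizeof reply : h.resp_len;
    if (!buffer_outside_smram(h.resp_ptr, n)) return;   /* reject before writing */
    mem_write(h.resp_ptr, reply, n);
}

/* Minimal harness: mutate the header fields, run the handler, count SMRAM writes. */
int fuzz(smi_handler_t handler, int iterations, unsigned seed) {
    srand(seed);
    g_violations = 0;
    for (int i = 0; i < iterations; i++) {
        comm_header_t h = { .command  = (uint32_t)rand(),
                            .resp_len = (uint32_t)rand() % 128,
                            .resp_ptr = (uint32_t)rand() % MEM_SIZE };
        memcpy(g_mem + COMM_BASE, &h, sizeof h);
        handler(COMM_BASE);
    }
    return g_violations;
}

int main(void) {
    printf("unchecked handler: %d SMRAM writes\n", fuzz(handle_smi_unchecked, 2000, 1));
    printf("checked handler:   %d SMRAM writes\n", fuzz(handle_smi_checked, 2000, 1));
    return 0;
}
```

The interesting part for a fuzzing campaign is that the handler's own store to its scratch area is allowed while any caller-steered store into SMRAM is flagged, which is the kind of oracle a memory access interceptor gives you: a crash is not required to notice the bug. The real framework described in the talk operates on closed-source binaries inside an emulated UEFI runtime rather than on a flat array, so treat this purely as an illustration of the check and the oracle.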

source https://www.youtube.com/watch?v=OXxSc4-sn9Q
