  1. #1 New Lounger (joined Aug 2015)

    Ring-2 - System Management Mode. Can this hide malware ?

    This article got me thinking. If you were a state-sponsored huge group of programmers that wanted to take control of any machine at any time, you would want to bake that into chips, right? Why fool with the OS when you can bake your hook right into the chip. http://www.theregister.co.uk/2015/08...el_processors/

    So... If there is a cycle count in the CPU and no CPU instruction, or significant amount of instructions, could be done without incrementing the CPU count, then you could at least see that SOMETHING was taking up CPU cycles? Is there software that looks for differences in the actual CPU cycle count and what should have been used from the OS?

    Also, assuming the baked-in code could mask a CPU count, is it possible to synthesize this from the type of CPU and clock speed and then compare to what should have been used by the OS?

    It would seem this would be an almost infallible method to detect if something is trying to hide and run code. It would obviously take some interpretation and looking at to determine what it was.

  2. #2 New Lounger (joined Aug 2015)
    This seems to be a difficult problem. If malicious code is built into the chip, how to detect it......

    It would make sense to bake into CPUs and Microcontrollers code that can be triggered remotely and allow complete control allowing insertion of additional code into any OS any code desired. This must be the ultimate dream of a spy agency.

    In fact, code like this could be baked into any chip that sits on the bus. So say an Intel Ethernet controller chip that has Wake On LAN.

    Networking chips, WiFi controllers, ARM processors, CPUs/Microcontrollers are in EVERYTHING. If code got slipped into these chips, wow. It might be possible to block access to CPU/Microcontroller code like this from the OS, but, if it's baked into the Ethernet controller and on the bus, it seems impossible to block.

    Soooo...... How to spot this? NOT EASY.

    Most likely the CPU would get some form of crazy interrupt and pause what it's doing. So the OS would see missing CPU cycles. Also its RF output would change and maybe its thermal characteristics.

    So Intel had this "bug" for 17 years in tons of CPUs. It seems completely plausible that some form of this is in there now. If not, I would imagine it will be soon. Chips made offshore could be corrupted far more easily. At the least, this 17 year old bug will be exploited and very hard to spot.

    So some tool needs to be developed to detect this sort of thing. It's not like Intel or AMD is likely to publish open source code. Even then what really gets burned into the chips could be different.

    Sooo... How to do this?

  3. #3 wavy, Silver Lounger (joined Dec 2009, ny)
    If you REALLY want to get paranoid read about Intel Management Technology.


    David

    Just because you don't know where you are going doesn't mean any road will get you there.

  4. #4 New Lounger (joined Aug 2015)
    Quote Originally Posted by wavy:
        If you REALLY want to get paranoid read about Intel Management Technology.


    I think that is what I'm talking about? System Management Mode and the rings.

    Also.. I'm not a paranoid person at all. I don't care at all myself, however, this might be the biggest computer security hole in history and may affect an incredible number of devices. I was just thinking that if I was in charge and could exert unfathomable pressure on any US company to do anything I wanted in the name of national security, this is what I would do. Bake it into the chips. It's just so obvious. Then when this odd 16 year old "bug" surfaced, I kinda figured it was not a bug at all, or maybe it just looks like a bug, good cover story should it ever be found. This all seems actually reasonable? Snowden has shown far more incredible things have happened, so this may not be unreasonable.

    Zero doubt, this can be done. Just bake the hooks right into the chips. It's so easy and fairly foolproof.

    It all seems reasonable. I don't believe in BigFoot and I don't wear a tin foil hat.

    What I'm interested in from this forum is if anyone knows of a tool that counts real CPU cycles and compares with what the OS is actually using. Viruses are doing this now to detect a virtual machine, so the code exists. I would like to harness it for a good use.
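    Post #1 asks whether cycles that vanish from the OS's view could expose code running in System Management Mode, and #4 asks for a tool that compares real CPU cycles with what the OS accounts for. The program below is an added example, not something from this thread: it samples the cycle counter in a tight loop and flags iterations that took far longer than the median, which is how SMI-latency detectors work. It assumes an x86 CPU for rdtsc and falls back to a nanosecond clock elsewhere; the threshold factor of 50 is a constructed starting point.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Cycle counter: rdtsc on x86 (assumed to be the "real CPU cycles" the
 * thread means); a monotonic nanosecond clock on other architectures. */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_counter(void) { return __rdtsc(); }
#else
static uint64_t read_counter(void) {            /* non-x86 fallback */
    struct timespec ts; clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* Median of the deltas: a robust estimate of one undisturbed loop iteration. */
uint64_t baseline_of(const uint64_t *deltas, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, deltas, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t med = tmp[n / 2];
    free(tmp);
    return med;
}
/* Iterations that took more than factor x baseline: intervals in which the
 * CPU was taken away from this loop by something the loop never observed. */
size_t count_outliers(const uint64_t *deltas, size_t n, uint64_t factor) {
    uint64_t limit = factor * baseline_of(deltas, n);
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (deltas[i] > limit);
    return hits;
}
/* Record n back-to-back counter deltas from a tight loop. */
void sample_deltas(uint64_t *deltas, size_t n) {
    uint64_t prev = read_counter();
    for (size_t i = 0; i < n; i++) {
        uint64_t now = read_counter(); deltas[i] = now - prev; prev = now;
    }
}
int main(void) {
    enum { N = 200000 }; static uint64_t d[N];
    sample_deltas(d, N);
    printf("baseline %llu, suspicious gaps %zu of %d\n",
           (unsigned long long)baseline_of(d, N), count_outliers(d, N, 50), N);
    return 0;
}
```

    Ordinary interrupts, preemption and frequency scaling also produce gaps, so pin the process to one core and compare the count against the OS's own interrupt and context-switch accounting; a surplus of gaps the OS cannot explain is the signal, never a single outlier.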

  5. #5 wavy, Silver Lounger (joined Dec 2009, ny)
    Yup!
    I think Intel Management Technology, AMT is actually scarier.
    That's why we don't use Chinese routers, but of course they make some chips for Cisco so they have most likely been compromised already.
    David

    Just because you don't know where you are going doesn't mean any road will get you there.

  6. #6 4 Star Lounger (joined Jan 2010, Fort McMurray, Alberta, Canada)
    The problem with malicious code in hardware is that the plausible deniability goes away. You know who sourced the product and who is responsible for that exploit. Since hardware is rarely upgraded at the chip level, evidence of the malware persists for years or decades. It's an extremely risky approach for any agency to attempt.

    I also suspect that finding such functions isn't as difficult as you seem to think. Reverse engineering hardware is a long-standing skill. Further, imagine you are a CPU maker. You discover malware in a competitor's product. How tempting is that for you to release that information and advertise that your product "doesn't spy on customers"?

    What is more problematic I think are legitimate system management functions that get exploited for malware purposes. If malware can access management mode and do something creepy with it, that becomes a very attractive attack vector.

  7. #7 wavy, Silver Lounger (joined Dec 2009, ny)
    Quote Originally Posted by BHarder:
        The problem with malicious code in hardware is that the plausible deniability goes away. You know who sourced the product and who is responsible for that exploit.

    Of course. However are you familiar with the phrase "hidden in plain sight"? It is of course spoken of as a management tool. Why would anybody think bad of a 'tool'? It is a very useful tool, does not even need the Operating System to be running! Exploit, heck no, just a tool! Very useful. Being firmware it can of course be amended. Completely transparent to 99.99999999% of users, no need to bother anybody, nope.
    'These aren't the droids you're looking for.' 'These aren't the droids we're looking for.' 'He can go about his business. ' 'You can go about your business.' 'Move along. ' 'Move along... move along. '


    David

    Just because you don't know where you are going doesn't mean any road will get you there.
