Break things, write reports

Sitting in hardware

A tl;dr summary of System Management Mode (SMM), with light coverage of hardware backdoors and forensic capabilities

Posted at — Feb 2, 2019

A tl;dr summary of System Management Mode (SMM), with light coverage of hardware backdoors. Check out www.c7zero.info

This all started with a blog post on building a reliable SMM backdoor, but it turned into a rabbit hole. These were my notes from reading into it.

My understanding of sitting in SMM is:

Summarised: it’s a pretty good place to sit in; you’re not going to be observed when running.

In terms of when it spins up:

Unrelated to this, the rest of the UEFI booting seems to be:

Deploying things to the actual host:

Unsure when to detect this kind of thing. If you’re lucky you might be able to dump UEFI out of SPI flash and find things that way? [Edit: it looks like the Intel team made a tool for this exact thing, chipsec.]
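To make the "dump the flash and find things" idea concrete, here is an added example (not code from the original post, and not part of chipsec) that takes a raw SPI flash dump and a known-good dump of the same board and reports, firmware volume by firmware volume, which ones changed. It relies on the PI-spec layout of EFI_FIRMWARE_VOLUME_HEADER (ASCII signature `_FVH` at offset 40, FvLength at offset 32, FileSystemGuid at offset 16); the two images it analyses are constructed inline so the script runs offline, and in practice you would feed it the output of `chipsec_util spi dump` or a hardware programmer.

```python
"""Compare an SPI-flash (UEFI) dump against a known-good copy, per firmware volume.

Added example for this post; not from chipsec or the original author. The
header layout below is the PI-spec EFI_FIRMWARE_VOLUME_HEADER; the sample
images at the bottom are constructed test data, not real firmware.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_SIG_OFFSET = 40   # Signature field offset inside EFI_FIRMWARE_VOLUME_HEADER
FV_MIN_HEADER = 56   # fixed header bytes before the variable-length block map

# EFI_FIRMWARE_FILE_SYSTEM2_GUID, the usual FileSystemGuid of UEFI volumes
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


def find_firmware_volumes(image: bytes):
    """Return [(offset, filesystem_guid, length)] for every plausible FV header."""
    volumes = []
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            break
        start = sig - FV_SIG_OFFSET
        pos = sig + 1  # default: keep scanning just past this hit
        if start < 0 or start + FV_MIN_HEADER > len(image):
            continue
        fs_guid = uuid.UUID(bytes_le=image[start + 16:start + 32])
        (fv_length,) = struct.unpack_from("<Q", image, start + 32)
        # Reject hits whose FvLength does not fit the image: "_FVH" inside data.
        if FV_MIN_HEADER <= fv_length and start + fv_length <= len(image):
            volumes.append((start, str(fs_guid), fv_length))
            pos = start + fv_length  # skip over the whole volume
    return volumes


def diff_firmware(golden: bytes, suspect: bytes):
    """Classify each volume as ok / modified / missing / unexpected against golden."""
    findings = []
    gold = {off: (g, ln) for off, g, ln in find_firmware_volumes(golden)}
    sus = {off: (g, ln) for off, g, ln in find_firmware_volumes(suspect)}
    for off, (guid, length) in sorted(gold.items()):
        if off not in sus:
            findings.append(("missing", off, guid))  # header gone or relocated
            continue
        g_hash = hashlib.sha256(golden[off:off + length]).digest()
        s_hash = hashlib.sha256(suspect[off:off + length]).digest()
        findings.append(("ok" if g_hash == s_hash else "modified", off, guid))
    for off, (guid, _) in sorted(sus.items()):
        if off not in gold:
            findings.append(("unexpected", off, guid))  # volume not in golden
    return findings


def _make_volume(fs_guid: uuid.UUID, payload: bytes) -> bytes:
    """Build a minimal firmware volume: 56-byte header + payload (constructed)."""
    length = FV_MIN_HEADER + len(payload)
    header = (b"\x00" * 16                      # ZeroVector
              + fs_guid.bytes_le                # FileSystemGuid
              + struct.pack("<Q", length)       # FvLength
              + FV_SIGNATURE                    # Signature "_FVH"
              # Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
              + struct.pack("<IHHHBB", 0, FV_MIN_HEADER, 0, 0, 0, 2))
    return header + payload


def sample_images():
    """Constructed golden dump and a copy whose second volume was altered."""
    pad = b"\xff" * 64  # erased-flash padding between volumes
    vol_a = _make_volume(FFS2_GUID, b"DXE driver bytes".ljust(64, b"\x00"))
    vol_b = _make_volume(FFS2_GUID, b"SMM driver bytes".ljust(64, b"\x00"))
    tampered_b = _make_volume(FFS2_GUID, b"SMM driver bytes+".ljust(64, b"\x00"))
    golden = pad + vol_a + pad + vol_b + pad
    suspect = pad + vol_a + pad + tampered_b + pad
    return golden, suspect


if __name__ == "__main__":
    golden, suspect = sample_images()
    same = hashlib.sha256(golden).digest() == hashlib.sha256(suspect).digest()
    print("whole image identical:", same)
    for status, off, guid in diff_firmware(golden, suspect):
        print(f"{status:<10} FV @0x{off:06x} fs={guid}")
```

Two caveats worth keeping in mind: the comparison only covers bytes inside recognised firmware volumes, so also compare the whole-image hash (as `__main__` does) to catch changes in padding, NVRAM or the ME region; and a volume whose header has been destroyed shows up as "missing" rather than "modified", which is itself worth investigating.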

Is anyone looking for this stuff when doing IR? I didn’t see any content in SANS (sans this paper, which described the attack surface), but no courses on the matter. Lazy googling of popular forensics tools (EnCase) suggested it was also not a consideration.

Some research has been done into detection: a chip-based approach to detecting rootkits, 2007, ‘DeepWatch’, Intel’s idea of using a separate microcontroller to do detection, but it doesn’t appear this ever went anywhere (or was adopted in a widespread manner). There’s also a cool paper on the acquisition of compromised firmware using memory analysis (2015).

According to the paper:

The same names keep popping up in this sphere (Yuriy Bulygin, Oleksandr Bazhaniuk), who propose quite a few cool ideas (time measurement). They appear to have quite a bit of research: http://www.c7zero.info/

There’s also the question of AMT, or of just flashing firmware on other devices.

The posts I’m referring to are: