# **SMM Protection in EDK II** Spring 2017 UEFI Seminar and Plugfest March 27 - 31, 2017 Jiewen Yao, Intel Corporation # Agenda - More Protection - SMM Memory Protection - -CommBuffer Enforcement - -ASLR in SMM - Guard Page - -Reduce SMI Handler - Summary / Call to Action # What is SMM and SMI? - System Management Mode (SMM) - Is a special CPU operating mode. - Is inside of a special SMM memory (SMRAM) - Access the whole system memory and IO, including OS memory and hypervisor memory. - Is invoked through a System Management Interrupt (SMI) - Has software executive (SMI handler) to perform operation based upon different SMI. # **Known SMM Attacks** | SMM Attack | Description | Example | |---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| | SMRAM is unlocked | An attacker can set register to unlock SMRAM, and override SMRAM. | A.1, A.2 | | Cache Poisoning | An attacker can set CPU cache to override SMRAM. | A.3, A.4 | | SMRAM remap | An attacker can control chipset register to remap a normal system memory to SMRAM. | A.5 | | Branch Outside of SMRAM | SMM code calls outside of SMRAM, which is controlled by the attacker. | A.6, A.7 | | SMM Communication Buffer Attack | SMM code uses SMM communication buffer to exchange information with non-SMM agent. The attacker can give a malicious communication buffer to SMM, and the SMM may write SMRAM or Virtual Machine Monitor (VMM). | A.8, A.9 | # **Known Mitigation** | SMM Attack | Mitigation | |-----------------------------|----------------------------------------------------------------------------------------------------------------| | SMRAM is unlocked | 1) Lock SMRAM at PI SmmReadyToLock. | | Cache Poisoning | 1) Enable SMM Range Register. | | SMRAM remap | 1) Lock Remap register. | | Branch Outside of SMRAM | <ol> <li>Enable Smm_Code_Access Register.</li> <li>Setup Non-Executable (NX) paging outside of SMM.</li> </ol> | | SMM Communication<br>Attack | <ol> <li>Check SMM Communication Buffer.</li> <li>Check MemoyMapped IO (MMIO) bar access.</li> </ol> | New methods may be discovered # **Current SMRAM Layout** - Every page in SMRAM is read/write - Every page in SMRAM is executable | MSEG | | |----------------------|--| | PiSmmCore (PE/COFF) | | | SMM Driver (PE/COFF) | | | PiSmmCpu (PE/COFF) | | | SMM Save State | | | SMM Stack | | | SMM IDT/GDT | | | SMM Page Table | | | SMM Driver (PE/COFF) | | | Other Heap Data | | | ••• | | | SMM S3 Resume State | | SPA - **MSEG** PiSmmCore (PE/COFF) SMM Driver (PE/COFF) PiSmmCpu (PE/COFF) **SMM Save State** SMM Stack SMM IDT/GDT SMM Page Table SMM Driver (PE/COFF) Other Heap Data ••• SMM S3 Resume State **SMM Memory Protection** PE Header PE Code PE Data CPU m Save State CPU 2m - 1 SMI Entry CPU m-1 Save State CPU 2m-2 SMI Entry **CPU 1 Save State** CPU m SMI Entry **CPU O Save State** CPU m-1 SMI Entry pad **CPU 1 SMI Entry** pad **CPU 0 SMI Entry** RO XD **TSEG** Using static page table Set NonExecutable (NX) for data - Set ReadOnly(RO) for code - Protect page itself - SMM driver can protect its own critical data in ReadOnly(RO) memory PE Code PE Data Page Table SMM EntryPoint Save State IDT/GDT Data (Stack/Heap) **RO-Data** - Prevents code injection - Protects critical data (read-only) - Limitations - Return-oriented programming (ROP) attack. - Size overhead - PE image: 6K \* SmmImageCount (average) - Static Page Table: 2M (1G paging for 48bit) # CommBuffer Enforcement # SMM CommBuffer Attack # Current CommBuffer Check SMI handler MUST check SMM communication buffer content by writing code like below: ``` if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n")); return EFI_SUCCESS; } ``` • But if the check is missing, there is no way to detect such problem. # CommBuffer Enforcement **BootCode BootData** Valid MMIO **MMIO SMRAM** Policy Enforcement Reserved Valid **SMM ACPINvs** Page Table **SmmComm** RuntimeCode Buffer RuntimeData **ACPI Reclaim BootCode BootData** LoaderCode **Not-Present** LoaderData # CommBuffer Enforcement - Resist comm buffer attack even the CommBuffer check is missing in SMM driver - Protects hypervisors - Limitation - This enforcement is not applied to hotplug memory, which is still read/write. - MMIO region is mapped. SMI handler need make sure MMIO bar point to a valid region. # Address Space Layout Randomization (ASLR) in SMM UEFI Plugfest – March 2017 www.uefi.org 16 # **Current SMM Layout** - The layout is fixed. - This attack may find out a sequence of instruction existed in code region (gadgets) and execute. (ROP) - This ROP attack can bypass NX/RO protection. | MSEG | | |----------------------|--| | PiSmmCore (PE/COFF) | | | SMM Driver (PE/COFF) | | | PiSmmCpu (PE/COFF) | | | SMM Save State | | | SMM Stack | | | SMM IDT/GDT | | | SMM Page Table | | | SMM Driver (PE/COFF) | | | Other Heap Data | | | | | | SMM S3 Resume State | | # Image Shuffle | Image A | |---------| | Image C | | Image B | | Image D | | | | Image C | |---------| | Image B | | Image D | | Image A | | | | Image D | |---------| | Image B | | Image A | | Image C | | | 1<sup>st</sup> Boot 2<sup>nd</sup> Boot 3<sup>rd</sup> Boot As such, it makes difficult for attacker to locate gadgets for ROP attack. # **Heap Shift** It makes difficult for attacker to locate gadget for ROP attack. MAX - Random SmmCore Random MAX - Random SMM Heap MAX-Random Stack Random MAX-Random PageTable Random Random Fixed Length 2(Entropy) 2(Entropy) ## **ASLR in SMM** Make Buffer Overflow/ROP attack harder, because the memory layout is changed in each boot. ### Limitations - SMM is a resource constrained environment. Entropy for Heap Shift might be not so big. - Information leakage in SMM (LoadedImageProtocol) # **Guard Page** **Current Memory Allocation** - Page overflow cannot be detected - Pool overflow can only be detected when memory is freed, because of POOL\_TAIL signature check at FreePool() Allocated Page POOL\_HEAD Allocated Pool POOL\_TAIL POOL\_HEAD Allocated Pool POOL TAIL Allocated Page # **New Page Allocation** Guard Page (Not Present) > Allocated Pages Guard Page (Not Present) One Allocation for AllocatePages() 2 guard pages (8K) # New pool allocation Guard Page (Not Present) POOL\_HEAD (phd0) Allocated Pool POOL\_TAIL (ptal) Guard Page (Not Present) One Allocation for AllocatePool() 2 guard pages (8K) + 4K page alignment # **Guard Page** - Catch page overflows when they happen - Catch pool overflows when they happen - Limitation - Memory size overhead - Additional 8K for each page allocation. - Additional 8K+4K alignment for each pool allocation. - It might need above 128M SMRAM. - A debug feature, because of size overhead. # Reduce SMI Handler UEFI Plugfest – March 2017 www.uefi.org 26 ## **SMI Handlers** SMI Handler == Attack Surface - Question: - How many SMI handlers in the BIOS? - How many Root SMI handlers, GUID handlers, software SMI handlers, .....? # **SMI Handler Profile** # **SMI Handler Profile** - Developer can check if the SMI handler is necessary - Test engineer can use it for validation - Limitation - Only used as a debug feature (info leakage) - The profile only shows info, which requires further analysis # Summary - SMM is a target due to high execution privilege - There are known SMM attacks and mitigations - Developers can do more to protect SMM - SMM Memory Protection - CommBuffer Enforcement - ASLR in SMM - Guard Page - Reduce Number of SMI Handlers # **Call To Action** - Adopt "SMM Memory Protection" and "CommBuffer enforcement" to harden the platform. [P.1][P.2] - Use "SMI handler profile" to audit the SMI handlers. [P.3] - Evaluate "ASLR in SMM" and resolve information leakage. [P.4] - Use "GuardPage" to validate buffer overflow. [P.4] # Acknowledgement Some content of the material is discussed with UEFI BIOS and security experts Special thanks to Vincent Zimmer (Intel), Kirt Brannock (Intel), Jeremiah Cox (Microsoft), Sean Brogan (Microsoft) # Reference ### Attacks - [A.1] Using CPU SMM to Circumvent OS Security Functions (<a href="http://fawlty.cs.usfca.edu/~cruse/cs630f06/duflot.pdf">http://fawlty.cs.usfca.edu/~cruse/cs630f06/duflot.pdf</a>) - [A.2] Using SMM For Other Purposes (<a href="http://phrack.org/issues/65/7.html">http://phrack.org/issues/65/7.html</a>) - [A.3] Attacking SMM Memory via Intel Cache Poisoning (<a href="http://invisiblethingslab.com/resources/misc09/smm">http://invisiblethingslab.com/resources/misc09/smm</a> cache fun.pdf) - [A.4] Getting Into the SMRAM: SMM Reloaded (<a href="http://www.politicalavenue.com/libraryebooks/cryptology-and-cryptography/csw09-duflot.pdf">http://www.politicalavenue.com/libraryebooks/cryptology-and-cryptography/csw09-duflot.pdf</a>) - [A.5] Attacking-Intel-TXT (<a href="http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20slides.pdf">http://invisiblethingslab.com/resources/bh09dc/Attacking%20Intel%20TXT%20-%20slides.pdf</a>) - [A.6] BIOS SMM Privilege Escalation Vulnerabilities (<a href="http://www.securityfocus.com/archive/1/505590">http://www.securityfocus.com/archive/1/505590</a>) - [A.7] System Management Mode Design and Security Issues (<a href="http://www.ssi.gouv.fr/uploads/IMG/pdf/IT\_Defense\_2010\_final.pdf">http://www.ssi.gouv.fr/uploads/IMG/pdf/IT\_Defense\_2010\_final.pdf</a>) - [A.8] A New Class of Vulnerabilities in SMI Handlers (<a href="https://cansecwest.com/slides/2015/A%20New%20Class%20of%20Vulnin%20SMI%20-%20Andrew%20Furtak.pdf">https://cansecwest.com/slides/2015/A%20New%20Class%20of%20Vulnin%20SMI%20-%20Andrew%20Furtak.pdf</a>) - [A.9] BARingthe System (<a href="http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017">http://www.intelsecurity.com/advanced-threat-research/content/data/REConBrussels2017</a> BARing the system.pdf) ### Reference ### Protection: - [P.1] A\_Tour\_Beyond\_BIOS\_Secure\_SMM\_Communication (<a href="https://github.com/tianocore-docs/Docs/raw/master/White\_Papers/A\_Tour\_Beyond\_BIOS\_Secure\_SM\_M\_Communication.pdf">https://github.com/tianocore-docs/Docs/raw/master/White\_Papers/A\_Tour\_Beyond\_BIOS\_Secure\_SM\_M\_Communication.pdf</a>) - [P.2] A\_Tour\_Beyond\_BIOS\_Memory\_Protection\_in\_UEFI (<a href="https://www.gitbook.com/book/edk2-docs/a-tour-beyond-bios-memory-protection-in-uefi-bios/details">https://www.gitbook.com/book/edk2-docs/a-tour-beyond-bios-memory-protection-in-uefi-bios/details</a>) - [P.3] SMI Handler Profile Feature (<a href="https://github.com/tianocore/tianocore.github.io/wiki/SMI-handler-profile-feature">https://github.com/tianocore/tianocore.github.io/wiki/SMI-handler-profile-feature</a>) - [P.4] A\_Tour\_Beyond\_BIOS\_Securiy\_Enhancement\_to\_Mitigate\_Buffer\_Ove rflow\_in\_UEFI (https://github.com/tianocore-docs/Docs/raw/master/White Papers/A Tour Beyond BIOS Security Enhancement to Mitigate Buffer Overflow in UEFI.pdf) # Thanks for attending the Spring 2017 UEFI Seminar and Plugfest THE STATE OF S For more information on the UEFI Forum and UEFI Specifications, visit <a href="http://www.uefi.org">http://www.uefi.org</a> presented by