Tuesday, June 09, 2009

Quest to The Core

If you think SMM rootkits or PCI backdoors is low-level, then you should certainly see our talks in Vegas — ITL is going to define what does the "low-level" adjective really mean at the end of the decade ;)

In case you haven't noticed it at the Black Hat website yet — Alex and Rafal will be giving two presentations in Vegas:

1) Introducing Ring -3 Rootkits (description)

2) Attacking Intel® BIOS (description)

Let me stress that we have been in touch with Intel for quite some time about the above attacks, and that Intel is planning to release appropriate fixes a few weeks before our presentations at Black Hat.

There is more than just this coming at this year's Black Hat — most notably we will also be debuting with our Virtualization (In)Security Training. I will write a separate post about this training (containing a detailed agenda) in the coming days, so stay tuned.

Quite exciting.

8 comments:

davaeron said...

Great news.

MaD said...

Hmm, sounds interesting. Is there will be any sources of that rootkit?

ea1x said...

and not ine har2009? :-(
marc

Joanna Rutkowska said...

Sources? You're asking *us* about sources? Thought we already have established ourselves as The Ones Who Publishes The Code...

Anonymous said...

thanks for share it ,

Nima

Martin T said...

Sounds really cool with this ring -3 stuff.

I was so excited about your SMM attack. I remember when reading about SMM in Intel manuals back in '98 (it was there before, to be sure) there was something uncomfortable about the technology. I don't pretend to have foreseen your attack, I actually wasn't so concerned about the security aspect but more about the fact that the BIOS was so much in control even post boot and that there were things you as a user/programmer couldn't control even from ring 0(the BIOS can lock the SMM memory area, it can set port writes to triger SMM -- from any operating mode -- etc.).
So when I saw your exploit I still somehow thought my concerns on SMM were confirmed, albeit in a different way :)

Back to the -3 stuff one can only wonder what it is? Something related to TXT (bugs in authenticated modules, such as SINIT?), exploits in the chipset, in other CPU's on the mainboard (guess it wouldn't really be ring-3 in the usual sense)? Or something totally crazy like exploits of microcode bugs perhaps even subversion of the microcode update feature to get custom microcode running?Really puts your imagination at work - Knowing your past record I'm sure it will be great and will represent totally novel stuff! Looking forward to see the revelation! Too bad I can't be there to see it at Blackhat.

Joanna Rutkowska said...

@Martin: as usual we will publish the slides and code within a few days after the conference.

Martin T said...

@Joanna: Great! We will have to wait until then... maybe clues can be found if Intel releases fixes in the mean time :P