SlideShare a Scribd company logo
1 of 13
All materials are licensed under a Creative
Commons “Share Alike” license.
http://creativecommons.org/licenses/by-sa/3.0/
1
Attribution condition: You must indicate that derivative work
"Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
SMRAM and Caching
2
Cache Basics
• Temporary storage located on the CPU
• Accesses to data/instructions in cache are much faster than
those to physical memory
• Caching is available in all operating modes, including SMM
• Caching type for a physical memory range is defined in
Memory-Type Range Registers (MTRRs)
• MTRRs are a type of MSR (Model-Specific Register) that can
be set to specify the type of CPU caching for ranges of
physical memory
• Typically configured by BIOS but can also be configured by
the operating system as needed
3
From Intel Vol. 3. Ch. "Memory Cache Control"
• Physical memory ranges can be defined as having one of these types of
caching properties
• The only one we’ll discuss is the one that was the subject of the dual
discovery by Duflot et al. and then later Wojtczuck et al.
– Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09-
duflot.pdf
– Attacking Memory via Intel CPU Cache Poisoning,
http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf
• The attack is brilliant in its simplicity
Memory Caching Types
4
From Intel Vol. 3. Ch. "Memory Cache Control"
Write-back (WB)
• The point of Write-back caching is to reduce the amount of
bus traffic between the processor and memory
• Reads come from cache lines on cache hits
• Writes are performed in the cache and not immediately
written/flushed to memory
• Both read and write misses cause cache fills
• Modified CPU cache lines are written back (write-back) to
memory at a later time*
*Read the Intel Software Developers Guide Volume 3
• Simply put, reading/writing from/to a memory region that uses
write-back caching will initially fill a line in the CPU cache
• Subsequent reads/writes from/to that address will be from/to
cache instead of memory
• Until the processor writes-back that cache to memory*
5
6
(D_LCK bit)
https://cansecwest.com/csw09/csw09-duflot.pdf
7
https://cansecwest.com/csw09/csw09-duflot.pdf
8
https://cansecwest.com/csw09/csw09-duflot.pdf
The fix: SMRR
• The preceding is a great example of how security researchers
can influence industry for the better. Damn fine job.
• System-Management Range Register (SMRR) was introduced
in Intel’s x64 architecture*
• Provides a PHYSBASE/PHYSMASK pair just like MTRRs
• Prevents the kind of attack that we just saw in the preceding
example
• SMRR restricts access to the address range defined in the
SMRR registers
• Defines the memory type (caching) for the SMRAM range
• SMRRs can be written to only when the processor is in SMM
• SMRR takes priority over MTRR in case of overlapping ranges
* This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 9
SMRR
• When the processor is in SMM:
– Memory accesses to this range will use the memory type defined in
SMRR_PHYSBASE
• When the processor is not in SMM:
– Memory reads return a fixed value (0xFF in my experience)
– Memory writes are ignored
– Memory type is Uncacheable
10
Verify SMRR Support: IA32_MTRRCAP
• SMRR is supported on a system if bit 11 in the
IA32_MTRRCAP MSR is set
• Verify next that it is being used
11
SMRR MSR Number
• If you try to read the SMRR of your system, be sure to verify its
location using the developers guide (MSR chapter)
• The MSR register addresses are non "architectural" and will
therefore differ between architectures
– That’s why they are called Model-Specific Registers
• RW-E does not appear to handle exceptions well since reading the
wrong MSR will crash your system
– As of latest version
For the reference
E6400 (Core2Duo)
12
Homework heads up
• Find the value of SMRR_PHYSBASE for your
particular hardware
13

More Related Content

What's hot

Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors pptSiddhartha Anand
 
Hardware multithreading
Hardware multithreadingHardware multithreading
Hardware multithreadingFraboni Ec
 
Lecture24 Multiprocessor
Lecture24 MultiprocessorLecture24 Multiprocessor
Lecture24 Multiprocessorallankliu
 
Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Arth Ramada
 
Computer architecture multi processor
Computer architecture multi processorComputer architecture multi processor
Computer architecture multi processorMazin Alwaaly
 
Symmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSymmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSaad Tanvir
 
Graphics processing uni computer archiecture
Graphics processing uni computer archiectureGraphics processing uni computer archiecture
Graphics processing uni computer archiectureHaris456
 
Lecture 6.1
Lecture  6.1Lecture  6.1
Lecture 6.1Mr SMAK
 
Shared-Memory Multiprocessors
Shared-Memory MultiprocessorsShared-Memory Multiprocessors
Shared-Memory MultiprocessorsSalvatore La Bua
 
Multiprocessor Scheduling
Multiprocessor SchedulingMultiprocessor Scheduling
Multiprocessor SchedulingoDesk
 
Multi core processors
Multi core processorsMulti core processors
Multi core processorsAdithya Bhat
 
Hardware Multi-Threading
Hardware Multi-ThreadingHardware Multi-Threading
Hardware Multi-Threadingbabuece
 
Memory Organization
Memory OrganizationMemory Organization
Memory OrganizationAcad
 

What's hot (15)

Multithreaded processors ppt
Multithreaded processors pptMultithreaded processors ppt
Multithreaded processors ppt
 
Hardware multithreading
Hardware multithreadingHardware multithreading
Hardware multithreading
 
Lecture24 Multiprocessor
Lecture24 MultiprocessorLecture24 Multiprocessor
Lecture24 Multiprocessor
 
Multiple processor (ppt 2010)
Multiple processor (ppt 2010)Multiple processor (ppt 2010)
Multiple processor (ppt 2010)
 
Computer architecture multi processor
Computer architecture multi processorComputer architecture multi processor
Computer architecture multi processor
 
Symmetric Multi Processor Multiprocessors
Symmetric Multi Processor MultiprocessorsSymmetric Multi Processor Multiprocessors
Symmetric Multi Processor Multiprocessors
 
Multi processing
Multi processingMulti processing
Multi processing
 
Graphics processing uni computer archiecture
Graphics processing uni computer archiectureGraphics processing uni computer archiecture
Graphics processing uni computer archiecture
 
Lecture 6.1
Lecture  6.1Lecture  6.1
Lecture 6.1
 
Shared-Memory Multiprocessors
Shared-Memory MultiprocessorsShared-Memory Multiprocessors
Shared-Memory Multiprocessors
 
Multiprocessor Scheduling
Multiprocessor SchedulingMultiprocessor Scheduling
Multiprocessor Scheduling
 
Multi core processors
Multi core processorsMulti core processors
Multi core processors
 
Hardware Multi-Threading
Hardware Multi-ThreadingHardware Multi-Threading
Hardware Multi-Threading
 
Multiprocessor system
Multiprocessor systemMultiprocessor system
Multiprocessor system
 
Memory Organization
Memory OrganizationMemory Organization
Memory Organization
 

Viewers also liked

AmysVividVision_v1_0
AmysVividVision_v1_0AmysVividVision_v1_0
AmysVividVision_v1_0Amy Smalarz
 
Memory,intelligence,AI and Web Design
Memory,intelligence,AI and Web DesignMemory,intelligence,AI and Web Design
Memory,intelligence,AI and Web DesignAnsar Gill
 
Programming for engineers in python
Programming for engineers in pythonProgramming for engineers in python
Programming for engineers in pythonFraboni Ec
 
Artefact 1 for submission 7
Artefact 1 for submission 7Artefact 1 for submission 7
Artefact 1 for submission 7rebecca sparks
 
2015 bioinformatics python_strings_wim_vancriekinge
2015 bioinformatics python_strings_wim_vancriekinge2015 bioinformatics python_strings_wim_vancriekinge
2015 bioinformatics python_strings_wim_vancriekingeProf. Wim Van Criekinge
 
2015 bioinformatics protein_structure_wimvancriekinge
2015 bioinformatics protein_structure_wimvancriekinge2015 bioinformatics protein_structure_wimvancriekinge
2015 bioinformatics protein_structure_wimvancriekingeProf. Wim Van Criekinge
 
How Marketo Uses Marketo
How Marketo Uses MarketoHow Marketo Uses Marketo
How Marketo Uses MarketoMarketo
 
Social Media: The Rising Star for Your Digital Marketing Strategy
Social Media: The Rising Star for Your Digital Marketing StrategySocial Media: The Rising Star for Your Digital Marketing Strategy
Social Media: The Rising Star for Your Digital Marketing StrategyMarketo
 

Viewers also liked (12)

AmysVividVision_v1_0
AmysVividVision_v1_0AmysVividVision_v1_0
AmysVividVision_v1_0
 
Memory,intelligence,AI and Web Design
Memory,intelligence,AI and Web DesignMemory,intelligence,AI and Web Design
Memory,intelligence,AI and Web Design
 
Linked list
Linked listLinked list
Linked list
 
Learning python
Learning pythonLearning python
Learning python
 
Programming for engineers in python
Programming for engineers in pythonProgramming for engineers in python
Programming for engineers in python
 
Artefact 1 for submission 7
Artefact 1 for submission 7Artefact 1 for submission 7
Artefact 1 for submission 7
 
Official Transcript
Official TranscriptOfficial Transcript
Official Transcript
 
2015 bioinformatics python_strings_wim_vancriekinge
2015 bioinformatics python_strings_wim_vancriekinge2015 bioinformatics python_strings_wim_vancriekinge
2015 bioinformatics python_strings_wim_vancriekinge
 
Seguridad Y Salud Ocupacional
Seguridad Y Salud OcupacionalSeguridad Y Salud Ocupacional
Seguridad Y Salud Ocupacional
 
2015 bioinformatics protein_structure_wimvancriekinge
2015 bioinformatics protein_structure_wimvancriekinge2015 bioinformatics protein_structure_wimvancriekinge
2015 bioinformatics protein_structure_wimvancriekinge
 
How Marketo Uses Marketo
How Marketo Uses MarketoHow Marketo Uses Marketo
How Marketo Uses Marketo
 
Social Media: The Rising Star for Your Digital Marketing Strategy
Social Media: The Rising Star for Your Digital Marketing StrategySocial Media: The Rising Star for Your Digital Marketing Strategy
Social Media: The Rising Star for Your Digital Marketing Strategy
 

Similar to Smm and caching

Board support package_on_linux
Board support package_on_linuxBoard support package_on_linux
Board support package_on_linuxVandana Salve
 
15CS44 MP & MC Module 4
15CS44 MP & MC Module 415CS44 MP & MC Module 4
15CS44 MP & MC Module 4RLJIT
 
Memory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationMemory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationSmit Luvani
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linuxSusant Sahani
 
Computer architecture for HNDIT
Computer architecture for HNDITComputer architecture for HNDIT
Computer architecture for HNDITtjunicornfx
 
ARM architcture
ARM architcture ARM architcture
ARM architcture Hossam Adel
 
Ct213 memory subsystem
Ct213 memory subsystemCt213 memory subsystem
Ct213 memory subsystemSandeep Kamath
 
BSP.pptx
BSP.pptxBSP.pptx
BSP.pptxtaruian
 
Exploring Of System Hardware
Exploring Of System HardwareExploring Of System Hardware
Exploring Of System HardwareMuhammad Nauman
 
Computer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationComputer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationSmit Luvani
 
Computer organisation ppt
Computer organisation pptComputer organisation ppt
Computer organisation pptchandkec
 
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsTaming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsHeechul Yun
 
ARM Processor architecture
ARM Processor  architectureARM Processor  architecture
ARM Processor architecturerajkciitr
 

Similar to Smm and caching (20)

Board support package_on_linux
Board support package_on_linuxBoard support package_on_linux
Board support package_on_linux
 
15CS44 MP & MC Module 4
15CS44 MP & MC Module 415CS44 MP & MC Module 4
15CS44 MP & MC Module 4
 
Memory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and OrganizationMemory Organization | Computer Fundamental and Organization
Memory Organization | Computer Fundamental and Organization
 
Memory (Computer Organization)
Memory (Computer Organization)Memory (Computer Organization)
Memory (Computer Organization)
 
Synchronization linux
Synchronization linuxSynchronization linux
Synchronization linux
 
It322 intro 2
It322 intro 2It322 intro 2
It322 intro 2
 
Computer architecture for HNDIT
Computer architecture for HNDITComputer architecture for HNDIT
Computer architecture for HNDIT
 
CA UNIT V..pptx
CA UNIT V..pptxCA UNIT V..pptx
CA UNIT V..pptx
 
ARM architcture
ARM architcture ARM architcture
ARM architcture
 
Ct213 memory subsystem
Ct213 memory subsystemCt213 memory subsystem
Ct213 memory subsystem
 
Rahman
RahmanRahman
Rahman
 
E.s unit 4 and 5
E.s unit 4 and 5E.s unit 4 and 5
E.s unit 4 and 5
 
BSP.pptx
BSP.pptxBSP.pptx
BSP.pptx
 
Exploring Of System Hardware
Exploring Of System HardwareExploring Of System Hardware
Exploring Of System Hardware
 
Computer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and OrganizationComputer Architecture | Computer Fundamental and Organization
Computer Architecture | Computer Fundamental and Organization
 
COA (Unit_4.pptx)
COA (Unit_4.pptx)COA (Unit_4.pptx)
COA (Unit_4.pptx)
 
Computer organisation ppt
Computer organisation pptComputer organisation ppt
Computer organisation ppt
 
12429908.ppt
12429908.ppt12429908.ppt
12429908.ppt
 
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time SystemsTaming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
Taming Non-blocking Caches to Improve Isolation in Multicore Real-Time Systems
 
ARM Processor architecture
ARM Processor  architectureARM Processor  architecture
ARM Processor architecture
 

More from Luis Goldster

Ruby on rails evaluation
Ruby on rails evaluationRuby on rails evaluation
Ruby on rails evaluationLuis Goldster
 
Ado.net & data persistence frameworks
Ado.net & data persistence frameworksAdo.net & data persistence frameworks
Ado.net & data persistence frameworksLuis Goldster
 
Multithreading models.ppt
Multithreading models.pptMultithreading models.ppt
Multithreading models.pptLuis Goldster
 
Business analytics and data mining
Business analytics and data miningBusiness analytics and data mining
Business analytics and data miningLuis Goldster
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data miningLuis Goldster
 
Data mining and knowledge discovery
Data mining and knowledge discoveryData mining and knowledge discovery
Data mining and knowledge discoveryLuis Goldster
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherenceLuis Goldster
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cacheLuis Goldster
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching worksLuis Goldster
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsLuis Goldster
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysisLuis Goldster
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with javaLuis Goldster
 

More from Luis Goldster (20)

Ruby on rails evaluation
Ruby on rails evaluationRuby on rails evaluation
Ruby on rails evaluation
 
Design patterns
Design patternsDesign patterns
Design patterns
 
Lisp and scheme i
Lisp and scheme iLisp and scheme i
Lisp and scheme i
 
Ado.net & data persistence frameworks
Ado.net & data persistence frameworksAdo.net & data persistence frameworks
Ado.net & data persistence frameworks
 
Multithreading models.ppt
Multithreading models.pptMultithreading models.ppt
Multithreading models.ppt
 
Business analytics and data mining
Business analytics and data miningBusiness analytics and data mining
Business analytics and data mining
 
Big picture of data mining
Big picture of data miningBig picture of data mining
Big picture of data mining
 
Data mining and knowledge discovery
Data mining and knowledge discoveryData mining and knowledge discovery
Data mining and knowledge discovery
 
Cache recap
Cache recapCache recap
Cache recap
 
Directory based cache coherence
Directory based cache coherenceDirectory based cache coherence
Directory based cache coherence
 
Hardware managed cache
Hardware managed cacheHardware managed cache
Hardware managed cache
 
How analysis services caching works
How analysis services caching worksHow analysis services caching works
How analysis services caching works
 
Abstract data types
Abstract data typesAbstract data types
Abstract data types
 
Optimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessorsOptimizing shared caches in chip multiprocessors
Optimizing shared caches in chip multiprocessors
 
Api crash
Api crashApi crash
Api crash
 
Object model
Object modelObject model
Object model
 
Abstraction file
Abstraction fileAbstraction file
Abstraction file
 
Object oriented analysis
Object oriented analysisObject oriented analysis
Object oriented analysis
 
Abstract class
Abstract classAbstract class
Abstract class
 
Concurrency with java
Concurrency with javaConcurrency with java
Concurrency with java
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

Smm and caching

  • 1. All materials are licensed under a Creative Commons “Share Alike” license. http://creativecommons.org/licenses/by-sa/3.0/ 1 Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
  • 3. Cache Basics • Temporary storage located on the CPU • Accesses to data/instructions in cache are much faster than those to physical memory • Caching is available in all operating modes, including SMM • Caching type for a physical memory range is defined in Memory-Type Range Registers (MTRRs) • MTRRs are a type of MSR (Model-Specific Register) that can be set to specify the type of CPU caching for ranges of physical memory • Typically configured by BIOS but can also be configured by the operating system as needed 3 From Intel Vol. 3. Ch. "Memory Cache Control"
  • 4. • Physical memory ranges can be defined as having one of these types of caching properties • The only one we’ll discuss is the one that was the subject of the dual discovery by Duflot et al. and then later Wojtczuck et al. – Getting into SMRAM: SMM Reloaded, https://cansecwest.com/csw09/csw09- duflot.pdf – Attacking Memory via Intel CPU Cache Poisoning, http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • The attack is brilliant in its simplicity Memory Caching Types 4 From Intel Vol. 3. Ch. "Memory Cache Control"
  • 5. Write-back (WB) • The point of Write-back caching is to reduce the amount of bus traffic between the processor and memory • Reads come from cache lines on cache hits • Writes are performed in the cache and not immediately written/flushed to memory • Both read and write misses cause cache fills • Modified CPU cache lines are written back (write-back) to memory at a later time* *Read the Intel Software Developers Guide Volume 3 • Simply put, reading/writing from/to a memory region that uses write-back caching will initially fill a line in the CPU cache • Subsequent reads/writes from/to that address will be from/to cache instead of memory • Until the processor writes-back that cache to memory* 5
  • 9. The fix: SMRR • The preceding is a great example of how security researchers can influence industry for the better. Damn fine job. • System-Management Range Register (SMRR) was introduced in Intel’s x64 architecture* • Provides a PHYSBASE/PHYSMASK pair just like MTRRs • Prevents the kind of attack that we just saw in the preceding example • SMRR restricts access to the address range defined in the SMRR registers • Defines the memory type (caching) for the SMRAM range • SMRRs can be written to only when the processor is in SMM • SMRR takes priority over MTRR in case of overlapping ranges * This is one of the only architecture-dependent security mechanisms. So far up to this point all has been x32/x64 agnostic 9
  • 10. SMRR • When the processor is in SMM: – Memory accesses to this range will use the memory type defined in SMRR_PHYSBASE • When the processor is not in SMM: – Memory reads return a fixed value (0xFF in my experience) – Memory writes are ignored – Memory type is Uncacheable 10
  • 11. Verify SMRR Support: IA32_MTRRCAP • SMRR is supported on a system if bit 11 in the IA32_MTRRCAP MSR is set • Verify next that it is being used 11
  • 12. SMRR MSR Number • If you try to read the SMRR of your system, be sure to verify its location using the developers guide (MSR chapter) • The MSR register addresses are non "architectural" and will therefore differ between architectures – That’s why they are called Model-Specific Registers • RW-E does not appear to handle exceptions well since reading the wrong MSR will crash your system – As of latest version For the reference E6400 (Core2Duo) 12
  • 13. Homework heads up • Find the value of SMRR_PHYSBASE for your particular hardware 13

Editor's Notes

  1. Attribution condition: You must indicate that derivative work "Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”
  2. ***This is not going to be a discussion on CPU architecture, for details on caching I recommend 3 sources: Both the Intel and AMD Optimization Reference Manuals, and Agner Fog’s optimization references
  3. Todo, cite Loic's paper since they technically found it first