This document summarizes research into attacking the security of Intel's Trusted Execution Technology (TXT). It describes how the researchers were able to bypass TXT's trusted boot process by attacking the System Management Mode (SMM), which has higher privileges than the code loaded via TXT. The researchers demonstrate that an infected SMM handler can modify the virtual machine monitor loaded using TXT, compromising the security guarantees of the trusted boot. Intel's proposed solution, SMM Transfer Monitor (STM), aims to sandbox SMM but has not yet been implemented, leaving systems vulnerable to the demonstrated attack.
The document proposes the Cloud Terminal architecture, which uses a Secure Thin Terminal (STT) client and Cloud Rendering Engine (CRE) to securely access applications hosted in the cloud. The STT isolates itself from the untrusted host OS using a microvisor and communicates with the CRE over an encrypted channel. Evaluations show the Cloud Terminal can securely run applications like banking with reasonable performance and scalability.
A guide to Unified Threat Management Systems (UTMs) by Rishabh DangwalRishabh Dangwal
This document provides an overview of unified threat management (UTM) systems, including their evolution from firewalls and how they integrate multiple security functions. It discusses two approaches for developing UTM systems - the licensing and integrating approach used by multi-vendor UTMs, and the in-house development approach used by single vendor UTMs. It also describes the key components of UTMs, including specialized hardware like content processors, specialized software, and evolving security content.
A Pattern for Secure Graphical User Interface SystemsMarcel Winandy
This document presents a pattern for secure graphical user interface (GUI) systems. It describes motivational examples where users cannot be sure which application is currently in the foreground or that their input will be sent to the intended destination. The pattern mediates all user input and output through a secure user interface (SUI) system to ensure authenticity, integrity, and confidentiality. The SUI multiplexes input to and output from applications, adds visible labels for context, and supports invocation of trusted services. This structure aims to provide security while maintaining usability.
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
This document outlines a presentation on using virtual machine forking and memory replay techniques for malware fuzzing and behavior modeling. Key points include:
- VM forking allows quickly resetting VMs for fuzzing by sharing and duplicating memory pages between forks. This enables high throughput fuzzing.
- Memory replay replays recorded memory values accessed by an application to induce faults, as an alternative to random fuzzing which may not be effective.
- These techniques were implemented in proof-of-concept tools to demonstrate fuzzing unknown binaries and building behavior models without assumptions about malware tricks or payloads.
- The goal is to dynamically analyze malware without limitations of traditional analysis systems and gain insights into prevalent attack
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
The document discusses porting the RT Linux real-time operating system (RTOS) onto a Samsung S3Cmini2440 ARM9 board. It provides background on RTOSs, including that they guarantee tasks are completed within a specified time constraint. The document outlines the process for cross-compiling the RT Linux kernel to target the ARM architecture, adding the RT Linux patch, and using USB to transfer and boot the final RT image on the ARM board. It confirms the porting was successful if the RT image boots properly on the target hardware.
Advanced virtualization techniques for FAUmachinewebhostingguy
This document describes advanced virtualization techniques used in FAUmachine, a virtual PC developed by researchers. It presents a just-in-time compiler that can transform kernel mode code into code suitable for execution in a user mode simulator. This allows system-level binaries and operating systems like Windows to run virtually. It also describes a small host kernel modification to simplify system call redirection, improving virtual machine performance. Details are given on the just-in-time compiler and kernel extension, and their impact on performance is evaluated.
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
The document discusses using VM forking and hypervisor-based introspection on Xen to perform fuzz testing of kernels. It describes how VM forking allows quickly restoring VMs after each fuzz cycle by copying memory pages on demand. Coverage tracing is done by inserting breakpoints using virtual machine introspection. Crashes can be detected by breakpointing crash handlers. Examples are given of fuzzing with PCI devices passed through and detecting double fetches. The techniques were released as the open source Kernel Fuzzer for Xen Project.
The document proposes the Cloud Terminal architecture, which uses a Secure Thin Terminal (STT) client and Cloud Rendering Engine (CRE) to securely access applications hosted in the cloud. The STT isolates itself from the untrusted host OS using a microvisor and communicates with the CRE over an encrypted channel. Evaluations show the Cloud Terminal can securely run applications like banking with reasonable performance and scalability.
A guide to Unified Threat Management Systems (UTMs) by Rishabh DangwalRishabh Dangwal
This document provides an overview of unified threat management (UTM) systems, including their evolution from firewalls and how they integrate multiple security functions. It discusses two approaches for developing UTM systems - the licensing and integrating approach used by multi-vendor UTMs, and the in-house development approach used by single vendor UTMs. It also describes the key components of UTMs, including specialized hardware like content processors, specialized software, and evolving security content.
A Pattern for Secure Graphical User Interface SystemsMarcel Winandy
This document presents a pattern for secure graphical user interface (GUI) systems. It describes motivational examples where users cannot be sure which application is currently in the foreground or that their input will be sent to the intended destination. The pattern mediates all user input and output through a secure user interface (SUI) system to ensure authenticity, integrity, and confidentiality. The SUI multiplexes input to and output from applications, adds visible labels for context, and supports invocation of trusted services. This structure aims to provide security while maintaining usability.
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
This document outlines a presentation on using virtual machine forking and memory replay techniques for malware fuzzing and behavior modeling. Key points include:
- VM forking allows quickly resetting VMs for fuzzing by sharing and duplicating memory pages between forks. This enables high throughput fuzzing.
- Memory replay replays recorded memory values accessed by an application to induce faults, as an alternative to random fuzzing which may not be effective.
- These techniques were implemented in proof-of-concept tools to demonstrate fuzzing unknown binaries and building behavior models without assumptions about malware tricks or payloads.
- The goal is to dynamically analyze malware without limitations of traditional analysis systems and gain insights into prevalent attack
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
The document discusses porting the RT Linux real-time operating system (RTOS) onto a Samsung S3Cmini2440 ARM9 board. It provides background on RTOSs, including that they guarantee tasks are completed within a specified time constraint. The document outlines the process for cross-compiling the RT Linux kernel to target the ARM architecture, adding the RT Linux patch, and using USB to transfer and boot the final RT image on the ARM board. It confirms the porting was successful if the RT image boots properly on the target hardware.
Advanced virtualization techniques for FAUmachinewebhostingguy
This document describes advanced virtualization techniques used in FAUmachine, a virtual PC developed by researchers. It presents a just-in-time compiler that can transform kernel mode code into code suitable for execution in a user mode simulator. This allows system-level binaries and operating systems like Windows to run virtually. It also describes a small host kernel modification to simplify system call redirection, improving virtual machine performance. Details are given on the just-in-time compiler and kernel extension, and their impact on performance is evaluated.
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
The document discusses using VM forking and hypervisor-based introspection on Xen to perform fuzz testing of kernels. It describes how VM forking allows quickly restoring VMs after each fuzz cycle by copying memory pages on demand. Coverage tracing is done by inserting breakpoints using virtual machine introspection. Crashes can be detected by breakpointing crash handlers. Examples are given of fuzzing with PCI devices passed through and detecting double fetches. The techniques were released as the open source Kernel Fuzzer for Xen Project.
Trusted Execution Technology is a set of hardware enhancements designed to help protect sensitive information from software-based attacks. It provides capabilities like protected execution environments, sealed storage, protected input/output, and attestation. These capabilities enable applications to run in isolated protected partitions, encrypt and store secrets tied to the hardware, and securely communicate with input/output devices. The technology aims to advance platform security and provide a safer computing environment for handling confidential information.
Demand-Based Coordinated Scheduling for SMP VMsHwanju Kim
Hwanju Kim, Sangwook Kim, Jinkyu Jeong, Joonwon Lee, and Seungryoul Maeng, “Demand-Based Coordinated Scheduling for SMP VMs”, International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Houston, Texas, USA, Mar. 2013.
1. The document provides steps for properly planting trees after a hurricane to aid in urban forest recovery, including digging wide holes, treating root defects, positioning the tree, backfilling soil, and mulching.
2. Key steps include looking for overhead wires, placing the root flare above soil, removing synthetic burlap and circling roots, and mulching widely without mounding at the trunk.
3. Proper planting techniques help establish trees and reduce stress after planting, improving survival rates in the urban forest.
Scheduler Support for Video-oriented Multimedia on Client-side VirtualizationHwanju Kim
Hwanju Kim, Jinkyu Jeong, Jaeho Hwang, Joonwon Lee, and Seungryoul Maeng, “Scheduler Support for Video-oriented Multimedia on Client-side Virtualization”, ACM Multimedia Systems (MMSys), Chapel Hill, North Carolina, USA, Feb. 2012.
1) The document discusses the construction of a large residential and commercial project called Shristi CBD in Bhopal, India.
2) Shristi CBD will be the tallest high-rise in the state, consisting of 9 towers over 15 acres with 22 floors.
3) Project management techniques like Earned Value Management and prefabricated construction methods are being used to help complete the project on time and on budget while improving quality.
Task-aware Virtual Machine Scheduling for I/O PerformanceHwanju Kim
Hwanju Kim, Hyeontaek Lim, Jinkyu Jeong, Heeseung Jo, and Joonwon Lee, “Task-aware Virtual Machine Scheduling for I/O Performance”, ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), Washington, DC, USA, Mar. 2009.
OS vs. VMM provides an overview of the similarities and differences between operating systems (OS) and virtual machine monitors (VMM). Both OS and VMM abstract hardware resources, but VMM provides virtualization while OS provides abstraction. Nested virtualization further complicates resource management by adding additional layers of indirection. Key issues in virtualization include trapping privileged OS operations, scheduling virtual CPUs, managing virtual memory translations, and achieving high performance I/O.
CPU Scheduling for Virtual Desktop InfrastructureHwanju Kim
This document discusses CPU scheduling techniques for virtual desktop infrastructure (VDI). It proposes a demand-based coordinated scheduling approach for scheduling multithreaded workloads on multiprocessor virtual machines (VMs). The key points are:
1. Coordinated scheduling of sibling virtual CPUs (vCPUs) in a VM is needed to effectively schedule multithreaded workloads, as uncoordinated scheduling can reduce inter-thread communication performance.
2. A coordination space consisting of space (physical CPU assignment) and time (preemption policy) domains is defined to coordinate vCPU scheduling.
3. In the space domain, a load-conscious balance scheduling approach assigns sibling vCPUs across physical CPUs based
This document discusses CPU virtualization and scheduling techniques. It covers topics such as deprivileging the operating system, virtualization-unfriendly architectures like x86, hardware-assisted virtualization using VMX mode, and proportional-share scheduling. It also summarizes research on improving VM scheduling by making it task-aware to prioritize I/O-bound tasks and correlate I/O events with tasks to boost their performance while maintaining inter-VM fairness. The document provides historical context on the evolution of virtualization technologies and research challenges in building lightweight and intelligent VMM schedulers.
Live VM migration allows virtual machines to be relocated between physical hosts with little to no downtime. There are two main approaches: pre-copy migration copies memory contents iteratively with little downtime, while post-copy migration copies CPU states first and then memory pages on demand to reduce total migration time. Several research projects use live migration techniques to improve data center efficiency: LiteGreen saves energy by consolidating idle desktop VMs, Jettison uses partial VM migration for quick consolidation, and Kaleidoscope proposes VM state coloring to enable fast micro-elasticity through live cloning of warm VMs.
Memory virtualization allows virtual machines to access virtual memory addresses that are translated to physical memory addresses. Hardware support for memory virtualization reduces overhead by offloading page table management to the CPU. Memory sharing between virtual machines reduces memory usage by identifying identical pages and having them share physical memory. Virtual memory overcommitment allocates more virtual memory than physical memory available by swapping out unused memory to disk. Techniques for memory sharing and overcommitment aim to improve memory utilization in virtualized systems.
This document discusses I/O virtualization and GPU virtualization. It covers:
- Two approaches to I/O virtualization: hosted and device driver approaches. Hosted has lower engineering cost but lower performance.
- Methods to optimize para-virtualized I/O including split-driver models, reducing data copy costs, and hardware supports like IOMMU and SR-IOV.
- Challenges of GPU virtualization including whether to take a low-level virtualization or high-level API remoting approach. API remoting is preferred due to closed and evolving GPU hardware.
- Hardware pass-through of GPUs for high performance but low scalability. Industry solutions for remote desktop
This document provides an introduction to virtualization including:
1) The benefits of virtualization like efficient resource utilization and strong isolation between virtual machines.
2) A brief history of virtualization from the 1960s mainframe era to modern ubiquitous cloud computing.
3) Popular use cases of virtualization including cloud computing, virtual desktop infrastructure, and mobile virtualization.
4) Basic terminologies that distinguish type-1 and type-2 virtual machine monitors as well as full and para-virtualization methods.
Intel TXT (Trusted eXecution Technology) provides hardware-based security enhancements that establish a trusted computing environment. It integrates new security features into processors, chipsets, and other platform components to measure critical software components at launch and verify they match approved codes before granting execution. This allows establishing an isolated and protected environment to securely migrate workloads between hosts. The technology aims to increase security and protection of sensitive data and systems from malicious software.
This document discusses dynamic root of trust measurement (DRTM) and related challenges. It summarizes several open source implementations of DRTM, including OSLO, Flicker, soft cards, bottle cap, and Trust Visor. It notes that these implementations aimed to reduce the trusted computing base and remove the slow trusted platform module from the critical path. The document also outlines some challenges with DRTM, such as attacks on the enabling technologies like Intel TXT, lack of operating system support, performance issues, and instability.
Breaking hardware enforced security with hypervisorsPriyanka Aash
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
Trusted Execution Technology is a set of hardware enhancements designed to help protect sensitive information from software-based attacks. It provides capabilities like protected execution environments, sealed storage, protected input/output, and attestation. These capabilities enable applications to run in isolated protected partitions, encrypt and store secrets tied to the hardware, and securely communicate with input/output devices. The technology aims to advance platform security and provide a safer computing environment for handling confidential information.
Demand-Based Coordinated Scheduling for SMP VMsHwanju Kim
Hwanju Kim, Sangwook Kim, Jinkyu Jeong, Joonwon Lee, and Seungryoul Maeng, “Demand-Based Coordinated Scheduling for SMP VMs”, International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Houston, Texas, USA, Mar. 2013.
1. The document provides steps for properly planting trees after a hurricane to aid in urban forest recovery, including digging wide holes, treating root defects, positioning the tree, backfilling soil, and mulching.
2. Key steps include looking for overhead wires, placing the root flare above soil, removing synthetic burlap and circling roots, and mulching widely without mounding at the trunk.
3. Proper planting techniques help establish trees and reduce stress after planting, improving survival rates in the urban forest.
Scheduler Support for Video-oriented Multimedia on Client-side VirtualizationHwanju Kim
Hwanju Kim, Jinkyu Jeong, Jaeho Hwang, Joonwon Lee, and Seungryoul Maeng, “Scheduler Support for Video-oriented Multimedia on Client-side Virtualization”, ACM Multimedia Systems (MMSys), Chapel Hill, North Carolina, USA, Feb. 2012.
1) The document discusses the construction of a large residential and commercial project called Shristi CBD in Bhopal, India.
2) Shristi CBD will be the tallest high-rise in the state, consisting of 9 towers over 15 acres with 22 floors.
3) Project management techniques like Earned Value Management and prefabricated construction methods are being used to help complete the project on time and on budget while improving quality.
Task-aware Virtual Machine Scheduling for I/O PerformanceHwanju Kim
Hwanju Kim, Hyeontaek Lim, Jinkyu Jeong, Heeseung Jo, and Joonwon Lee, “Task-aware Virtual Machine Scheduling for I/O Performance”, ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), Washington, DC, USA, Mar. 2009.
OS vs. VMM provides an overview of the similarities and differences between operating systems (OS) and virtual machine monitors (VMM). Both OS and VMM abstract hardware resources, but VMM provides virtualization while OS provides abstraction. Nested virtualization further complicates resource management by adding additional layers of indirection. Key issues in virtualization include trapping privileged OS operations, scheduling virtual CPUs, managing virtual memory translations, and achieving high performance I/O.
CPU Scheduling for Virtual Desktop InfrastructureHwanju Kim
This document discusses CPU scheduling techniques for virtual desktop infrastructure (VDI). It proposes a demand-based coordinated scheduling approach for scheduling multithreaded workloads on multiprocessor virtual machines (VMs). The key points are:
1. Coordinated scheduling of sibling virtual CPUs (vCPUs) in a VM is needed to effectively schedule multithreaded workloads, as uncoordinated scheduling can reduce inter-thread communication performance.
2. A coordination space consisting of space (physical CPU assignment) and time (preemption policy) domains is defined to coordinate vCPU scheduling.
3. In the space domain, a load-conscious balance scheduling approach assigns sibling vCPUs across physical CPUs based
This document discusses CPU virtualization and scheduling techniques. It covers topics such as deprivileging the operating system, virtualization-unfriendly architectures like x86, hardware-assisted virtualization using VMX mode, and proportional-share scheduling. It also summarizes research on improving VM scheduling by making it task-aware to prioritize I/O-bound tasks and correlate I/O events with tasks to boost their performance while maintaining inter-VM fairness. The document provides historical context on the evolution of virtualization technologies and research challenges in building lightweight and intelligent VMM schedulers.
Live VM migration allows virtual machines to be relocated between physical hosts with little to no downtime. There are two main approaches: pre-copy migration copies memory contents iteratively with little downtime, while post-copy migration copies CPU states first and then memory pages on demand to reduce total migration time. Several research projects use live migration techniques to improve data center efficiency: LiteGreen saves energy by consolidating idle desktop VMs, Jettison uses partial VM migration for quick consolidation, and Kaleidoscope proposes VM state coloring to enable fast micro-elasticity through live cloning of warm VMs.
Memory virtualization allows virtual machines to access virtual memory addresses that are translated to physical memory addresses. Hardware support for memory virtualization reduces overhead by offloading page table management to the CPU. Memory sharing between virtual machines reduces memory usage by identifying identical pages and having them share physical memory. Virtual memory overcommitment allocates more virtual memory than physical memory available by swapping out unused memory to disk. Techniques for memory sharing and overcommitment aim to improve memory utilization in virtualized systems.
This document discusses I/O virtualization and GPU virtualization. It covers:
- Two approaches to I/O virtualization: hosted and device driver approaches. Hosted has lower engineering cost but lower performance.
- Methods to optimize para-virtualized I/O including split-driver models, reducing data copy costs, and hardware supports like IOMMU and SR-IOV.
- Challenges of GPU virtualization including whether to take a low-level virtualization or high-level API remoting approach. API remoting is preferred due to closed and evolving GPU hardware.
- Hardware pass-through of GPUs for high performance but low scalability. Industry solutions for remote desktop
This document provides an introduction to virtualization including:
1) The benefits of virtualization like efficient resource utilization and strong isolation between virtual machines.
2) A brief history of virtualization from the 1960s mainframe era to modern ubiquitous cloud computing.
3) Popular use cases of virtualization including cloud computing, virtual desktop infrastructure, and mobile virtualization.
4) Basic terminologies that distinguish type-1 and type-2 virtual machine monitors as well as full and para-virtualization methods.
Intel TXT (Trusted eXecution Technology) provides hardware-based security enhancements that establish a trusted computing environment. It integrates new security features into processors, chipsets, and other platform components to measure critical software components at launch and verify they match approved codes before granting execution. This allows establishing an isolated and protected environment to securely migrate workloads between hosts. The technology aims to increase security and protection of sensitive data and systems from malicious software.
This document discusses dynamic root of trust measurement (DRTM) and related challenges. It summarizes several open source implementations of DRTM, including OSLO, Flicker, soft cards, bottle cap, and Trust Visor. It notes that these implementations aimed to reduce the trusted computing base and remove the slow trusted platform module from the critical path. The document also outlines some challenges with DRTM, such as attacks on the enabling technologies like Intel TXT, lack of operating system support, performance issues, and instability.
Breaking hardware enforced security with hypervisorsPriyanka Aash
"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.
This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening."
(Source: Black Hat USA 2016, Las Vegas)
EMULATING TRUSTED PLATFORM MODULE 2.0 ON RASPBERRY PI 2ijsptm
A computer hijacked by a malware may pretend that it is normal as usual and retrieve secrets from storage of itself and other victim computers. By adopting trusted computing technology a computer’s former health status cannot be forged. Computers can thus detect the change of health status of a hijacked computer and prevent the leakage of the secrets. As Trusted Computing Group (TCG) proposed Trusted Platform Module (TPM) specification, IBM implemented software TPM (sTPM) and utilities for engineer who wants to learn the operating principle of TPM. Meanwhile, the blooming of tiny size, but powerful, computers, e.g. Raspberry Pi 2 (Rpi2), attract ones to develop some dedicated applications on the computers. In this article, we report the verified steps for installing new sTPM version on RPi2. After the installation, we also test the functionality and evaluate the performance of the sTPM with some major TPM Commands. The real behaviour of and the traffic between the host computer and the emulated TPM can thus be learned easily.
Static Root of Trust for Measurement is essential for establishing trust at boot time. There are many implementations from different vendors (Secure Boot, Intel Boot Guard, Hardware Validated Boot, Hardware Assured Boot etc.). S-RTM proved its use for hardware, but what about virtual machines? This presentation discuss S-RTM for VMs in context of Qubes OS.
The document provides an overview of the trusted computing model and the trusted platform module, which aims to provide platform authentication, integrity reporting, and protected storage through a root of trust for measurement and reporting. It discusses challenges around verifying the underlying truth of attestations and whether trusted computing can meaningfully improve security, or if attackers will instead target firmware. The presentation concludes by identifying trusted computing as an interesting topic to follow and acknowledging input from a colleague that helped make the presentation possible.
Trusted _Computing _security mobile .pptnaghamallella
This document discusses trusted computing and the trusted platform module (TPM). It provides background on TPM, explaining that TPM is a hardware-based security chip that provides cryptographic and security functions. This allows increased trust that a computing system will behave as expected. The document covers how TPM works, providing sealed storage for keys and on-chip crypto. It also discusses the potential for abuse of features like attestation by software vendors. While TPM increases security, there are concerns about user privacy and control over their own devices.
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiKuniyasu Suzaki
Side of "Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices" ACSAC (Annual Computer Security Applications Conference) 2020
This document provides an overview of embedded operating systems (OSes). It discusses non-real-time OSes like Palm OS and embedded Linux distributions. It also summarizes over 20 commercial and open-source real-time operating systems (RTOSs) such as VxWorks, RTX, Nucleus, FreeRTOS, and eCos. These RTOSs support a variety of processor architectures and have different features around real-time performance, memory footprint, middleware, and pricing models. The document serves as a resource for choosing an appropriate OS for an embedded system.
Acpi and smi handlers some limits to trusted computingUltraUploader
This document discusses limits to trusted computing related to the System Management Mode (SMM) handler and the Advanced Configuration and Power Interface (ACPI) tables. It presents an original mechanism for attackers to alter the SMI handler to escalate privileges. It also describes how rogue functions could be injected into ACPI tables to be triggered by an external stimulus like unplugging and replugging the power supply. The paper explores countermeasures to prevent such modifications.
Operating system vulnerability and control أحلام انصارى
Vulnerabilities exist in operating systems like Linux, UNIX and Windows. A vulnerability is a weakness that allows an attacker to compromise a system's security. Vulnerabilities occur at the intersection of a system flaw, an attacker's access to the flaw, and their ability to exploit it. Common UNIX vulnerabilities include setuid problems, trojan horses and terminal troubles. Windows is vulnerable to password issues, peer-to-peer file sharing exploits, and Outlook/Outlook Express bugs. Linux has flaws like missing permission checks, uninitialized data, and memory mismanagement. Control is important for operating systems to balance robustness, predictability and efficiency. The trusted computing base (TCB) aims to enforce security by containing all elements
trusted computing for security confe.pptnaghamallella
Trusted Computing (TC) uses a Trusted Platform Module (TPM) hardware chip to enable secure computing technologies. The TPM provides hardware-based security features like memory curtaining, sealed storage, and remote attestation to verify the integrity and identity of software. TC aims to make computers trust software creators over users to prevent unauthorized access or software tampering. It is an open industry standard being adopted in operating systems and processors to enhance security for personal and enterprise computing.
Patented Keystroke encryption for consumer, business or enterprise device protection for any keyboard device ( mobile, tablet, PC). Please reach out to attend zero-day malware prevention demo.
Introduction of Trusted Network Connect (TNC)Houcheng Lee
The document discusses Trusted Network Connect (TNC), which is an open architecture for network access control developed by the Trusted Computing Group. TNC aims to control the integrity of systems connecting to a network by checking both who and what is accessing the network. It uses a client-server model where the TNC Client collects integrity measurements from the endpoint and sends them to the TNC Server for verification against policy rules. If any issues are found, the system may be quarantined or remediated before access is granted. The Trusted Platform Module is discussed as a way to establish the root of trust for integrity measurements collected by the TNC architecture.
The document discusses trusted computing and provides details on its architecture and uses. The trusted computing architecture uses a trusted platform module (TPM) to measure the boot process and software running on a device. It establishes a chain of trust from the hardware to the operating system and applications. While trusted computing aims to increase security and privacy, issues around its impact on privacy have prevented widespread adoption.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
A Survey Report on DDOS Attacking Tools, Detection and Prevention MechanismsIRJET Journal
This document summarizes a survey report on DDOS attacking tools, detection mechanisms, and prevention methods. It begins by introducing DDOS attacks and their increasing prevalence. It then describes several common DDOS attacking tools like Trinoo and Shaft in detail, including their mechanisms and a comparison. It discusses two main detection mechanisms - Snort, an open-source intrusion detection system, and time series analysis. Finally, it outlines a DDOS prevention protocol called DLSR that detects attacks and identifies attackers in three phases: detection, identification, and defense.
The document summarizes the NetTop project, which aimed to allow commercial off-the-shelf (COTS) technology to be used safely in high assurance applications. The project developed an architecture using virtual machine monitors (VMMs) to encapsulate and constrain the end-user operating system. It identified the VMware virtualization product as suitable for this due to its efficient operation on x86 hardware. The initial capability developed was a secure remote access solution over the internet. The architecture suggests a near-term approach that can address user requirements like multi-network access and data transfer between isolated networks.
This document discusses practical trusted computing solutions that can be deployed today to improve security. It describes how the Trusted Platform Module (TPM) is already widely available in computers and can be used to securely store encryption keys to protect data and authentication solutions. Trusted Network Connect (TNC) provides a framework for enforcing security policies and performing real-time health checks of devices connecting to networks. Practical solutions discussed include using the TPM with BitLocker encryption, protecting VPN keys, and enforcing network access policies with TNC-compatible products.
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
1. Attacking Intel® Trusted Execution Technology
Rafal Wojtczuk Joanna Rutkowska
rafal@invisiblethingslab.com joanna@invisiblethingslab.com
---===[ Invisible Things Lab ]===---
Abstract
In this paper we present the results of our research into security of the Intel® Trusted
Execution Technology, part of the vProTM brand. We describe a practical attack that is
capable of bypassing the TXT's trusted boot process, a key building block for Intel's vision of
Trusted Computing. As part of the attack we also discuss practical attacks on SMM memory
in modern Intel systems.
keywords: Trusted Computing, Trusted Execution Technology, System Management Mode,
TXT, SMM, STM, BIOS, security, analysis, attacks.
1. Introduction and storing them in particular TPM registers. What
is extraordinary here is that TXT doesn't make any
Trusted Computing is becoming a part of our lives, assumptions about the state of the system before
whether we want it or not. These days almost every loading the software, thus making it possible for a
new laptop comes with an on-board Trusted user to ensure secure load of an OS or VMM, even
Platform Module (TPM). Some of the Microsoft's in a potentially compromised machine.
Palladium technologies made their way into Vista,
and Microsoft BitLocker is, without doubt, the most In other words, our system can be full of boot
successful, widely deployed product that is based sector viruses and BIOS rootkits, and god-knows-
on the idea of Trusted Computing[8]. what-else, and still TXT should allow to load a
clean VMM (or OS kernel) in a secure way, immune
On the hardware side, besides the famed TPM, we to all those malware present in the system. This
also have had the LaGrande technology. TXT-supported load process is called Late Launch,
LaGrande, recently renamed Trusted Execution and is implemented via a special new CPU
Technology (TXT)[4], is Intel's response to the instruction called SENTER. A good introduction to
Trusted Computing trend. TXT is currently part of Intel TXT architecture can be found in the David
the vPro™ brand[5], and for about a year now Grawrock's book[3]. For a detailed technical
users can buy a vPro/TXT compatible hardware in specification one should consult the Intel TXT
regular computer stores (the first one was the documentation[4].
DQ35J desktop board[7] that worked with certain
Core 2 Duo processors1). We shall stress that TXT has not been designed to
provide runtime protection, e.g. against a buffer
TXT is not an alternative to a TPM, in fact TXT overflow in a hypervisor code. TXT is supposed to
heavily relies on the TPM to provide basic services provide only the launch-time protection, i.e. ensure
like e.g. secure storage of measurements done by that the code we load, at the moment of loading, is
the TXT. Also, Palladium, or whatever it is called what we really intended to load.
these days, is not a competition to TXT. Intel TXT
can provide building blocks to e.g. Vista Bitlocker, It's worth mentioning AMD has its own version of a
arguably making it more secure than it is now. late launch, implemented via an SKINIT instruction.
We haven't looked at the AMD technology
The sole purpose of Intel TXT technology is to thoroughly yet, so we will refrain from commenting
provide a trusted way for loading and executing on this any further.
system software, e.g. Operating System kernel or
Virtualization Machine Monitor (VMM). This is The late launch is a pretty amazing technology,
achieved by performing software measurements when we think about. It promises to effectively
1TXT requires support from both the CPU and the chipset
1
2. provide all the benefits of a computer restart TXT's late launch functionality. Tboot is also part of
without actually restarting it. the mainstream opensource Xen hypervisor[12].
It is hard to overemphasize the potential impact Normally tboot should ensure that when a correct,
that a technology such as TXT could have on i.e. unmodified, Xen hypervisor is loaded, and only
computer security. One can immediately see it then, correct measurements will be loaded into
could provide basic building blocks that could be TPM registers. In practice this means that only a
later used to eliminate all the system-level chosen (trusted) version of the Xen hypervisor will
persistent malware2 — in other words we should be get access to certain secrets sealed in the TPM,
able to easily build systems (VMMs or even and/or will be able to positively authenticate itself to
standard OSes) that would be immune to attacks some peer (e.g. system administrator's laptop)
that try to compromise system binaries on disk, or using a special feature of a TPM called Remote
attack the system right from the bootloader or Attestation.
BIOS. Combining this with VT-x and VT-d
technologies, system developers (for the first time, With our attack we show that by infecting an SMM
at least as far as the "PC" platform is considered) handler, we can modify at will the just-loaded (and
have gotten extremely strong tools into their hands just-measured) VMM. In other words the attacks
that should allow them to create really secure completely bypass all the security functionality that
VMMs and OSes… is supposed to be provided by the TXT for the
purpose of trusted boot. This is a direct result of the
Let us now describe how we have attacked this SMM code surviving the late launch process in an
new exciting technology… unmodified form — whether compromised or not.
2. Attacking Intel TXT We describe the details of how to attack an SMM
handler in the next chapter.
TXT's key functionality, the late launch, is often
"advertised" as a way to load and start a piece of Intel's remedy to malicious SMM handler is called
trusted code (usually a VMM), no matter what is the STM, which stands for SMM Transfer Monitor. The
state of the system, at the moment just before purpose of STM is to sandbox the existing SMM
performing the launch. That is, however, not fully handler by virtualizing it using VT-x and VT-d
correct. In fact there is one piece of system technologies. STM should be thought of as of a
software that should be trusted… This system peer hypervisor to the VMM that is being loaded
software is a so called System Management Mode, using late launch. STM is supposed to be
which we discuss in more detail in the next chapter. measured during the late launch process.
SMM, being the most privileged type of software Unfortunately STM is, as of today, not available.
that ever executes on a CPU (see below), can We discuss this in more detail in the last chapter of
bypass security protections imposed by the late this paper.
launch process on a newly loaded VMM.
Unfortunately, the assumption that SMM can be 3. SMM Attacks
always trusted is incorrect, as we demonstrate here
with this research. SMM aka "Ring -2"
Indeed, one can imagine the following 2-stage System Management Mode is the most privileged
attack on the Intel TXT's late launch functionality: execution mode on x86/x86_64 architectures, even
more privileged than ring 0 mode and a hardware
1. Infecting the system's SMM handler, hypervisor (VT/AMD-v), often referred to as "ring
-1".
2. Compromising the just-securely-loaded code
(in our example the Xen hypervisor) from One reason for considering this code to be so
within the infected SMM handler. privileged, is that an SMM code can access the
whole system memory, including the kernel and
We have implemented a proof-of-concept code that hypervisor memory. Standard OS memory
demonstrates the above attack scheme against the protection mechanisms (Page Tables), as well as
Xen hypervisor loaded using tboot[6], the Intel's hypervisor memory virtualization (Shadow Paging,
open source implementation of trusted boot. Tboot Nested Paging/EPT, IOMMU/VT-d), do not work
provides trusted boot for Linux and Xen using Intel against the SMM code.
2 By a system-level malware we mean malware which is resident because of replacing/infecting crucial,privileged, nonvolatile code (e.g. a kernel binary, dll/sys
binary, or boot sector, or bios image)
2
3. Also, on Intel processors, an SMM code can Previous SMM-related research
"preempt" even the VT-x hypervisor, whenever an
SMI interrupt is signaled. There exists a way3 for Although there have been several publications, in
the hypervisor to establish a special entity, called the recent years, concerning the SMM-related
STM, that would be able to intercept those SMI security issues ([2], [10], [1]), they were all
interrupts, and we will discuss it later in this paper. concerned about the security implications resulting
from an attacker gaining access to the SMM
Consequently, it will be not much of an memory, without however focusing on how to
exaggeration to name SMM a "ring -2". bypass system SMM memory protection. That was
mostly because until recent years, it was
Difficulties with finding flaws in SMM straightforward to gain a read-write access to the
SMM memory by only setting appropriate chipset
A researcher willing to examine an SMM code for registers, so no special attack method was needed.
potential security problems faces a non-trivial
problem — the SMM memory is not accessible to Today most modern systems take special steps in
anyone except… the SMM itself. Thus there is no order to protect the SMM memory from even a
way for the attacker to get access to the actual read-only access from the OS, including the kernel
image of the SMM code. Without having access to and/or the hypervisor.
the (binary) code, one cannot, obviously, look for
potential flaws there. So, we came to a, somewhat Example #1: The Q35 remapping bug
discouraging, conclusion that:
During one of our presentations on Xen security at
Without having at least one bug in an SMM code the Black Hat conference in August 2008, we have
that could be exploited to read the SMM memory, mentioned a bug we found in a DQ35JO
one cannot... search for bugs in the SMM memory! motherboard 4 BIOS that allowed us to e.g. bypass
the Xen hypervisor memory protection. A few
That is indeed a nice example of a vicious circle weeks later Intel has released an updated BIOS
and partly explains why so little research has been that fixed the bug we exploited, and we have
done in the area of SMM attacks (see the published full details about the attack[9], together
discussion later). with a proof-of-concept code[11].
One might be tempted to think that an easy short- The attack exploits the Intel chipset's memory
cut to read the SMM code (and the whole BIOS), remapping (AKA memory reclaiming) feature and
would be to de-solder the SPI-flash chip from the allows to circumvent certain CPU- or chipset-
motherboard and read its memory using a special, imposed memory protection mechanisms. This
so called, programmer device. Unfortunately this includes ability to bypass an SMM memory
approach is not that straightforward as it might protection, allowing the attacker to gain full access
seem. It turns out that BIOS code, as seen on the to the SMM memory.
flash chip, is usually heavily packed with custom
packing algorithms and its unpacking presents as This bug, and a resulting attack, turned out to be
similar challenge as e.g. unpacking/deobfuscation crucial with our further SMM research. It allowed us
of modern malware, with the difference that code to analyze the SMM binary code and find further
emulation is extremely difficult to implement in the security problems there, which we describe below.
process of unpacking the BIOS code. After all a
BIOS code is supposed to be executed in a very Example #2: VU#127284
unusual I/O environment, which is hard to emulate
properly. On December 10th, 2008, we have reported the
discovery of a few new SMM bugs to Intel Product
Consequently we have taken a different approach, Security Response Center. All those SMM bugs
that is described later. Before we proceed, let's take result from a single design decision to implement
a quick look at the research done by other authors certain functionality in an unsafe way. This single
that involves SMM and security. design decision has lead to some 40+ places in the
SMM handler5 , where each might potentially
introduce code execution vulnerability in SMM
3 It is called "dual-monitor mode" by the Intel System Developers Manual.
4 Back then it was the most modern desktop motherboard from Intel available in shops.
5 We have looked at the DQ35JOE's motherboard's BIOS handler, with all the latest patches as of December 2008.
3
4. mode. We have successfully exploited only two of 4. The TXT design problem
those implementation errors. We have seen no
point in trying to exploit others. The correct solution We have mentioned above that a remedy to
to this problem should be based on redesigning the malicious SMM handlers is called an STM. We also
current SMM handlers. One should not confuse this said that no STM, as of today, is unfortunately
design mistake in the SMM handler with the design available on the market, which yields our attack
problem affecting the security of TXT, that we applicable to all current systems. One aim of our
discuss in the next chapter. research, besides having fun and all, is to stimulate
developers to create an STM.
Those recent SMM bugs have still not been
patched by Intel. Intel confirmed 6 the issue in So, here comes the first question about STM: who
"mobile, desktop, and server motherboards", should be in charge of creating an STM? We have
without providing any more details about which been told by Intel engineers that STM should be
exact models are vulnerable. We suspect it might created by OEMs, or BIOS vendors. Apparently
affect all recent Intel motherboards/BIOSes. STM should be part of a system BIOS, just like an
SMM is.
Intel estimates the firmware patches to be ready
before summer 2009. Intel requested that we This rises a second question though: if we do not
withhold the details about the SMM bugs until the trust OEMs to produce flawless SMM code(s), why
patches are available. We currently planning to should we trust them to create a flawless STM?
disclose them at the Black Hat USA 2009 After all, STM seems to us as something much
conference, that takes place at the end of July more complex than a typical SMM — STM is a
2009. hypervisor, a non-trivial hypervisor that should
provide memory, I/O and CPU virtualization to the
Intel told us that they have also notified CERT CC SMM handler. Moreover STM should work in
about this problem, because they believed similar parallel with an existing VMM(s), like e.g. Xen.
SMM bugs might be present in other vendors' There should be a way for the two hypervisors to
BIOSes. CERT CC has assigned the following talk to each other, which, in turn, should require a
tracking number to this issue: VU#127284. standardized inter-hypervisor protocol. Needless to
say, Intel does not provide any publicly available
Summary of the SMM issues
documentation on how to write a working STM 7.
With our two distinct attacks on the recent SMM
Intel claims8, however, that STM is not that difficult
handlers, we have shown that even the latest
to write and that Intel will provide detailed
systems don't correctly protect its most privileged
specification on how to write one in the near
software layer, i.e. the System Management Mode.
future 9. Intel argues that STM can be made more
In some aspects, an SMM code is even more
secure than a typical SMM because it might not
privileged than the hardware hypervisor, because it
need to be modified as often as SMM handlers are.
has access to the whole system memory, including
SMM needs to be "tuned" to each new
the hypervisor memory, but not vice versa.
motherboard/system, while an STM should be fairly
We should note, however, that our SMM attacks generic. This could allow to have just a few mature
still do not allow to e.g. re-flash the BIOS. Today, (and well audited) STMs in existence.
most BIOSes are well protected against re-flashing
The third question comes to mind however: if
with unsigned images. Also our attacks do not
indeed STMs were so easy to write, why would
affect the Intel AMT technology, which is
Intel still hadn't created one? After all, TXT-capable
independent from the main processor and does not
hardware has been available in shops for over a
rely on SMM security.
year now, and also the Intel's tboot project is more
than a year old.
6 Private communication between ITL (we) and Intel.
7 In fact the term STM is not defined in any of the Intel documents available on intel.com website. The term and its purpose is only introduced in the, already
mentioned, David Grawrock's book[3].
8 Private communication between ITL (we) and Intel.
9 Intel claims the specification is already available for select vendors under NDA.
4
5. Intel's counter-argument10 is that there has not [2]
Loic Duflot. Security Issues Related to Pentium
been enough "market demand" for an STM as of System Management Mode. Presented at
yet, and consequently OEMs have not been CanSecWest 2006, Vancouver, Canada, 2006.
interested in developing an STM. [3]
David Grawrock. The Intel Safer Computing
Initiative: Building Blocks for Trusted Computing
We cannot agree with this counter-argument,
however. First, we shall not forget that Intel is (Computer System Design). Intel Press, 2006.
also… an OEM/BIOS vendor — it does sell [4]
Intel Corp. Intel® Trusted Execution Technology.
motherboards and does make BIOSes for them. http://www.intel.com/technology/security/,
Second, when it comes to security, one should not [5]
Intel Corp. Intel® vPro™ Technology. http://
use "market demand" as an excuse. If we followed www.intel.com/technology/vpro/index.htm,
this line of reasoning, we might very well never [6]
Intel Corp. Trusted Boot (tboot). http://
started using the snprintf() function;) sourceforge.net/projects/tboot, 2007.
[7]
Intel Corp. Intel® Desktop Board DQ35JO. http://
Consequently, we should ask if that was indeed a www.intel.com/products/desktop/motherboards/
good idea to design TXT in such a way that it
dq35jo/dq35jo-overview.htm, 2008.
requires additional, probably quite complex, entity
[8]
Joanna Rutkowska. Why do I miss Microsoft
called STM to function correctly? Maybe it was a
mistake to allow TXT to function without STM? After BitLocker? http://
all the whole point about TXT was to get rid of the theinvisiblethings.blogspot.com/2009/01/why-do-
Static Root of Trust Measurement, in favor of the i-miss-microsoft-bitlocker.html, 2009.
Dynamic Trust Measurement. Assuming even that [9]
Joanna Rutkowska and Rafal Wojtczuk. Detecting
STM itself will not contain any flaws — it is unclear & Preventing the Xen Hypervisor Subversions.
to us whether integration of STM and TXT can be, Presented at Black Hat USA, Las Vegas, NV,
and will be, done securely; we cannot say more on USA, 2008.
the topic until we can evaluate an actual STM [10]
Sherri Sparks and Shawn Embleton. SMM
implementation. Rootkits: A New Breed of OS Independent
Malware. Presented at Black Hat USA, Las
5. Summary
Vegas, NV, USA, 2008.
[11]
Rafal Wojtczuk, Joanna Rutkowska, and
We have described a successful attack against
Intel Trusted Execution technology. We have also Alexander Tereshkin. Xen 0wning Trilogy: code
implemented a working proof-of-concept exploit and demos. http://invisiblethingslab.com/
that works against Xen loaded via tboot — Intel's resources/bh08/, 2008.
implementation of TXT-based trusted boot. [12]
Xen Hypervisor. http://xen.org/
Probably equally interesting as the TXT itself is
another aspect of our research — the novel
research into SMM attacks. SMM attacks have
more implications than just attacking TXT… SMM
compromises can also be used for creating
advanced rootkits, backdoors and trojans. SMM
bugs can also be used to compromise hypervisor
memory in virtualized systems, even such
advanced as Xen.
The details of our new SMM attacks will be made
available once Intel patches its firmware, most
likely we will present them at the Black Hat USA
conference in summer 2009. We will also make the
code of our TXT exploit available.
References
[1]
BSDaemon, Coideloko, and D0Nand0N. System
Management Mode Hack: Using SMM for "Other
Purposes". In Phrack Magazine, Vol 0x0c, Issue
0x41, 2008.
10 Private communication between ITL (we) and Intel.
5