PDF《TXT》

Attacking Intel TXT? via SINIT code execution hijacking Rafal Wojtczuk rafal@invisiblethingslab.

com Joanna Rutkowska [email protected] November

2011 Abstract We present a software attack against Intel? TXT that exploits an implementation problem within a so called SINIT module. The attack allows to fully bypass Intel TXT, Intel Launch Control Policy (LCP), and additionally also provides yet-another-way to compromise SMM code on the platform.

1 What is Intel TXT? For a basic introduction to Intel? Trusted Execution Technology (TXT), the reader is referenced to our previous paper on this topic [1], or alternatively, for a much more complete and in-depth introduction, to the updated book by David Grawrock [3], and also to the MLE Developer'

s Guide [4].

2 Prior work on attacking Intel TXT In early

2009 our team presented an attack against Intel TXT that exploited a design problem with Sys- tem Management Mode (SMM) being over privileged on PC platforms and able to interfere with TXT launch [1]. A year later we demonstrated a di?erent attack against Intel TXT, this time exploiting an implemen- tation bug in a so called SINIT module, an internal part of the Intel TXT infrastructure. The attack worked by tricking SENTER into mis-con?guring VT-d setup, so that the attacker could compromise the newly loaded hypervisor using a DMA attack[2].

3 On Attacking Intel TXT The attack presented in this paper assumes, as usual, that the attacker can execute code before the TXT launch, i.e. before the SENTER instruction. The attacker'

s goal is to either 1) be able to compromise the newly loaded hypervisor, even though is has just been securely loaded by TXT (and this is exactly how our previous two attacks worked), or 2) be able to load arbitrary hypervisor, yet make it seem as if it was a trusted one by making all the PCR hashes to be correct. This is how the attack presented today works. Our new attack exploits a bug in an SINIT module. Before describing the bug, let'

s make a quick recap on what is the role of SINIT in Intel TXT.

4 About Authenticated Code (AC) modules and SINIT SINIT is an important binary module that is used by Intel TXT. SINIT binaries are distributed by In- tel for speci?c chipsets/processors, and the task of an SINIT module is to prepare the platform for entering the TXT secure mode.1 SINIT module is loaded and 1One can download SINIT modules from http://software.intel.com/en-us/articles/

1 executed by the SENTER instruction. SINIT must be digitally signed by Intel for the SENTER instruc- tion to load and execute it. SINIT is thus also called an Authenticated Code Module (AC Module). There is at least one other example of an AC Module dis- tributed by Intel, the SCLEAN AC Module, that can be loaded by ENTERACCS instruction and is sup- posed to be used by a TXT-aware BIOS to wipe the system memory in the event of an unexpected system shutdown.2 An AC Module, such as an SINIT, when loaded us- ing the SENTER or ENTERACCS instructions3 , ex- ecutes in a specially protected and privileged envi- ronment. There seem to be some di?erences between the environment provided by the ENTERACCS vs that provided by the SENTER instruction, and so we focus further on the latter case, and we will call this special privileged environment, or mode of exe- cution, an SINIT mode . One task of the SINIT module is to read and parse platform con?guration as exposed by the BIOS ACPI tables, and speci?cally by the ACPI DMAR table that describes the VT-d con?guration of the plat- form.4

5 The SINIT bug SINIT code is written in a regular x86 assembly, so it is possible to disassemble it using standard x86 tools for binary analysis. Below is a fragment of the intel-trusted-execution-technology/ 2If (an incorrectly implemented) BIOS doesn'