
ACPI and SMI handlers: some limits to trusted computing

Original Paper, Journal in Computer Virology

Abstract

Trusted computing has been explored through several international initiatives. Trust in a platform generally requires a subset of its components to be trusted (typically the CPU, the chipset and a virtual machine hypervisor). These components are granted maximal privileges and constitute the so-called Trusted Computing Base (TCB), whose size should be minimal. The rest of the platform is only granted limited privileges and cannot perform security-critical operations. A few initiatives aim in particular at excluding the BIOS from the TCB (e.g., Intel® TxT and AMD SVM/SKINIT). However, the BIOS is responsible for providing some objects that need to be trusted for the computer to work properly. This paper focuses on two of these objects, the SMI handler and the ACPI tables, which are responsible for the configuration and the power management of the platform. We study to what extent these two components can reasonably be trusted. Despite the protections that are implemented, we show that an attacker can hide functions in either structure to escalate privileges. The main contributions of our work are to present an original mechanism that may be used by attackers to alter the SMI handler, and to describe how rogue functions triggered by an external stimulus can be injected inside ACPI tables (in our case, the attacker will plug and unplug the power supply twice in a row). We also explore the countermeasures that would prevent such modifications.
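The abstract's closing point, that countermeasures should prevent modifications of the ACPI tables, is one a defender can act on by recording the tables of a known-good platform and re-checking them later. The following Python is an added example and is not code from the paper or its authors: it assembles tables with the standard 36-byte ACPI System Description Table header, validates the header checksum, and compares SHA-256 digests against a baseline. Every table here is constructed sample data with placeholder bytes standing in for AML; on a real Linux host the raw tables would be read from /sys/firmware/acpi/tables instead of being built in code.

```python
import hashlib
import struct

# ACPI System Description Table header (36 bytes, little-endian):
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEMTableID(8)
# OEMRevision(4) CreatorID(4) CreatorRevision(4)
HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9


def build_table(signature: bytes, body: bytes, oem_table_id: bytes = b"EXAMPLE ") -> bytes:
    """Assemble a constructed ACPI table with a valid checksum (sample data, not firmware output)."""
    length = HEADER.size + len(body)
    header = HEADER.pack(signature, length, 2, 0, b"CONSTR", oem_table_id, 1, b"EXMP", 1)
    table = bytearray(header + body)
    # The checksum byte is chosen so that every byte of the table sums to 0 mod 256.
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF
    return bytes(table)


def parse_header(table: bytes) -> dict:
    """Decode the standard header; raises ValueError if the blob is too short."""
    if len(table) < HEADER.size:
        raise ValueError("blob shorter than an ACPI table header")
    sig, length, rev, checksum, oem_id, oem_tid, _oem_rev, _creator, _creator_rev = HEADER.unpack_from(table)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "checksum": checksum,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tid.decode("ascii", "replace").strip(),
    }


def checksum_ok(table: bytes) -> bool:
    """True when the declared length fits the blob and all bytes sum to zero mod 256."""
    length = parse_header(table)["length"]
    return HEADER.size <= length <= len(table) and sum(table[:length]) & 0xFF == 0


def table_key(table: bytes) -> str:
    """Identify a table by signature and OEM table id, e.g. 'DSDT/EXAMPLE'."""
    hdr = parse_header(table)
    return f"{hdr['signature']}/{hdr['oem_table_id']}"


def build_baseline(tables) -> dict:
    """Record a SHA-256 digest per table, taken from a platform known to be in a good state."""
    return {table_key(t): hashlib.sha256(t).hexdigest() for t in tables}


def audit(tables, baseline: dict) -> dict:
    """Classify each table as ok, modified, unknown or bad-checksum against the baseline."""
    result = {}
    for t in tables:
        key = table_key(t)
        if not checksum_ok(t):
            result[key] = "bad-checksum"
        elif key not in baseline:
            result[key] = "unknown"
        elif hashlib.sha256(t).hexdigest() != baseline[key]:
            result[key] = "modified"
        else:
            result[key] = "ok"
    return result


def demo() -> dict:
    # Constructed stand-ins for AML bodies; real tables would come from firmware.
    dsdt = build_table(b"DSDT", b"\x10\x0bSB__original_methods")
    facp = build_table(b"FACP", b"\x00" * 40)
    baseline = build_baseline([dsdt, facp])

    # A later snapshot: the DSDT body changed and its checksum was re-balanced,
    # an SSDT not seen before appeared, and the FACP has one corrupted byte.
    dsdt2 = build_table(b"DSDT", b"\x10\x0bSB__original_methods\x14extra")
    ssdt = build_table(b"SSDT", b"\x14\x05XTRA")
    facp2 = bytearray(facp)
    facp2[-1] ^= 0x01
    return audit([dsdt2, ssdt, bytes(facp2)], baseline)


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{key:16} {status}")
```

The altered DSDT passes the checksum test because the checksum is a consistency field that whoever can write the table can also recompute; only the comparison against a baseline stored outside the platform flags it. That is why the audit treats a valid checksum as necessary but not sufficient, and why the baseline itself must be captured and kept somewhere the firmware cannot reach.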




Correspondence to Loïc Duflot or Olivier Levillain.

Cite this article

Duflot, L., Grumelard, O., Levillain, O. et al. ACPI and SMI handlers: some limits to trusted computing. J Comput Virol 6, 353–374 (2010). https://doi.org/10.1007/s11416-009-0138-0
