[cap-talk] "Security Issues related to Pentium System Management Mode"
Jed at Webstart
donnelley1 at webstart.com
Wed May 3 21:09:36 EDT 2006
At 07:20 AM 5/3/2006, David Hopwood wrote:
>The following attack demonstrates the importance of applying fine-grained POLA
>to I/O register access in drivers:
>
> Loïc Duflot,
> Security Issues related to Pentium System Management Mode
> <http://www.cansecwest.com/slides06/csw06-duflot.ppt>
>
>(The video subsystem in a capability OS would never be designed like X, anyway,
>so this would at most allow a privilege escalation if there were an exploitable
>bug in a display driver -- but we would like to prevent even that, to the extent
>possible.)
When discussing a sample exploit against OpenBSD the author says (pg. 32):
"We assume that an attacker has found a way to
execute code with superuser privileges."
Isn't that a bit extreme? Is that perhaps because the X Server must execute
with superuser privileges?
I don't completely understand this attack. Is it being suggested that this attack
works on the Unix systems that use X (as they say on pg. 41: Linux 2.6, FreeBSD,
NetBSD, and OpenBSD, but not Windows XP)?
Is the "System Management Mode" the reason Pentium processors have problems doing
direct I/O beyond the 4GB boundary (e.g. pg. 14)? That's already a problem that's
getting me to shy away from Pentium processors for Virtual Machine applications
(though AMD doesn't yet have processors in the market with their "Pacific" that I
know of). Perhaps this exploit is another reason to avoid Pentium processors
(e.g. prefer AMD) for systems that require X?
--Jed http://www.webstart.com/jed/