The SMM Rootkit Revisited: Fun with USB

Author

Schiffman, Joshua ; Kaplan, David

Author_Institution

Security Archit. R&D, Adv. Micro Devices, Inc., Austin, TX, USA

fYear

2014

fDate

8-12 Sept. 2014

Firstpage

279

Lastpage

286

Abstract

System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.

Keywords

data structures; input-output programs; invasive software; operating system kernels; peripheral interfaces; I/O registers; OS kernel; PS/2 key loggers; SMM rootkit; SMM-based key loggers; SMM-based malware; USB devices; USB-related hardware interrupts; host operating system; kernel data structures; proof-of-concept USB key logger; system management mode rootkit; universal serial bus; Hardware; Kernel; Keyboards; Linux; Program processors; Registers; Universal Serial Bus; Computer security; Embedded software; Universal Serial Bus;

fLanguage

English

Publisher

ieee

Conference_Titel

Availability, Reliability and Security (ARES), 2014 Ninth International Conference on

Conference_Location

Fribourg

Type

conf

DOI

10.1109/ARES.2014.44

Filename

6980293