Title :
The SMM Rootkit Revisited: Fun with USB
Author :
Schiffman, Joshua ; Kaplan, David
Author_Institution :
Security Archit. R&D, Adv. Micro Devices, Inc., Austin, TX, USA
Abstract :
System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.
Keywords :
data structures; input-output programs; invasive software; operating system kernels; peripheral interfaces; I/O registers; OS kernel; PS/2 key loggers; SMM rootkit; SMM-based key loggers; SMM-based malware; USB devices; USB-related hardware interrupts; host operating system; kernel data structures; proof-of-concept USB key logger; system management mode rootkit; universal serial bus; Hardware; Kernel; Keyboards; Linux; Program processors; Registers; Universal Serial Bus; Computer security; Embedded software; Universal Serial Bus;
Conference_Titel :
Availability, Reliability and Security (ARES), 2014 Ninth International Conference on
Conference_Location :
Fribourg
DOI :
10.1109/ARES.2014.44
