For years we've seen SMM security bug after security bug. This has been a considerable problem for those who want to reason about the state of a machine's security starting from boot. In recent years there's been talk about deprivileging SMM, so that when a security bug in an SMM handler is found, its effect isn't as devastating to the overall security of the system. This requires a privileged SMM supervisor that can then correctly enforce SMM policy for the SMM handlers. Both AMD and Intel have implemented such a supervisor; however, neither has released the implementation. Their supervisors are proprietary and as such hard to assess. Microsoft has recently created an SMM supervisor (part of their Project Mu) and open-sourced it.
This presentation will describe the overall design and implementation details of this supervisor. It will also cover the results of a security review of this supervisor and draw several conclusions.
Ilja van Sprundel is experienced in secure code review, network and application testing. As IOActive's Senior Director of operating system security, he performs primarily gray-box penetration testing engagements on low-level software and firmware (specializing in low-level internals, OS kernel internals, bootloaders, hypervisors, ...) that require customized fuzzing and source code review, identifying system vulnerabilities, and designing custom security solutions for clients. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customers' expectations. van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skill sets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.