2015-08-07

"The sinkhole attack is used to drop a rootkit into SMRAM. Rootkit now invisible to the OS, ring 0, hypervisor, AV, and everything else."

Complete control of an Intel chip via SMM (called Ring -2 here, the first time I've heard it called that, and perhaps a bit anachronistic, as SMM existed before the hypervisor, which they're calling Ring -1). Fascinating tour through parts of the chip below the kernel that we rarely have to think about.

"A forgotten patch to fix a forgotten problem on a tiny number of legacy systems 20 years ago… That opens up an incredible vulnerability on an entirely unrelated piece of the processor."
github.com/xoreaxeaxeax/sinkhole

github.com/crawshaw
twitter.com/davidcrawshaw
david@zentus.com