July 14th, 2008
Remote code execution through Intel CPU bugs
Kris Kaspersky, author of numerous books on reverse engineering and software engineering, will be presenting his
research on remote code execution through Intel CPU bugs at the upcoming Hack in the Box Security Conference in Malaysia. If his proof of concept code consisting of JavaScript or TCP/IP packet attacks on Intel based machines succeeds, given Intel’s dominant market share on the market the potential outbreak could be enormous since as he claims, the PoC is OS independent, namely all operating systems running Intel chips are said to be vulnerable. Here’s an abstract from his upcoming presentation :
“Intel CPUs have exploitable bugs which are vulnerable to both local and remote attacks which works against any OS regardless of the patches applied or the applications which are running. In this presentation, I will share with the participants the finding of my CPU malware detection research which was funded by Endeavor Security. I will also present to the participants my improved POC code and will show participants how it’s possible to make an attack via JavaScript code or just TCP/IP packets storms against Intel based machine. Some of the bugs that will be shown are exploitable via common instruction sequences and by knowing the mechanics behind certain JIT Java-compilers, attackers can force the compiler to do what they want (for example: short nested loops lead to system crashes on many CPUs). I will also share with the participants my experience in data recovery and how CPU bugs have actually contributed in damaging our hard drives without our knowledge. “
Intel will be keeping an eye on his upcoming research :
“George Alfs, a spokesman for Intel, said he has not yet seen Kaspersky’s research, nor has he spoken to him about it. “We have evaluation teams always looking at issues. We’ll certainly take a look at this one,” said Alfs. “All chips have errata, and there could be an issue that needs to be checked. Possibly. We’d have to investigate his paper.”
BIOS based rootkits are nothing new with John Heasman’s research into Implementing and Detecting a PCI Rootkit, published in 2006. And with the possibility of malware hiding at the lowest possible level already a fact, what will be very interesting to monitor is a universal remote code execution based on chip’s manufacturer. Everything is possible, the impossible just takes a little longer.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
