System Management Mode Speculative Execution Attacks

We have discovered a new application of speculative execution attacks that bypasses hardware-based memory protections. Vulnerabilities affecting speculative execution in modern processor architectures were first discovered in 2017 by Jann Horn of Google Project Zero and other security researchers. This class of vulnerabilities allows local unprivileged attackers to expose the contents of protected memory by exploiting microarchitectural features of modern out-of-order CPUs such as caches, the instruction pipeline and speculative execution. We expanded on this method to gain access to the highly privileged System Management Mode (SMM) memory.


Introducing Eclypsium

Today, we are proud to announce a new approach to enterprise security that protects the firmware and hardware at the heart of our devices. For everything from laptops to servers to network devices, we find the areas where you are vulnerable and actively defend against attacks in the firmware. This is specifically the area where the most innovative attackers have been focusing recently, and until today, where defenders have lagged behind. This is an incredibly exciting time for the industry, and I would like to thank our investors Andreessen Horowitz, Intel Capital, Ubiquity Ventures, and our individual investors for believing in Eclypsium. In the next few paragraphs I’ll try to quickly explain what is driving us on this journey.

Hardware- and firmware-level attacks that live below the operating system are a glaring blind spot that is reshaping enterprise security. For the entire history of modern information security, the battle has largely been waged from the operating system up. Antivirus software and malware continuously battle for control of the host OS, and when an infection is suspected, the common response is to simply reimage the machine. This approach is blind to vulnerabilities in firmware or hardware, which live below the level of the OS, and it fails both at protecting against and at remediating an actual attack.

The main motherboard, network cards, management controllers, storage devices and dozens of other components at the heart of our devices all rely on firmware developed by different manufacturers, and any of it can be compromised. This is true for any type of device and OS, ranging from laptops, to the servers that run our applications in the enterprise, to the network appliances that operate our network infrastructure, to the industrial systems that operate our critical infrastructure. It is a large attack surface, and devices can be backdoored in the supply chain before you ever pull them out of the box.

Most organizations don't have the in-house expertise to find vulnerabilities or firmware backdoors and implants. Worse still, most firmware is rarely updated, and upgrades are often manual and tricky procedures. So if an attacker can compromise the firmware on a device, he is often beyond the reach of traditional security. He will typically have fundamental control over the device and its data while remaining invisible, and persistent enough to survive even a complete OS reinstall. The recent DHS alert on state-sponsored attacks targeting enterprise network infrastructure shows that these threats have become mainstream and are an immediate issue for all enterprises.

And that is the point: these attacks are all about persistence. Unlike the countless variants of evolving malware, infrastructure-level attacks are about the persistence of an advanced attack. They are rarer by nature than commodity malware, but they are likewise far more valuable to an attacker and far more costly to an organization.

This problem has been the central focus of my research from my days leading the Advanced Threat Research team at Intel to creating the CHIPSEC framework, and it has culminated in our work here at Eclypsium. We have built a new layer of security that defends an organization's firmware and infrastructure and protects them from backdoors and implants. We detect devices that have vulnerable hardware or firmware, detect and isolate devices with implanted firmware, and protect your critical hardware from compromise or physical damage by an attack. We apply this approach in the enterprise, in data centers, and within the hardware supply chain itself.

We are currently engaged in product testing with select organizations. Our focus at the moment is ensuring that these initial deployments are successful and continuing to learn from additional real-world deployments. Over the coming weeks and months, we will be ramping up our ability to support more organizations, and we will be sharing more details about the product. Please reach out to us if you would like to learn more, and we hope you will join us on this journey.