Showing results for 
Search instead for 
Did you mean: 

General Discussions

Esteemed Contributor III

Intel processors (again) allow for rootkits

Remember way back in 2009 when a proof of concept flaw was found in Intel processors which allowed for hard to detect rootkits, the same flaw Intel reported in 2005?

Intel CPU flaw allows for hard-to-detect rootkit - The Tech Report

Well, it appears they are at it again...

CyberArk: Windows 10 Vulnerable To Rootkits Via Intel's Processor Trace Functionality

Intel PT At Fault

The issue seems to be created by the Intel Processor Trace (IPT), which is an extension of the Intel architecture that captures information about software execution using dedicated hardware. The information is collected in data packets, which can be processed by a software decoder.

The packets include information such as: timing, program flow information (e.g. branch targets, branch taken/not taken indications) and program-induced mode related information (e.g. Intel TSX state transitions). The packets may first be buffered internally before they are transmitted to the memory subsystem or another output mechanism. Then, the debugging software can process the data and reconstruct the program flow.

Intel PT, which was introduced on the Broadwell generation of chips and expanded on Skylake, can trace any software that runs on the CPU, except for SGX-protected containers. The technology is used mainly for performance monitoring, code diagnostic, debugging, fuzzing, and malware analysis and detection.

However, an attacker can also exploit this technology to take control of a thread’s execution. The idea is to make the CPU branch to the malicious piece of code. One way to do this is to allocate extremely small buffers to the Intel PT packets. When the CPU runs out of buffer space, it will jump to the malicious piece of code that will create the “hook.”

No Short-Term Fix

Because this operation is executed in hardware, below the Windows operating system, CyberArk said that it would be “extremely difficult for Microsoft to detect and defeat this technique.”

In a reply to CyberArk, Microsoft stated:

“The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn’t meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I’ve closed this case.”

Microsoft may have realized that it can’t easily fix this with a simple update, as CyberArk also said. Therefore, it may have postponed the fix until either it creates a more advanced kernel protection architecture in a future version of Windows or until Intel finds a way to stop this type of attack in future chip generations. Until then, Windows 10 will likely continue to be vulnerable to rootkits enabled by malware that has already bypassed Windows Defender or other Windows protections.

Although I disagree. An easy fix would be to give full support for modern processors in Windows 8.1 and 7. If they can patch XP for WannaCry, they can patch 7 and 8.1 for Skylake and newer processors. Of course you could just run Ryzen instead.