SENTER Sandman: Using Intel TXT to Attack BIOSes - request for slides / transcript

coderman coderman at
Mon Sep 22 17:05:17 PDT 2014

anyone have details on:

SENTER Sandman: Using Intel TXT to Attack BIOSes
At CanSecWest 2014 we presented the first prototype of Copernicus 2, a
trustworthy BIOS capture system. It was undertaken specifically to
combat our “Smite’em the Stealthy” PoC which can forge the BIOS
collection results from all other systems (including our own
Copernicus 1, the open source Flashrom, Intel Chipsec, etc).
Copernicus 2 makes use of the open source Flicker project from Jon
McCune of CMU which utilizes Intel Trusted Execution Technology in
order to build a trustworthy environment from which to run our BIOS
measurement code. We specifically chose TXT because it has the ability
to disable System Management Interrupts (SMIs), effectively putting the
SMM MitM, Smite’em, to sleep.

But if you’ve been following our work (specifically “Defeating Signed
BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”)
you will have seen that we have two other attacks where we leverage
the ability to suppress SMIs to break into some BIOSes. Thus the
Sandman cometh! We will explain how we could implement the PoC Sandman
attack using the same infrastructure as Copernicus 2. We will also
explain what can be done against this kind of attack, and how the
latest Copernicus 2 attempts to prevent opening the door to the
Sandman. We will also cover how Copernicus 1 and 2 can check for the
problems with BIOSes that make SMI-suppression attacks feasible, how
to tell if you’re vulnerable, and what you may be able to do about it.
