System Management Mode Speculative Execution Attacks

System Management Mode

System Management Mode Speculative Execution Attacks

System Management Mode (SMM, sometimes called ring -2) is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer’s firmware, or a hardware-assisted debugger, is then executed with high privileges.

Discovered a new application of speculative execution attacks, bypassing hardware-based memory protections. Vulnerabilities affecting speculative execution of modern processor architectures were first discovered in 2017 by Jann Horn of Google Project Zero and other security researchers. This class of vulnerabilities allows local unprivileged attackers to expose the contents of protected memory by exploiting the microarchitectural capabilities of modern out-of-order CPUs such as caching, instruction pipeline or speculative execution. We expanded on this method to gain access to the highly privileged System Management Mode (SMM) memory.


System Management Mode



Because System Management Mode generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg. hypervisor, operating system, or application). Thus far, the Spectre and Meltdown vulnerabilities were demonstrated to affect software, such as operating systems, hypervisors or even applications within protected SGX enclaves. However, the effect on firmware has not previously been shown. While there are many different kinds of firmware present in every system, we wanted to investigate host processor firmware first.




The processor executes the main system firmware, often referred to as BIOS or UEFI, when the system boots. Much of this firmware only runs at boot time; however, there is also a portion that runs in parallel with the OS in a special x86 mode known as System Management Mode (SMM). This runtime part of firmware (often referred to as SMI Handler) has long been of interest to security researchers and a target for advanced attackers, since this code has high privileges and operates outside the view of other software including the OS and any security applications.




These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as System Management Mode memory. This can expose System Management Mode code and data that was intended to be confidential, revealing other System Management Mode vulnerabilities as well as secrets stored in SMM. Additionally, since we demonstrate that the speculative memory access occurs from the context of System Management Mode, this could be used to reveal other secrets in memory as well.




Bypassing System Management Mode Range Registers

Based on the attack scenario above, we ran the following experiment:

  1. We found a conditional branch validating the index into an array in one of the SMI handlers. This index should be the one controlled by the OS-level attacker.
  2. For the sake of a proof-of-concept, it is possible to inject the “vulnerable” function, as in the following example victim_function. The goal of this experiment was to demonstrate the impact of original Spectre attacks on memory protections like range registers.
  3. We triggered the vulnerable code in the SMI handler (by calling SW SMI or other SMM interfaces) with out-of-bounds array access, which caused speculative execution and the loading of data from an arbitrary SMRAM location to the data cache.
  4. We recovered the SMRAM data by measuring access time to different non-SMRAM locations in the data cache using one of the cache timing side-channel techniques.

As a result of running the above experiment, we’ve successfully recovered data that was stored in SMRAM and protected by SMRR. This proof-of-concept exploit is a modified Spectre variant 1 PoC exploit running with kernel-mode privileges.





Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

Networking Training in Bangalore

Networking Training in Hyderabad

Networking Training in Bhubaneswar

Advance Python Training in Hyderabad

Advance Python Training in Bangalore

Amazon Web Services Training in Hyderabad

Certified Ethical Hacker Certification – C | EH v10

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Python Programming training

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 


Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery


Other Location for Online Courses:




Leave a Reply

Your email address will not be published. Required fields are marked *



Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you