SMM Rootkits: A New Breed of OS Independent Malware

The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine Based Rootkits (VMBRs). This paper draws attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode Based Rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits.