New Attack Vector Shows Dangers of S3 Sleep Mode

Researchers at Black Hat Asia demonstrated how they can compromise the security of a machine as it powers down and wakes up.

Two researchers at Black Hat Asia last month gave computers a reason to sleep with one eye open in their demo of S3 Sleep, a new attack vector used to subvert the Intel Trusted eXecution Environment (TXT). A flaw in Intel TXT lets hackers compromise a machine as it wakes up.
Intel TXT is the hardware-based functionality that supports the dynamic root-of-trust measurement (DRTM) and validates the platforms trustworthiness during boot and launch. This attack targets trusted boot (tBoot), a reference implementation of Intel TXT normally used in server environments. tBoot is an open-source project that protects the virtual machine monitor (VMM) and operating system.
Senior security researcher Seunghun Han and security researcher Jun-Hyeok Park, both with the National Security Research Institute of South Korea, presented an exploit of the Lost Pointer vulnerability (CVE-2017-16837), a software flaw in tBoot. This specific attack vector has never been reported, the two said at Black Hat, and attackers only need root privilege to do it.
Researchers have investigated Intel TXT and tBoot before, the researchers explained. However, previous studies have only focused on the boot process. This one focuses on the sleeping and waking up sequence of tBoot, and how attackers could exploit a machine as it reactivates.
Securing the sleep states
Sure, you could avoid this kind of attack by keeping machines running constantly, so Han started their Black Hat session by pointing out the financial reasons for sleep mode. Power consumption is cost, Han explained. Many companies worry about power consumption for their products because lower power consumption means a lower electricity fee.
Shutting down machines dramatically reduces power consumption; however, reactivating all of their components poses a security risk. As the computer wakes up, restarting its many parts takes time and security devices might be temporarily shut down for part of the process.
PC, laptop, and server environments supporting advanced configuration and power interface (ACPI) have six sleeping states to gradually reduce power consumption as the machine shuts down. The states go from S0 to S5 as the CPU, devices, and RAM go into full sleep mode. Power to the CPU and devices is cut off at the S3 phase of sleep.
Because of power-off, their states need to be restored and reinitialized for waking up, says Han. If we intercept sleep and waking up, we can do something interesting.
There are boot protection mechanisms, Park says. The secure boot of the Unified Extensible Firmware Interface (UEFI) checks a cryptographic signature of the binary prior to execution, and stops it if the executable file lacks a valid signature. Measured boot measures a hash of the binary prior to execution and stores the measurement to the Trusted Platform Module (TPM).
TPM is a hardware security device widely deployed in commercial devices, Han says. Its designed with a random number generator, encryption functions, and Platform Configuration Registers (PCRs), which store hashes and can be used to seal data like Bitlocker, he explains.
The danger of sleep mode
When the system wakes up, it should turn on the security functions of the CPU and recover the PCRs of the TPM. However, because of the Lost Pointer flaw, tBoot doesnt measure all function pointers. Certain pointers in tBoot are not validated and can cause arbitrary code execution.
By exploiting the Lost Pointer flaw on a machine in S3 sleep mode, Han and Park found they can forge PCR values while a system sleeps and wakes up. If they can make the PCR variables whatever they want, attackers can subvert the Intel TXT security mechanism.
The researchers advise updating your tBoot to the latest version, or disabling the sleep feature in the BIOS, to protect against this kind of attack.
Related Content:
780 Days in the Life of a Computer Worm
Hudsons Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch
University Networks Become Fertile Ground for Cryptomining
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the
security track here
. Register with Promo Code DR200 and save $200.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Attack Vector Shows Dangers of S3 Sleep Mode