Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday September 01 2017, @09:08AM   Printer-friendly
from the idle-hands-devil's-playthings dept.

Positive Technologies has posted an interesting article about disabling the Intel Management Engine 11 via an undocumented mode.

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

[...] Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.

[...] Unfortunately, analysis of Intel ME 11 was previously impossible because the executable modules are compressed by Huffman codes with unknown tables. Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) managed to recover these tables and created a utility for unpacking images. The utility is available on our GitHub page.

Hey, the government isn't the only one who wants "high assurance" for their computers. We trolls and average peons would like to think our systems are secure as well.

But it gets better.

Intel allows motherboard manufacturers to set a small number of ME parameters. For this, the company provides hardware manufacturers with special software, including utilities such as Flash Image Tool (FIT) for configuring ME parameters and Flash Programming Tool (FPT) for programming flash memory directly via the built-in SPI controller. These programs are not provided to end users, but they can be easily found on the Internet.

From these utilities, you can extract a large number of XML files (detailed description of the process). These files contain a lot of interesting information: the structure of ME firmware and description of the PCH strap, as well as special configuration bits for various subsystems integrated into the PCH chip. One of the fields, called "reserve_hap", drew our attention because there was a comment next to it: "High Assurance Platform (HAP) enable".

[Ed Note - The fine article contains the following disclaimer:

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

You've been warned.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by bob_super on Friday September 01 2017, @06:38PM (3 children)

    by bob_super (1357) on Friday September 01 2017, @06:38PM (#562650)

    > Do you think the NSA hired a group of EEs to go through Intel's ME engine and review it for security issues and flaws?

    Definitely. Was that actually in question?
    And most of the binary blobs are there to mitigate the effects of bugs and flaws found by Intel and the NSA (most, not necessarily all). You can remove them and never hit the specific issue they address, and even blame Microsoft, Apple or whatever SW you're seeing crash if you do...

    But let's not have a rational answer get in the way of a good paranoia story

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Friday September 01 2017, @07:26PM (2 children)

    by Anonymous Coward on Friday September 01 2017, @07:26PM (#562679)

    > Definitely. Was that actually in question?

    You are aware the question was regarding the whole "ME engine" rather than just ME? That is, the whole ROM + separate chip switches... We're talking about millions of lines of code going through hundreds of thousands worth of compilers into millions of lines of HDL.

    The NSA did the same as when Microsoft extended their offer to review their code: They hired a dozen guys for a couple of months to go through the IP stack and document the magic packets so they'll be able to filter them out with a separate physical firewall.

    Moreover, why on earth would the NSA ever disclose security issues and give up their backdoors? If they have a turn-off switch to ME, they have nothing to be afraid of. If they don't, they can just put up a physical firewall to block the magic packets.

    > And most of the binary blobs are there to mitigate the effects of bugs and flaws found by Intel and the NSA (most, not necessarily all).

    Agreed. But only as it extends to Intel. The NSA has no reason to disclose flaws.

    > But let's not have a rational answer get in the way of a good paranoia story

    Go look over at wikileaks. There are hundreds of flaws discovered by the NSA that were kept a secret. And again, especially in this case where they can either close ME or filter the packets or both, they have no reason to disclose any of it.

    Gosh... Why does any of this needs explaining in 2017?

    • (Score: 4, Informative) by bob_super on Friday September 01 2017, @07:39PM (1 child)

      by bob_super (1357) on Friday September 01 2017, @07:39PM (#562682)

      > The NSA has no reason to disclose flaws.

      Funny that. I used to work for a company where the guys with a Clearance would talk to the NSA, and the next generation of parts happened to have tweaks to various features to mitigate unspecified security risks.

      The NSA is tasked with defensive action too, because you don't want your Reaper, Tomahawk or Minuteman to suddenly fly in the wrong direction (unless they're heading for 38°53′52″N 77°02′11″W or 38°53′23.29″N 77°00′32.81″W, obviously). They take that job very seriously, whatever Internet dwellers like us say about their Evil secretive ways.

      • (Score: 1, Insightful) by Anonymous Coward on Saturday September 02 2017, @09:23AM

        by Anonymous Coward on Saturday September 02 2017, @09:23AM (#562883)

        > to mitigate unspecified security risks.

        Or to enable others. But hey, don't look at a gift horse in the mouth, right?