Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.
This post is a “brain dump” as described by the Microsoft support team. I’m attempting to publish many an article held back by perfectionism, and to publish time-sensitive ideas; special thanks to my first semester freshman year writing teacher, anybody
THIS PAGE WILL BE COMPLETED IN THE NEXT FEW DAYS! WORK IN PROGRESS! UPDATE: NEARING COMPLETION
I’ve been thinking about the NSA’s office of Tailored Office Operations, and how some of their exploits may work.
I’ve known for years that Intel’s Management Engine is a persistent bastard. It hitches on to many Intel drivers and associated control applets. It can be remotely installed. Online “store-bought” (preconfigured) computers offer the Management Engine as a feature for computers sold without an operating system. I didn’t understand that last bit (without an OS), but I figured that it was some ugly BIOS + OS magic that I didn’t yet understand. I only grasped the significance of the Management Engine a few days ago.
Over Winter Break, I’ve been busy catching up on reading, particularly on computer organization, processor microarchitecture, translation lookaside buffers, page tables, processor datapaths & codepaths, kernel design, protection rings, the interaction of the kernel & the processor, and other really low-level things.
Yesterday I caught up on another concept, that of negative protection rings, a concept as mysterious and captivating as negative resistance, negative refraction indices, negative gravitation, negative impedance, negative bulk moduli, and negative absolute temperature; a concept so exotic that I had never conceived of it, nor would I ever have so much as considered it, but for derivation by formal reasoning. Truly compelling, but I digress.
The idea of negative protection rings has, in fact, long been considered academically – considered, that is. The incredible resources required to properly exploit these lower rings (i.e. with a fully functioning rootkit) ensure that such exploits are never within reach of the academic community.
The first negative protection ring is, in the simplest of terms, a mechanism explicitly designed to operate outside of the operating system’s reach, but not explicitly designed to do so maliciously. Ring -1 is hardware acceleration intended to allow OS virtualization at tolerable speeds, and in this role it is known as a Hypervisor. As a Hypervisor, its job is to present a convincing image of actual hardware to the virtualized ‘guest’ OS, allowing the Hypervisor (the ‘host’) to share a single physical computer among multiple guest OSs. If each OS were to (try to) share control of the same hardware without a Hypervisor, they’d all crash and burn.
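What an OS can learn about ring -1 from the inside, as an added example that is not code from the original post: it decodes the CPUID bits for VT-x support and for the "hypervisor present" announcement, plus the vendor signature at leaf 0x40000000. The function names are my own, and because a hypervisor can intercept CPUID and choose what the guest sees, a clear bit does not prove that nothing sits underneath.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 5: the CPU advertises Intel VT-x (VMX). */
int cpu_has_vmx(uint32_t leaf1_ecx) { return (leaf1_ecx >> 5) & 1; }

/* CPUID leaf 1, ECX bit 31: reserved so that a hypervisor can announce
 * itself to its guest. Advisory only; the hypervisor decides its value. */
int hypervisor_announced(uint32_t leaf1_ecx) { return (leaf1_ecx >> 31) & 1; }

/* Leaf 0x40000000 returns a 12-byte vendor signature in EBX, ECX, EDX. */
void hypervisor_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xff);
    out[12] = '\0';
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    char vendor[13] = "";
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 1;
    printf("VMX advertised: %d\n", cpu_has_vmx(c));
    if (hypervisor_announced(c)) {
        __cpuid(0x40000000, a, b, c, d);
        hypervisor_vendor(b, c, d, vendor);
        printf("hypervisor announced: %s\n", vendor);
    } else {
        puts("no hypervisor announced (a clear bit proves nothing)");
    }
#else
    puts("not an x86 build; CPUID unavailable");
#endif
    return 0;
}
```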