Braindump: QUANTUMINSERT staring us right in our face? Intel Management Engine as the ultimate backdoor

Note: The “brain dump” series is akin to what the team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.

EricLaw [ex-MSFT]

This post is a “brain dump” as described by the Microsoft support team. I’m attempting to publish many an article held back by perfectionism, and to publish time-sensitive ideas; special thanks to my first semester freshman year writing teacher, anybody


I’ve been thinking about the NSA’s Office of Tailored Access Operations (TAO), and how some of their exploits might work.

I’ve known for years that Intel’s Management Engine is a persistent bastard. It hitches a ride on many Intel drivers and their associated control applets. It can be remotely installed. Online “store-bought” (preconfigured) computers offer the Management Engine as a feature even for computers sold without an operating system. I didn’t understand that last bit (without an OS), but I figured that it was some ugly BIOS + OS magic that I didn’t yet understand. I only grasped the significance of the Management Engine a few days ago.

Over winter break, I’ve been busy catching up on reading, particularly on computer organization, processor microarchitecture, translation lookaside buffers, page tables, processor datapaths and code paths, kernel design, protection rings, the interaction of the kernel and the processor, and other really low-level things.

Yesterday I caught up on another concept, that of negative protection rings, a concept as mysterious and captivating as negative resistance, negative refractive indices, negative gravitation (mirror 1), negative impedance, negative bulk moduli, and negative absolute temperature; a concept so exotic that I had neither conceived of it, nor would I ever so much as have considered it, but for its derivation by formal reasoning. Truly compelling, but I digress.

The idea of negative protection rings has, in fact, long been considered academically; considered, that is. The incredible resources required to properly exploit these lower rings (i.e., with a fully functioning rootkit) ensure that such exploits are rarely within reach of the academic community.


The first negative protection ring is, in the simplest of terms, a mechanism explicitly designed to operate outside of the operating system’s reach, but not explicitly designed to do so maliciously. Ring -1 is the privilege level of the hypervisor: hardware support intended to allow OS virtualization at tolerable speeds. The hypervisor’s job is to present a convincing image of real hardware to each virtualized ‘guest’ OS, allowing the hypervisor (the ‘host’) to share a single physical computer among multiple guests. If several OSs were to (try to) share control of the same hardware without a hypervisor, they’d all crash and burn.

To do this properly, the hypervisor needs complete control over the system, and needs to trap (intercept) anything privileged that the guest OS attempts, then decide what to do to satisfy the guest’s perception of a physical computer where there is none, without modifying the physical hardware or disturbing any other guest. Formally, the specification for proper virtualization is known as the “Popek and Goldberg virtualization requirements”, which in principle also allows for recursive virtualization. Intel implements hardware-assisted virtualization under the name VT-x, and AMD under AMD-V. In VT-x terms the hypervisor runs in VMX root mode while the guest kernel still runs at ring 0, in VMX non-root mode; sensitive instructions (CPUID, for one) cause a VM exit into the hypervisor, which is exactly the hook a hypervisor-level rootkit uses to lie to the OS about what it sees.

Known hypervisor-level rootkits: Vitriol (VT-x), SubVirt (built on an off-the-shelf VMM rather than hardware virtualization), Blue Pill (originally AMD-V, later ported to VT-x)
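The trapping described above cuts both ways: the guest cannot avoid the VM exit, and a hypervisor-level rootkit cannot avoid taking it. The following is an added example, not code from the original post, of how one checks for a ring -1 occupant from inside the OS. It reads the CPUID hypervisor-present bit and vendor leaf, which only a cooperative hypervisor sets, and measures the latency of CPUID with RDTSC, which a Blue Pill style hypervisor cannot hide because every CPUID under VT-x/AMD-V is a VM exit. The leaf numbers and vendor strings are the documented ones; the latency threshold is environment dependent, so the example reports it rather than judging it.

```c
/* Added example (not from the original post): is something sitting in ring -1?
 * Signal 1: CPUID.1:ECX bit 31 ("hypervisor present", reserved-zero on bare
 *           metal) and the 12-byte vendor id that leaf 0x40000000 returns in
 *           EBX:ECX:EDX ("KVMKVMKVM", "VMwareVMware", "Microsoft Hv", ...).
 * Signal 2: the cost of CPUID in TSC ticks. CPUID always VM-exits under
 *           VT-x/AMD-V, so it is far slower under a hypervisor; this is the
 *           "red pill" style check and works even if the bit is hidden.
 * The decode helpers are pure so they can be exercised on constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define CPUID_HV_VENDOR_LEAF 0x40000000u

/* CPUID.1:ECX[31] is the hypervisor-present bit. */
int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Pack four characters the way the CPU returns them in a register (little-endian). */
uint32_t pack_le(const char s[4])
{
    return (uint32_t)(uint8_t)s[0] | ((uint32_t)(uint8_t)s[1] << 8) |
           ((uint32_t)(uint8_t)s[2] << 16) | ((uint32_t)(uint8_t)s[3] << 24);
}

/* Unpack the 12-byte vendor id spread over EBX, ECX, EDX into a C string. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

#if HAVE_CPUID
/* Minimum observed cost of CPUID in TSC ticks over many samples; the minimum
 * filters out interrupts. Bare metal is typically in the low hundreds of
 * ticks, a VM exit round-trip usually thousands. Reported, not judged. */
uint64_t cpuid_min_latency(void)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < 256; i++) {
        uint32_t a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        if (t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
}

/* Returns 1 and fills `vendor` if a hypervisor advertises itself, else 0. */
int probe_hypervisor(char vendor[13])
{
    uint32_t a, b, c, d;
    vendor[0] = '\0';
    __cpuid(1, a, b, c, d);
    if (!hypervisor_bit_set(c))
        return 0;
    /* __get_cpuid() rejects leaves above the basic maximum, so use the raw macro. */
    __cpuid(CPUID_HV_VENDOR_LEAF, a, b, c, d);
    hv_vendor_string(b, c, d, vendor);
    return 1;
}
#endif

int main(void)
{
#if HAVE_CPUID
    char vendor[13];
    int hv = probe_hypervisor(vendor);
    printf("hypervisor bit: %d  vendor: \"%s\"\n", hv, vendor);
    printf("min CPUID latency: %llu TSC ticks\n",
           (unsigned long long)cpuid_min_latency());
#else
    puts("not an x86 build; CPUID probe skipped");
#endif
    return 0;
}
```

Build it with any C compiler on an x86 host and run it. Neither signal is proof on its own: a hypervisor can clear the bit and leave the vendor leaf empty, and a sufficiently careful one can also offset the TSC, which is why timing-based detection that matters should be checked against an external clock rather than RDTSC alone.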


The second negative protection ring is where things get murky for software-only people (not me). This is where the firmware and microcode of individual components, and the mysterious ‘System Management Mode’, come into play.

For the non-hardware people: there are between 5 and 20 ‘computers’ in a given consumer PC. Many of these are microcontrollers, often stylized ‘µC’; there’s one in your mouse, your keyboard, your touchpad, your hard drive, your laptop’s battery (yes, there is!), your SD card slot, your USB ports, your webcam, your fingerprint reader, the embedded hardware real-time clock, your laptop’s freefall sensor (an accelerometer), and your screen (probably several).

These are barely computers, insofar as they have minimal processing capacity: the µC in your mouse or touchpad probably lacks a memory management unit, while the webcam and the screen probably have far more sophisticated (albeit specialized) integrated circuits to handle their complex jobs. Each µC has firmware, and that firmware is an unavoidable attack surface: if it can be exploited or rewritten, the result survives hard drive formatting, BIOS reflashing, and anything else short of explicitly reprogramming the device. Of course, this firmware is rarely updated, and users never find the time to reflash these devices.

In the 1980s/1990s these functions were often implemented in discrete logic chips, probably the still-famous 74xx series, packed as tightly as through-hole construction allowed. With hardwired logic like the 74xx series, any bugs found after manufacturing are permanent; with firmware they are fixable, but by the same token the firmware is rewritable by anyone who can reach it.

There are far more complex processors embedded in your sound card, your graphics card, and your wired/wireless networking card. These also have firmware, usually extremely complex firmware. Network card firmware can include an entire TCP/IP stack, so the card can take on the computationally intensive parts of networking on the host’s behalf. The firmware that controls each device IS NOT THE DRIVER. The software you install when updating NVIDIA drivers is on the OS side; it lets the OS communicate with the embedded processors in your graphics/sound/networking card, and does not by itself replace what runs on them.

Not all of these devices are publicly and properly documented, so they may have vulnerabilities far worse than those known. Even worse, there is a chance that they have back doors. These integrated circuits will likely remain undocumented. Reverse engineering of integrated circuits is a truly beautiful, a truly fascinating, a truly awe-inspiring process, but also a truly painstaking, truly dangerous, and otherwise impossibly hard task. The (linked) chips shown there are some of the simplest chips, nowhere near the complexity of modern ICs.

There are a few companies that specialize in reverse engineering; Chipworks is one, but their reports are damned expensive. The bottom report here is ~$25,000! It’s a shame, because what they DO release is incredible.

This is the level where the mythical System Management Mode reigns king. System Management Mode does some of the things that ring -3 handles, but SMM lives in the processor itself: it is a CPU operating mode, entered on a System Management Interrupt, whose code and data sit in SMRAM that the OS cannot see once the chipset has locked it. If you want to debug this stuff, you’ll need some logic analyzers and ridiculously tiny FET-amplified probes.

BIOS malware lurks around this ring, but because legacy (pre-UEFI) booting verifies nothing it loads, such malware controls the system long before the protection rings become relevant. These are often known as ‘bootkits’, as they hook into the OS at boot time. The BIOS is usually stored on a small flash chip (on desktop computers, often a socketed 8-pin DIP part), and is updated more often (albeit still rarely) than firmware for other devices. On desktops the chip is rarely soldered to the motherboard; instead it sits in a DIP socket, held firmly by friction, and this makes it easy to reflash the BIOS with an Arduino and a breadboard. Reflashing with an Arduino and a breadboard, that is, with an external programmer, is the more trustworthy route if the BIOS itself may be infected: normally reflashing involves booting into the infected BIOS, leaving the BIOS-embedded malware in charge of reflashing itself (bad idea). The same goes for reading the chip out: a dump taken from inside a compromised system may itself be a lie, whereas an external programmer reads the chip directly.

Exploits HAVE been demonstrated in an academic environment against this embedded firmware, but rarely in the wild. BadBIOS, assuming its existence, probably operates at this level.

Correction: This kind of rootkit DOES exist, under a different name: laptop anti-theft software. Computrace LoJack is software which appears to be installed at

-3 and Beyond the Infinite

Protection ring negative three is where the nastiest demons hide. This ring is the chipset itself, that is, the set of components that collectively manages data flow between the processor, memory, and peripherals. A little more than 4 years ago, the Invisible Things Lab demonstrated a working ring -3 exploit, demonstrating code injection into the chipset’s embedded management processor and scary remote management.

They also discovered that some ring -3 code would execute even if Active Management Technology/Management Engine is disabled in the BIOS.

They also discovered a bit of irony: Intel’s rootkit detection method exposes another route for rootkits to dig their tentacles into the hardware.

In the years since their presentation, the Invisible Things Lab has developed a number of hardware-level exploits to circumvent Intel’s other defenses (Trusted Execution Technology, VT-d, Authenticated Code Modules, among others). Most interestingly, they also point to some work by Loïc Duflot and Yves-Alexis Perez that achieves remote exploitation of a network card’s firmware (a buffer overflow in its remote-management code), sidestepping the ‘disabled’ state of remote management. From the card they demonstrate compromise of the host through the card’s DMA access over the PCI bus it is connected to.

Did I mention that this whole ring is invisible not just to the OS, but also to the CPU itself? The Management Engine is a separate processor in the chipset, with its own firmware and its own path to the network. Another presentation, by Igor Skochinsky, fantastically details more recent Management Engine technologies and capabilities, namely: remote administration, remote configuration, remote repair, remote keyboard + video + mouse (KVM), IDE redirection (IDE-R: yes, the ATA storage interface!), serial over LAN (SOL, for out-of-band management), remote boot from network CD/HDD images, and Intel Anti-Theft (remote nuke; uses a cell connection if available).
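Those capabilities are reachable over the network once the ME has been provisioned, and they answer independently of the host OS. The following is an added example, not code from the original post: a small probe that connects to the AMT web interface and reports the version it advertises. It assumes AMT’s well-known ports (16992 for HTTP, 16993 for TLS) and that the interface identifies itself with a “Server: Intel(R) Active Management Technology <version>” header; the sample responses in the comments are constructed, not captured.

```c
/* Added example (not from the original post): does this host's Management
 * Engine expose the Intel AMT web interface? Assumes AMT listens on TCP 16992
 * (HTTP) / 16993 (HTTPS) and answers with a header of the form
 *   Server: Intel(R) Active Management Technology 9.1.40
 * Because the ME runs below and beside the host OS, a positive answer is
 * visible even when the OS has AMT "disabled" or the machine is powered off.
 * A negative answer proves little: an unprovisioned ME does not listen. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

#define AMT_MARKER "Active Management Technology"

/* Extract the AMT version from a raw HTTP response. Returns 1 and copies the
 * version into `version` when the banner is present in the headers, else 0. */
int parse_amt_banner(const char *resp, char *version, size_t vlen)
{
    const char *hdr_end = strstr(resp, "\r\n\r\n");
    const char *m = strstr(resp, AMT_MARKER);
    if (m == NULL || (hdr_end != NULL && m > hdr_end))
        return 0;                           /* absent, or only in the body */
    m += strlen(AMT_MARKER);
    while (*m == ' ')
        m++;
    size_t n = 0;
    while (m[n] != '\0' && m[n] != '\r' && m[n] != '\n' && n + 1 < vlen)
        n++;
    if (n == 0)
        return 0;                           /* marker with no version after it */
    memcpy(version, m, n);
    version[n] = '\0';
    return 1;
}

/* Connect, send a minimal GET /, read the reply, parse it.
 * Returns 1 if AMT answered, 0 if something else answered, -1 on I/O failure. */
int probe_amt(const char *host, const char *port, char *version, size_t vlen)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0)
        return -1;

    char req[256];
    int len = snprintf(req, sizeof req, "GET / HTTP/1.0\r\nHost: %s\r\n\r\n", host);
    if (len <= 0 || write(fd, req, (size_t)len) != len) {
        close(fd);
        return -1;
    }
    char buf[4096];
    size_t got = 0;
    ssize_t r;
    while (got < sizeof buf - 1 &&
           (r = read(fd, buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)r;
    buf[got] = '\0';
    close(fd);
    return parse_amt_banner(buf, version, vlen);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <host> [port]\n", argv[0]);
        return 2;
    }
    const char *port = argc > 2 ? argv[2] : "16992";
    char version[64];
    int rc = probe_amt(argv[1], port, version, sizeof version);
    if (rc == 1)
        printf("%s:%s  Intel AMT %s exposed\n", argv[1], port, version);
    else if (rc == 0)
        printf("%s:%s  open, but not AMT\n", argv[1], port);
    else
        printf("%s:%s  no connection\n", argv[1], port);
    return rc == 1 ? 0 : 1;
}
```

Run it as `./amtprobe 192.0.2.10` (a documentation address; substitute a real host on a network you are allowed to scan). A hit means the chipset is listening whether or not the OS knows about it; a miss says nothing about whether ME firmware is present, only that nothing is answering on that port.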


Igor is able to extract OS info from the Management Engine firmware (it runs the ThreadX RTOS), discovers a number of hidden APIs, a manufacturing/update path for the Management Engine firmware (“Host ME Region Flash Protection Override”, which temporarily lets the host write the otherwise locked ME region of the flash), and a number of security features implemented in the time since the Invisible Things Lab’s presentation. It’s clear he’s an incredible reverse engineer.
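The override Igor describes is a question of who may write which part of the SPI flash, and that policy is recorded in the flash descriptor at the start of the chip, the same image one would dump with the external programmer described in the BIOS section above. The following is an added example, not code from the original post or from Igor’s slides: it parses the descriptor, locates the ME region and reports whether the host CPU/BIOS master may read or write it. The register layout follows the classic Intel flash descriptor format (signature 0x0FF0A55A at offset 0x10, FLMAP0/FLMAP1, the FLREG region table and the FLMSTR master table, with per-region read bits at 16..20 and write bits at 24..28); the sample descriptor is constructed, both in a locked configuration and in an unlocked one where the host may rewrite the ME firmware.

```c
/* Added example, not code from the original post: parse the Intel flash
 * descriptor at the start of a SPI flash image (e.g. one dumped with an
 * external programmer), locate the ME region and report which flash masters
 * (host CPU/BIOS, ME, GbE) may read or write each region. Classic layout:
 * signature 0x0FF0A55A at 0x10, FLMAP0/FLMAP1, FLREGn region table,
 * FLMSTRn master table. build_sample_image() is a constructed descriptor. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFD_SIGNATURE 0x0FF0A55Au
enum { REG_DESC, REG_BIOS, REG_ME, REG_GBE, REG_PDR, REG_COUNT };
enum { MASTER_HOST, MASTER_ME, MASTER_GBE, MASTER_COUNT };

struct ifd_info {
    uint32_t base[REG_COUNT], limit[REG_COUNT];      /* bytes, limit inclusive */
    uint8_t read_mask[MASTER_COUNT], write_mask[MASTER_COUNT]; /* bit i = region i */
};

static uint32_t rd32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}
static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}

/* Returns 0 and fills *out on success, -1 if no valid descriptor is found. */
int ifd_parse(const uint8_t *img, size_t len, struct ifd_info *out)
{
    const size_t fd = 0x10;                 /* descriptor block starts here */
    if (len < 0x1000 || rd32(img, fd) != IFD_SIGNATURE) return -1;
    uint32_t flmap0 = rd32(img, fd + 4), flmap1 = rd32(img, fd + 8);
    size_t frba = (size_t)((flmap0 >> 16) & 0xffu) << 4;   /* region table */
    size_t fmba = (size_t)(flmap1 & 0xffu) << 4;           /* master table */
    if (frba + 4 * REG_COUNT > len || fmba + 4 * MASTER_COUNT > len) return -1;
    memset(out, 0, sizeof *out);
    for (int i = 0; i < REG_COUNT; i++) {
        uint32_t r = rd32(img, frba + 4 * (size_t)i);
        /* Older descriptors use 12-bit fields with the high bits zero, so the
         * 15-bit mask decodes both generations. */
        out->base[i]  = (r & 0x7fffu) << 12;
        out->limit[i] = (((r >> 16) & 0x7fffu) << 12) | 0xfffu;
    }
    for (int m = 0; m < MASTER_COUNT; m++) {
        uint32_t s = rd32(img, fmba + 4 * (size_t)m);
        out->read_mask[m]  = (uint8_t)((s >> 16) & 0x1fu);   /* bits 16..20 */
        out->write_mask[m] = (uint8_t)((s >> 24) & 0x1fu);   /* bits 24..28 */
    }
    return 0;
}

/* A region is unused when its base lies above its limit. */
int ifd_region_used(const struct ifd_info *i, int r) { return i->base[r] <= i->limit[r]; }
int ifd_can_read(const struct ifd_info *i, int m, int r) { return (i->read_mask[m] >> r) & 1; }
int ifd_can_write(const struct ifd_info *i, int m, int r) { return (i->write_mask[m] >> r) & 1; }

/* Constructed 4 KiB descriptor block for a 16 MiB part. With `locked` the host
 * master can neither read nor write the ME region (nor write the descriptor);
 * without it the host may write everything, including the ME firmware. */
void build_sample_image(uint8_t img[4096], int locked)
{
    static const uint32_t regions[REG_COUNT] = {
        0x00000000u, /* descriptor 0x000000-0x000fff */
        0x0fff0700u, /* BIOS       0x700000-0xffffff */
        0x06ff0003u, /* ME         0x003000-0x6fffff */
        0x00020001u, /* GbE        0x001000-0x002fff */
        0x00007fffu, /* PDR        unused             */
    };
    const uint32_t masters[MASTER_COUNT] = {
        locked ? 0x1a1b0000u : 0x1f1f0000u, /* host CPU/BIOS                   */
        0x04050000u,                        /* ME:  reads desc+ME, writes ME   */
        0x08090000u,                        /* GbE: reads desc+GbE, writes GbE */
    };
    memset(img, 0xff, 4096);                /* erased flash */
    wr32(img, 0x10, IFD_SIGNATURE);
    wr32(img, 0x14, 0x04040003u);           /* FLMAP0: FRBA = 0x40 */
    wr32(img, 0x18, 0x00100206u);           /* FLMAP1: FMBA = 0x60 */
    for (int i = 0; i < REG_COUNT; i++) wr32(img, 0x40 + 4 * (size_t)i, regions[i]);
    for (int m = 0; m < MASTER_COUNT; m++) wr32(img, 0x60 + 4 * (size_t)m, masters[m]);
}

/* With a file argument, inspect the first 4 KiB of a dumped image; otherwise
 * print the constructed locked sample. */
int main(int argc, char **argv)
{
    static const char *names[REG_COUNT] = { "Descriptor", "BIOS", "ME", "GbE", "PDR" };
    uint8_t img[4096];
    struct ifd_info info;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (argc > 1 && (f == NULL || fread(img, 1, sizeof img, f) != sizeof img)) {
        perror(argv[1]);
        return 1;
    }
    if (f == NULL) build_sample_image(img, 1); else fclose(f);
    if (ifd_parse(img, sizeof img, &info) != 0) {
        fputs("no flash descriptor found\n", stderr);
        return 1;
    }
    for (int r = 0; r < REG_COUNT; r++) {
        if (!ifd_region_used(&info, r)) { printf("%-10s unused\n", names[r]); continue; }
        printf("%-10s 0x%06x-0x%06x  host:%c%c\n", names[r],
               (unsigned)info.base[r], (unsigned)info.limit[r],
               ifd_can_read(&info, MASTER_HOST, r) ? 'r' : '-',
               ifd_can_write(&info, MASTER_HOST, r) ? 'w' : '-');
    }
    return 0;
}
```

Run it with no arguments for the constructed locked sample, or with a dumped image to read the real descriptor. If the host master shows write access to the ME region, anything with ring 0 on that machine can rewrite the ME firmware with ordinary SPI programming; a locked descriptor denies that even to ring 0, which is exactly why a host-side override mechanism is worth knowing about. Later platforms revised the master table bit layout, so this decodes only the older format.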

I thought Hex-Rays was a person for a few minutes there ;)

Oh, that’s why he’s such a good reverse engineer!

This is where the NSA’s office of Tailored Access Operations enters the stage.

In a number of recently leaked NSA/CSS (Central Security Service) slides, the following methods of exploitation and persistence appear: BIOS/System Management Mode implants (DEITYBOUNCE, IRONCHEF, SCHOOLMONTANA, SIERRAMONTANA, SOUFFLETROUGH, STUCCOMONTANA, SWAP), PCI implants (GINSU), firmware/ROM implants (HEADWATER, IRATEMONK), I²C implants (WAGONBED), generic microcontroller implants (JUNIORMINT, MAESTRO-II, TRINITY), and USB implants (COTTONMOUTH).


System Management Mode implant DEITYBOUNCE

System Management Mode implant IRONCHEF

System Management Mode implant SCHOOLMONTANA

System Management Mode implant SIERRAMONTANA

BIOS (bootkit?) implant SOUFFLETROUGH

System Management Mode implant STUCCOMONTANA

BIOS (bootkit?) implant SWAP

Microcontroller implant TRINITY – NOTE the ~$6K pricetag

PCI implant GINSU



Hard drive FIRMWARE implant IRATEMONK

Microcontroller implant JUNIORMINT

Microcontroller implant MAESTRO-II. Note the $4k pricetag.




mirror 1: (online: PDF, mirror: gravitationallyRepulsiveDomainWall)

Host-based over the Internet Provisioning

Zero-touch over the Internet Provisioning


Requiring hardware tap = need low-level access to support serial over Ethernet?

Politics & morality aside, TAO is pretty damned cool

CS6143, CS3204: Operating Systems

~ by Alexander Riccio on January 19, 2014.
