Braindump: QUANTUMINSERT staring us right in our face? Intel Management Engine as the ultimate backdoor

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.

–EricLaw [ex-MSFT]

This post is a “brain dump” as described by the Microsoft support team. I’m attempting to publish many an article held back by perfectionism, and to publish time-sensitive ideas; special thanks to my first semester freshman year writing teacher, anybody

THIS PAGE WILL BE COMPLETED IN THE NEXT FEW DAYS! WORK IN PROGRESS! UPDATE:NEARING COMPLETION

I’ve been thinking about the NSA’s office of Tailored Office Operations, and how some of their exploits may work.

I’ve known for years that Intel’s Management Engine is a persistent bastard. It hitches on to many intel drivers and associated control applets. It can be remotely installed. Online “Store-bought” (preconfigured) computers offer the Management Engine as a feature for computers sold without an operating system. I didn’t understand that last bit (without an OS), but I figured that it was some ugly BIOS + OS magic that I didn’t yet understand. I only grasped the significance of the Management Engine a few days ago.

Over Winter Break, I’ve been busy catching up on reading. Particularly on Computer organization, Processor microarchitecture, Translation Lookaside Buffers, page tables, processor datapaths & codepaths, kernel design, protection rings, the interaction of the kernel & the processor, and other really low-level things.

Yesterday I caught up on another concept, that of negative protection rings, a concept mysterious and captivating as negative resistance, negative refraction indices, negative gravitation (mirror 1), negative impedance, negative bulk moduli, and negative absolute temperature; a concept so exotic that I had neither conceived, nor would I ever so much as consider-but for derivation by formal reasoning. Truly compelling, but I digress.

The idea of negative protection rings has, in fact, long been considered academically – considered that is. The incredible resources required to actually properly exploit (i.e. fully functioning rootkit) these lower rings ensures that said exploits are never within reach of the academic community.

-1

The first negative protection ring is, in simplest of terms, a mechanism explicitly designed to operate outside of the operating system’s reach, but not explicitly designed to do so maliciously. Ring -1 is hardware acceleration intended to allow OS virtualization at tolerable speeds, and in this role it is known as a Hypervisor. As a Hypervisor it’s job is to present a convincing image of actual hardware to the virtualized ‘guest’ OS, allowing the Hypervisor (the ‘host’) to share a single physical computer among multiple guest OSs. If each OS were to (try to) share control of the same hardware without a Hypervisor, they’d all crash and burn.

To properly do this, the Hypervisor needs complete control over the system, and needs to trap (‘patch in to’ & ‘intercept’) anything that happens in the guest OS, then deciding what it needs to do to satisfy the guest’s perception of a physical computer where there is none, without modifying the physical hardware OR any aspect of possible other guests. Formally, the specifications for proper virtualization are known as the “Popek and Goldberg virtualization requirements”, and theoretically allow for recursive virtualization. Intel implements hardware accelerated virtualization under the name VT-x, and AMD under AMD-V.

Known VT-x rootkits: Vitriol, SubVirt, BluePill

-2

The second negative protection ring is where things get murky for software-only people (not me). This is where the firmware and microcode of individual components, and the mysterious ‘System management mode’ are concerned.

For the non-hardware people, there are between 5 and 20 ‘computers’ in a given consumer PC. Many of these are microcontrollers, often stylized ‘µC’; there’s one in your mouse, your keyboard, your touchpad, your hard drive, your laptop’s battery (yes, there is!), your SD card slot, your USB ports, your webcam, your fingerprint reader, the embedded hardware Real Time Clock , your laptop’s freefall sensor (an accelerator), and your screen (probably several).

These are not computers insofar as they have minimal processing capacity the µC in your mouse/touchpad probably lacks a Memory Management Unit, the webcam & the screen probably have far more sophisticated (albeit specialized) integrated circuits to handle their complex jobs. Each µC has firmware, an unavoidable design flaw that is exploitable. This firmware will survive hard drive formatting, BIOS reflashing, and anything else except for explicitly reprogramming their firmware. Of course, this firmware is rarely updated, and and users never find the time to reflash these devices.

In the 1980s/1990s these functions were often implemented in discrete logic chips, probably the still-famous 74xx series, and were packed as tightly as the through-hole construction could be packed. However, with a hardware based design like the 74xx series, any possible bugs found after manufacturing are permanent.

There are far more complex processors embedded in your soundcard, your graphics card, and your wired/wireless networking card. These also have firmware, usually extremely complex firmware. Network card firmware can have an entire TCP networking stack, so they can take on the computationally intensive task that is networking. The firmware that controls each device ARE NOT DRIVERS. The software you install when updating NVIDIA drivers is on the OS side, to allow the OS to communicate with the embedded processors in your graphics/sound/networking card.

Not all of these devices are publicly & properly documented, so they may have vulnerabilities far worse than are known. Even worse, there is a chance that they have back doors. These integrated circuits will likely remain undocumented. Reverse engineering of integrated circuits is a truly beautiful, a truly fascinating, a truly awe-inspiring process – but also a truly painstaking, truly dangerous, and otherwise impossibly hard task. THOSE (the linked) chips are some of the simplest chips, nowhere near the beauty of modern ICs.

There are a few companies that specialize in reverse engineering, Chipworks is one, but their reports are damned expensive. The bottom report here is ~$25000! It’s a shame, what they DO release is incredible.

This is the level where the mythical System Management Mode reigns king. System management mode does some of the things that ring negative three handles, but System Management Mode is more so at the physical processor hardware level. If you want to debug this stuff, you’ll need some logic analyzers and ridiculously tiny FET-amplified probes.

BIOS malware lurks around this ring – but because of the insecurity of pre-UEFI booting, it controls the system long before the protection rings become relevant. These are often known as ‘bootkits’, as they hook into the OS at boot time. The BIOS is usually stored on an 8 pin DIP ROM (desktop computers), and is updated more (albeit still rarely) often than firmware for other devices. The chip itself is rarely soldered to the motherboard (again, desktop computers), and instead it sits in a DIP socket, held firmly by friction; this makes it easy to reflash the BIOS with an arduino and a breadboard. Reflashing with an arduino and a breadboard can be more trustworthy if the BIOS itself is infected, as normally reflashing involves booting into the infected BIOS and thereby the BIOS embedded malware is in charge of reflashing itself (bad idea).

~~Exploits HAVE been demonstrated in an academic environment utilizing the embedded firmware, but rarely in the wild. BadBIOS, assuming it’s existence, probably operates at this level.~~

Correction: This kind of rootkit DOES exist, under a different name; laptop anti-theft software. Computrace Lojack is software which appears to be installed at

-3 and Beyond the Infinite

Protection ring negative three is where the nastiest demons hide. This ring is the chipset itself- that is, the set of components that collectivley manages data flow between components. A little more than 4 years ago, The Invisible things Lab demonstrated a working ring -3 exploit, demonstrating code injection and scary remote management.

This slideshow requires JavaScript.

They also discovered that some ring -3 code would execute even if Active Management Technology/Management Engine is disabled in the BIOS.

They also discover a bit of irony: Intel’s rootkit detection method exposes another route for rootkits to dig their tentacles into the hardware.

In the years since their presentation, The Invisible Things Lab has developed a number of hardware-level exploits to circumvent Intel’s other defenses (Trusted Execution Technology, VT-D, Authenticated Code modules, among others). Most interestingly, they also point to some work by Loic Duflot & Yves-Alexis Perez that achieves remote exploitation of a network card’s firmware (a buffer overflow), and circumvent the disabled state of remote management. They demonstrate compromise of the host via the PCI bus that the network card is connected to.

This slideshow requires JavaScript.

Did I mention that this whole ring is invisible to not just the OS, but also the CPU itself! Another presentation, by Igor Skochinsky, fantastically details more recent Management Engine technologies & capabilities, namely: Remote administration, remote configuration, remote repair, remote keyboard + video + mouse, IDE redirection (yes, the ATA storage interface!), serial over LAN (Out-of-band management), remote boot to network CD/HDD images, and Intel anti-theft (remote nuke, uses cell connection if available).

This slideshow requires JavaScript.

Igor is able to extract OS info from the Management Engine chip (ThreadX RTOS), discovers a number of hidden APIs, a factory mode for updating Management Engine software (“Host ME Region Flash Protection Override”), and a number of security features implemented in the time since The Invisible Things Lab’s presentation. It’s clear he’s an incredible Reverse engineer.

I thought Hex-Rays was a person for a few minutes there ;)

Oh, that’s why he’s such a good reverse engineer!

This is where the NSA’s office of Tailored Access Operations enters the stage.

In a number of recently-leaked NSA/CSS (Central Security Service) slides, methods of exploitation and persistence – System Management Mode (DEITYBOUNCE, IRONCHEF, SCHOOLMONTANA, SIERRAMONTANA, SOUFFLETROUGH, STUCCOMONTANA, SWAP), PCI implants (GINSU), firmware/ROM implants (HEADWATER, IRATEMONK,), I²C implants(WAGONBED), generic microcontroller implants(JUNIORMINT, MAESTRO-II,TRINITY), and USB implants (COTTONMOUTH).