Braindump: QUANTUMINSERT staring us right in our face? Intel Management Engine as the ultimate backdoor

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.

EricLaw [ex-MSFT]

This post is a “brain dump” as described by the Microsoft support team. I’m attempting to publish many an article held back by perfectionism, and to publish time-sensitive ideas; special thanks to my first semester freshman year writing teacher, anybody

THIS PAGE WILL BE COMPLETED IN THE NEXT FEW DAYS! WORK IN PROGRESS! UPDATE:NEARING COMPLETION

I’ve been thinking about the NSA’s office of Tailored Access Operations, and how some of their exploits may work.

I’ve known for years that Intel’s Management Engine is a persistent bastard. It hitches on to many Intel drivers and associated control applets. It can be remotely installed. Online “store-bought” (preconfigured) computers offer the Management Engine as a feature even for computers sold without an operating system. I didn’t understand that last bit (without an OS), but I figured it was some ugly BIOS + OS magic that I didn’t yet understand. I only grasped the significance of the Management Engine a few days ago.

Over winter break I’ve been busy catching up on reading, particularly on computer organization, processor microarchitecture, translation lookaside buffers, page tables, processor datapaths and codepaths, kernel design, protection rings, the interaction of the kernel and the processor, and other really low-level things.

Yesterday I caught up on another concept, that of negative protection rings, a concept as mysterious and captivating as negative resistance, negative refractive indices, negative gravitation (mirror 1), negative impedance, negative bulk moduli, and negative absolute temperature; a concept so exotic that I had neither conceived of it, nor would I ever so much as have considered it, but for derivation by formal reasoning. Truly compelling, but I digress.

The idea of negative protection rings has, in fact, long been considered academically – considered, that is. The incredible resources required to actually exploit these lower rings properly (i.e. with a fully functioning rootkit) ensure that such exploits are never within reach of the academic community.

-1

The first negative protection ring is, in the simplest of terms, a mechanism explicitly designed to operate outside of the operating system’s reach, but not explicitly designed to do so maliciously. Ring -1 is hardware acceleration intended to allow OS virtualization at tolerable speeds, and in this role it is known as a hypervisor. As a hypervisor, its job is to present a convincing image of actual hardware to the virtualized ‘guest’ OS, allowing the hypervisor (the ‘host’) to share a single physical computer among multiple guest OSes. If each OS were to (try to) share control of the same hardware without a hypervisor, they’d all crash and burn.

To do this properly, the hypervisor needs complete control over the system, and needs to trap (‘patch into’ and ‘intercept’) anything that happens in the guest OS, then decide what it must do to satisfy the guest’s perception of a physical computer where there is none, without modifying the physical hardware or any aspect of the other possible guests. Formally, the specifications for proper virtualization are known as the “Popek and Goldberg virtualization requirements”, and they theoretically allow for recursive virtualization. Intel implements hardware-accelerated virtualization under the name VT-x, and AMD under AMD-V.

Known VT-x rootkits: Vitriol, SubVirt, BluePill
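As an added example (not code from the original post), here is a small C check of the two CPUID bits a defender looks at when reasoning about ring -1: whether the CPU advertises VT-x at all, and whether a hypervisor reports itself, along with the vendor string it returns in leaf 0x40000000. It assumes an x86 build with the GCC/Clang `<cpuid.h>` macros; the constructed register values in the comments are KVM’s well-known “KVMKVMKVM” signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang header: provides the __cpuid(leaf, a, b, c, d) macro */
#endif

/* CPUID.01H:ECX bit 5 = VMX (VT-x) supported; bit 31 = "hypervisor present". */
#define CPUID_ECX_VMX        (1u << 5)
#define CPUID_ECX_HYPERVISOR (1u << 31)

int vmx_supported(uint32_t leaf1_ecx)      { return (leaf1_ecx & CPUID_ECX_VMX) != 0; }
int hypervisor_present(uint32_t leaf1_ecx) { return (leaf1_ecx & CPUID_ECX_HYPERVISOR) != 0; }

/* Decode the 12-byte vendor string that leaf 0x40000000 returns in EBX, ECX, EDX,
 * lowest byte of each register first. 'out' must hold at least 13 bytes.
 * Constructed sample: EBX=0x4B4D564B ECX=0x564B4D56 EDX=0x0000004D -> "KVMKVMKVM". */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char *out) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Query the live CPU. Returns 0 when this is not an x86 build (no CPUID). */
int query_cpu(int *vmx, int *hv, char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);                 /* leaf 1: feature flags */
    *vmx = vmx_supported(c);
    *hv  = hypervisor_present(c);
    if (*hv) {                              /* leaf 0x40000000 is only meaningful under a hypervisor */
        __cpuid(0x40000000, a, b, c, d);
        decode_hv_vendor(b, c, d, vendor);
    }
    return 1;
#else
    *vmx = 0; *hv = 0;
    return 0;
#endif
}

int main(void) {
    int vmx = 0, hv = 0; char vendor[13];
    if (!query_cpu(&vmx, &hv, vendor)) { puts("CPUID not available on this build target"); return 1; }
    printf("VT-x (VMX) reported: %s\n", vmx ? "yes" : "no");
    printf("Hypervisor present bit: %s%s%s\n", hv ? "set" : "clear", hv ? ", vendor: " : "", vendor);
    return 0;
}
```

A hypervisor in the BluePill mould intercepts CPUID and can clear the bit or forge the vendor string, so a clear bit is evidence of nothing; this check only catches cooperative hypervisors, which is precisely the ring -1 detection problem the post describes.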

-2

The second negative protection ring is where things get murky for software-only people (not me). This is where the firmware and microcode of individual components, and the mysterious ‘System management mode’ are concerned.

For the non-hardware people: there are between 5 and 20 ‘computers’ in a given consumer PC. Many of these are microcontrollers, often stylized ‘µC’; there’s one in your mouse, your keyboard, your touchpad, your hard drive, your laptop’s battery (yes, there is!), your SD card slot, your USB ports, your webcam, your fingerprint reader, the embedded hardware Real Time Clock, your laptop’s freefall sensor (an accelerometer), and your screen (probably several).

These are not computers insofar as they have minimal processing capacity: the µC in your mouse/touchpad probably lacks a Memory Management Unit, while the webcam and the screen probably have far more sophisticated (albeit specialized) integrated circuits to handle their complex jobs. Each µC has firmware, an unavoidable design flaw that is exploitable. This firmware will survive hard drive formatting, BIOS reflashing, and anything else short of explicitly reprogramming it. Of course, this firmware is rarely updated, and users never find the time to reflash these devices.

In the 1980s/1990s these functions were often implemented in discrete logic chips, probably the still-famous 74xx series, packed as tightly as through-hole construction allowed. However, with a hardware-based design like the 74xx series, any bugs found after manufacturing are permanent.

There are far more complex processors embedded in your soundcard, your graphics card, and your wired/wireless networking card. These also have firmware, usually extremely complex firmware. Network card firmware can contain an entire TCP networking stack, so the card can take on the computationally intensive task that is networking. The firmware that controls each device is NOT a driver. The software you install when updating NVIDIA drivers lives on the OS side, to allow the OS to communicate with the embedded processors in your graphics/sound/networking card.

Not all of these devices are publicly and properly documented, so they may have vulnerabilities far worse than those known. Even worse, there is a chance that they have back doors. These integrated circuits will likely remain undocumented. Reverse engineering of integrated circuits is a truly beautiful, truly fascinating, truly awe-inspiring process – but also a truly painstaking, truly dangerous, and otherwise impossibly hard task. THOSE (the linked) chips are some of the simplest chips, nowhere near the beauty of modern ICs.

There are a few companies that specialize in reverse engineering, Chipworks being one, but their reports are damned expensive. The bottom report here is ~$25,000! It’s a shame; what they DO release is incredible.

This is the level where the mythical System Management Mode reigns. System Management Mode does some of the things that ring -3 handles, but it operates more at the physical processor hardware level. If you want to debug this stuff, you’ll need logic analyzers and ridiculously tiny FET-amplified probes.

BIOS malware lurks around this ring – but because of the insecurity of pre-UEFI booting, it controls the system long before the protection rings become relevant. Such malware is often known as a ‘bootkit’, as it hooks into the OS at boot time. The BIOS is usually stored on an 8 pin DIP ROM (desktop computers), and is updated more often (albeit still rarely) than the firmware of other devices. The chip itself is rarely soldered to the motherboard (again, desktop computers); instead it sits in a DIP socket, held firmly by friction, which makes it easy to reflash the BIOS with an Arduino and a breadboard. Reflashing with an Arduino and a breadboard is more trustworthy if the BIOS itself is infected, since normal reflashing involves booting into the infected BIOS, so the BIOS-embedded malware is in charge of reflashing itself (bad idea).

Exploits HAVE been demonstrated in academic environments utilizing embedded firmware, but rarely in the wild. BadBIOS, assuming its existence, probably operates at this level.

Correction: this kind of rootkit DOES exist, under a different name: laptop anti-theft software. Computrace LoJack is software which appears to be installed at

-3 and Beyond the Infinite

Protection ring negative three is where the nastiest demons hide. This ring is the chipset itself, that is, the set of components that collectively manages data flow between components. A little more than 4 years ago, Invisible Things Lab demonstrated a working ring -3 exploit, demonstrating code injection and scary remote management.


They also discovered that some ring -3 code would execute even if Active Management Technology/Management Engine was disabled in the BIOS.

They also discovered a bit of irony: Intel’s rootkit detection method exposes another route for rootkits to dig their tentacles into the hardware.

In the years since their presentation, Invisible Things Lab has developed a number of hardware-level exploits to circumvent Intel’s other defenses (Trusted Execution Technology, VT-d, Authenticated Code Modules, among others). Most interestingly, they also point to work by Loïc Duflot and Yves-Alexis Perez that achieves remote exploitation of a network card’s firmware (a buffer overflow) and circumvents the disabled state of remote management. They demonstrate compromise of the host via the PCI bus that the network card is connected to.


Did I mention that this whole ring is invisible not just to the OS, but also to the CPU itself! Another presentation, by Igor Skochinsky, fantastically details more recent Management Engine technologies and capabilities, namely: remote administration, remote configuration, remote repair, remote keyboard + video + mouse, IDE redirection (yes, the ATA storage interface!), serial over LAN (out-of-band management), remote boot to network CD/HDD images, and Intel Anti-Theft (remote nuke; uses a cell connection if available).


Igor is able to extract OS info from the Management Engine chip (it runs the ThreadX RTOS), discovers a number of hidden APIs, a factory mode for updating Management Engine software (“Host ME Region Flash Protection Override”), and a number of security features implemented in the time since Invisible Things Lab’s presentation. It’s clear he’s an incredible reverse engineer.

I thought Hex-Rays was a person for a few minutes there ;)

Oh, that’s why he’s such a good reverse engineer!

This is where the NSA’s office of Tailored Access Operations enters the stage.

A number of recently-leaked NSA/CSS (Central Security Service) slides describe methods of exploitation and persistence: System Management Mode implants (DEITYBOUNCE, IRONCHEF, SCHOOLMONTANA, SIERRAMONTANA, SOUFFLETROUGH, STUCCOMONTANA, SWAP), PCI implants (GINSU), firmware/ROM implants (HEADWATER, IRATEMONK), I²C implants (WAGONBED), generic microcontroller implants (JUNIORMINT, MAESTRO-II, TRINITY), and USB implants (COTTONMOUTH).

Slide captions from the gallery (the images themselves are not reproduced here):

System Management Mode implants: DEITYBOUNCE, IRONCHEF, SCHOOLMONTANA, SIERRAMONTANA, STUCCOMONTANA

BIOS (bootkit?) implants: SOUFFLETROUGH, SWAP

Microcontroller implants: TRINITY (NOTE the ~$6K price tag), JUNIORMINT, MAESTRO-II (note the $4K price tag)

PCI implant: GINSU

Firmware/ROM implant: HEADWATER

Hard drive firmware implant: IRATEMONK

USB implants: COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III

mirror 1: (online: PDF, mirror: gravitationallyRepulsiveDomainWall)

http://ark.intel.com/products/63984/Intel-BD82C602-PCH

http://www.intel.com/content/www/us/en/chipsets/c600-series-chipset-datasheet.html

http://www.dell.com/us/business/p/poweredge-t320/pd?layoutvariation=MasterPageFileVariation2

http://www.dell.com/learn/us/en/04/campaigns/servers

Host-based over the Internet Provisioning

Zero-touch over the Internet Provisioning

INTEL MANAGEMENT ENGINE IS A ROOTKIT, CAN BE REMOTELY DEPLOYED, HAS A WEBSERVER!

Requiring hardware tap = need low-level access to support serial over Ethernet?

Politics & morality aside, TAO is pretty damned cool

CS6143, CS3204: Operating Systems

~ by Alexander Riccio on January 19, 2014.
