Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve been in my “Important things to write about” queue for ~5 years. Alas, these topics are so broad and intricate that a proper treatment would take far more time than I have available at the moment.
This post is a “brain dump” as described by the Microsoft support team. I’m attempting to publish many an article held back by perfectionism, and to publish time-sensitive ideas; special thanks to my first semester freshman year writing teacher, anybody
THIS PAGE WILL BE COMPLETED IN THE NEXT FEW DAYS! WORK IN PROGRESS! UPDATE: NEARING COMPLETION
I’ve been thinking about the NSA’s office of Tailored Office Operations, and how some of their exploits may work.
I’ve known for years that Intel’s Management Engine is a persistent bastard. It hitches on to many Intel drivers and associated control applets. It can be remotely installed. Online “store-bought” (preconfigured) computers offer the Management Engine as a feature for computers sold without an operating system. I didn’t understand that last bit (without an OS), but I figured that it was some ugly BIOS + OS magic that I didn’t yet understand. I only grasped the significance of the Management Engine a few days ago.
Over Winter Break, I’ve been busy catching up on reading, particularly on computer organization, processor microarchitecture, Translation Lookaside Buffers, page tables, processor datapaths & codepaths, kernel design, protection rings, the interaction of the kernel & the processor, and other really low-level things.
Yesterday I caught up on another concept, that of negative protection rings, a concept as mysterious and captivating as negative resistance, negative refraction indices, negative gravitation (mirror 1), negative impedance, negative bulk moduli, and negative absolute temperature; a concept so exotic that I had neither conceived of it, nor would I ever so much as have considered it, but for derivation by formal reasoning. Truly compelling, but I digress.
The idea of negative protection rings has, in fact, long been considered academically – considered, that is. The incredible resources required to actually properly exploit these lower rings (i.e. a fully functioning rootkit) ensure that said exploits are never within reach of the academic community.
-1
The first negative protection ring is, in the simplest of terms, a mechanism explicitly designed to operate outside of the operating system’s reach, but not explicitly designed to do so maliciously. Ring -1 is hardware acceleration intended to allow OS virtualization at tolerable speeds, and in this role it is known as a Hypervisor. As a Hypervisor, its job is to present a convincing image of actual hardware to the virtualized ‘guest’ OS, allowing the Hypervisor (the ‘host’) to share a single physical computer among multiple guest OSs. If each OS were to (try to) share control of the same hardware without a Hypervisor, they’d all crash and burn.
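On x86 that “convincing image of hardware” is deliberately imperfect: a guest OS can ask CPUID whether a hypervisor sits beneath it and read the hypervisor’s vendor signature, which is how tools like lscpu report a “Hypervisor vendor”. The following is an added example, not code from the original post; it assumes GCC/Clang’s cpuid.h, and the register values used to exercise the decoder are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Decode the 12-byte hypervisor vendor signature that CPUID leaf 0x40000000
 * returns in EBX:ECX:EDX. Kept separate so it can be fed constructed values. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* 1 if CPUID leaf 1, ECX bit 31 ("hypervisor present") is set, else 0.
 * Non-x86 builds have no CPUID at all, so they report 0. */
int hv_present(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* Fill vendor with the live signature; empty string when no hypervisor. */
int hv_vendor(char vendor[13]) {
    vendor[0] = '\0';
    if (!hv_present()) return 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0x40000000, eax, ebx, ecx, edx); /* leaf lies above the basic range */
    hv_vendor_from_regs(ebx, ecx, edx, vendor);
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    char v[13];
    if (hv_vendor(v)) printf("hypervisor present, vendor signature: \"%s\"\n", v);
    else printf("no hypervisor reported by CPUID\n");
    return 0;
}
```

A hypervisor that wants to stay hidden can of course clear that bit, so its absence proves nothing; its presence is a cheap inventory check for whether the OS you are inspecting actually owns the hardware.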