
Secrets of Intel Management Engine – Hidden code in your chipset - mmastrac
http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
======
ollybee
My second thought on reading this was how can a server be PCI compliant with
Intel management engine installed? But a quick search shows that Intel have
thought of this:
[http://www.intel.co.uk/content/dam/www/public/us/en/document...](http://www.intel.co.uk/content/dam/www/public/us/en/documents/white-papers/vpro-pci-dss-retail-paper.pdf)

My first thought was that it seems increasingly clear that Stallman has been
right all along.

~~~
morganvachon
> My first thought was that it seems increasingly clear that Stallman has been
> right all along.

The problem is that being philosophically right doesn't always mean being
practically right. In order to create the perfect Stallman-esque machine, one
would have to design everything from the logic chips up from scratch, because
in the end, no third party can be trusted. He says this himself about the
Loongson system he uses daily; he considers it a compromise but one heavily
weighted in his favor.

In short, Stallman has been right all along, but there's little we can do
about it from a practical standpoint.

~~~
throwaway2048
We can certainly do a lot better than this. An attitude of "unless it's perfect
it's futile to even try" is defeatist bullshit, and not what Stallman endorses
at all.

~~~
sinetek
There's plenty we can do. Bunnie's Novena laptop is a great example of moving
in the right direction. It all depends on speed I guess; you could have a
completely open hardware laptop using an FPGA, but speed would be an issue for
sure.

~~~
sp332
The Novena has a quad-core Cortex A9 as well as the FPGA. A lot of people who
buy it probably won't use the FPGA at all. In fact, the Spartan-6 FPGA might
have more secrets than the CPU.

------
jesrui
Slides can be downloaded without registration at
[http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf](http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf)

~~~
jcr
The video of Igor's talk at Recon 2014 is here:

[https://www.youtube.com/watch?v=Y2_-VXz9E-w](https://www.youtube.com/watch?v=Y2_-VXz9E-w)

------
WhitneyLand
tldr: Intel's remote management capabilities are obscurely baked into every
chipset. The ME has out of band access to the network card and main memory.
Since ME also has its own flashable memory in principle a machine could be
compromised in a nearly undetectable way. The presentation shows that a lot of
interesting details of ME have been brought to light but it has also withstood
a first round of attacks. No rootkit has yet been shown to be practical.

~~~
bhouston
It just has to be a matter of time until it is cracked. I am surprised Intel
did this.

~~~
cfrantz2
I believe it has already been cracked. See "Persistent, Stealthy, Remote-
controlled Dedicated Hardware Malware" from 30c3:
[https://www.youtube.com/watch?v=Ck8bIjAUJgE](https://www.youtube.com/watch?v=Ck8bIjAUJgE)

------
userbinator
Wow. SPARC and Java, two things you wouldn't ever expect Intel hardware to
ship with! The mention of SOAP-based protocols is also rather surprising,
since they have rather high overhead, and this means ME is not just a little
8051-class MCU but almost a fully-featured PC itself...

The amount of complexity - and the opportunities to hide things in that - has
increased so much compared to earlier PCs that in some ways I think the
development of computer systems is headed on a rather treacherous path. When
systems are so complex that no single person can understand them entirely,
it's easier to make them behave against their owner's will.

~~~
lambda
Not SPARC, ARC:
[https://en.wikipedia.org/wiki/ARC_International](https://en.wikipedia.org/wiki/ARC_International)

~~~
calvin_
Actually, also SPARC.

------
icarusmad
ARC[1], not SPARC. It evolved from the SuperFX chip used in some SNES games.

[1]: [http://en.wikipedia.org/wiki/ARC_International](http://en.wikipedia.org/wiki/ARC_International)

~~~
userbinator
The earlier ME versions used an ARC. The later ones use a SPARC.

Look at slide 50.

~~~
edmccard
Slide 16 says that ME v1.x used an ARCTangent-A4 and that ME v2.x uses an ARC
600.

------
wyager
Wikipedia article:
[http://en.wikipedia.org/wiki/Intel_Active_Management_Technol...](http://en.wikipedia.org/wiki/Intel_Active_Management_Technology)

It's absolutely horrifying. There's no way this is secure.

------
cm3
Is it part of vPro or available in every cpu? Can it be disabled like TSX?

~~~
pgeorgi
The ME is on _every_ CPU, and you can't easily disable it (there are ways, but
it's unclear how much really shuts down, and you might lose power management
features).

vPro is merely the larger ME firmware: The small one is 1.5-2MB, the vPro one
is 5-7. A non-vPro mainboard probably comes without a SOAP-capable webserver
(although I wonder what they need 1.5MB of code for), but the chip to run it
is all there.

~~~
cm3
Oh no. I thought I could select the right chip like you can do to dodge TSX
and HT.

What if I get an AMD CPU? Do those also have an IPMI in disguise inside the
CPU package wired to a network interface?

~~~
stefantalpalaru
> What if I get an AMD CPU? Do those also have an IPMI in disguise inside the
> CPU package wired to a network interface?

AMD implements something similar with DASH in some of its APUs:
[http://www.amd.com/Documents/out-of-band-client-management-o...](http://www.amd.com/Documents/out-of-band-client-management-overview.pdf)

On page 10 in that PDF it says:

> DASH support is available in numerous client platforms, including the HP
> Elitebook 700 series, HP EliteOne 705, HP EliteDesk 705 Mini, HP EliteDesk
> 705, HP 6305 and Lenovo M78 ThinkCentre. Support is also available in
> management consoles, including the Symantec/Altiris Client Management Suite
> v7.5, and Microsoft System Center Configuration Manager (SCCM)*.

~~~
pgeorgi
The interesting thing is that they refer to NIC vendors all the time - as if
that feature is integrated with the ethernet controller (plus some help of the
chipset to keep it alive when everything else is off).

However AMD has its own share of extra processors within the CPU and chipset,
of which we (at coreboot) know of at least two: SMU and IMC. The firmware for
both is still measured in kilobytes, and they seem to have limited access to
hardware resources. (For SMU, see
[http://media.ccc.de/browse/congress/2014/31c3_-_6103_-_en_-_...](http://media.ccc.de/browse/congress/2014/31c3_-_6103_-_en_-_saal_2_-_201412272145_-_amd_x86_smu_firmware_analysis_-_rudolf_marek.html))

Newer chipsets (than kaveri/kabini) come with TrustZone (that ARM stuff) and a
"Platform Security Processor", which indicates that there's at least one new
processor, likely ARM based.

~~~
cm3
Good to know I can freely choose between AMD and Intel chips then. Let's hope
lowRISC doesn't implement a similar attack vector.

------
astrange
Why would the newest version of the ME use SPARC ISA? Does someone out there
need register windows?

~~~
lambda
Where did everyone get SPARC from? The slides clearly say ARC, not SPARC.

~~~
wiml
Different versions of this slideshow have different information. The table
titled "ME Core Evolution" (slide 15/16), for example, shows two generations
in the version on slideshare, but three generations in the PDF on recon.cx.
There is also more discussion of the SPARC architecture in the PDF version.

I did wonder if SPARC refers to the Sun architecture, or if it's an evolution
of ARC that simply collides with the other name. He doesn't mention having
successfully disassembled any of the BayTrail/TXE versions' firmware yet.

~~~
astrange
From the pdf version linked at:
[https://news.ycombinator.com/item?id=8813925](https://news.ycombinator.com/item?id=8813925)

The author clearly believes it's SPARC in Bay Trail, since he seems surprised
by it. A coincidence does seem pretty likely but you'd think Oracle would
object.

~~~
pgeorgi
SPARC is maintained by SPARC International, so Oracle doesn't have too much to
say about that.

However, Intel isn't part of that group (at least according to the website),
and that doesn't fit their MO when adopting external technology.

------
gweinberg
My last few computers have used AMD chips. I think I will stick with those.

~~~
cm3
As noted in another comment AMD has something similar.

------
Maakuth
What, SPARC and Java in Intel motherboards? Is this some elaborate gag on
Sun/Oracle? I hope they'll demo it by running Solaris there for good measure.

~~~
lambda
ARC, not SPARC. Did the title on HN say "SPARC" originally or something?
Because the slides never mention SPARC; they discuss ARC, an embedded ISA.

~~~
Maakuth
A somewhat different set of slides[1] was linked in the comments here; it
appears the latest chipsets use SPARC indeed.

[1]: [http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf](http://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf)

------
pdkl95
"Can be active even when the system is hibernating or turned off (but
connected to mains)"

On top of the security issues, it seems Intel owes a _lot_ of people some
reimbursements for their share of the power bill. Unfortunately, I suspect
this theft of electricity will be quietly swept under the rug and forgotten
about.

