
Introducing Ring -3 Rootkits: BIOS rootkit targeting vPro chipsets (2009) [pdf] - devconsole
https://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Ring3Rootkit-SLIDES.pdf
======
devconsole
Highlights from the slides:

Your CPU chipset is also standalone webserver. Most vPro chipsets (MCHs) have:

\- An Independent CPU (not IA32!)

\- Access to dedicated DRAM memory

\- Special interface to the Network Card (NIC)

\- Execution environment called Management Engine (ME)

Your chipset is a little computer. It can execute programs in parallel and
independently from the main CPU!

How might we design some malware that embeds itself into the chipset? Such
malware would be able to survive reboots, brick the hardware on demand, reboot
on demand, act as a MITM for all network traffic, inject vulnerabilities into
the host OS during bootup, etc.

Step 1: Search for an attack vector in any version of the Intel BIOS. If you
can find any attack vector in any version of the BIOS, you've won. For
example, if the latest Intel BIOS is v3.9.2, but you found an exploit in BIOS
v2.3.1, you've still won. Because...

Step 2: ... as the attacker, you can downgrade the victim's BIOS to any
previous version without any user consent! Any old version of the BIOS is of
course signed by Intel; all versions are. The chipset firmware allows any
valid signed BIOS to replace the current BIOS regardless of whether it's older
or newer than the current.

It was pretty shocking that the BIOS can be downgraded without any user
consent. Downgrading requires a reboot, but that's probably not a huge problem
in practice.

This article is from 2009, so at this point it's just an interesting piece of
history. But I wonder whether any of these issues still persist today, such as
the ability for userspace programs to downgrade/upgrade the BIOS at will?

~~~
pgeorgi
Once you find a bug in certain critical paths, you can write to flash at will,
no signatures required. AFAICS some Samsung and Lenovo users ran into one of
those when installing Linux.

As for the management engine (the CPU that drives the vPro stuff), it exists
in _all_ Intel chipsets since Series 5, vPro is just a certain configuration
of its firmware. It also has full access to RAM, some access to USB, network
and graphics.

~~~
sitkack
For reference

[http://en.wikipedia.org/wiki/Blue_Pill_(software)](http://en.wikipedia.org/wiki/Blue_Pill_\(software\))

[http://en.wikipedia.org/wiki/Joanna_Rutkowska](http://en.wikipedia.org/wiki/Joanna_Rutkowska)

------
t0mas88
So if I understand correctly this can be used to install a persistent hardware
rootkit on the chipset that listens for a "secret" knock procedure with TCP
(because it has access to the NIC) and then in response to the secret signal
modify the host OS kernel through DMA-access to disable for example all access
checks [1].

Imagine infecting a machine with this either before delivery (requires
physical access, but should be doable for FBI/NSA/foreign-counterpart) or in a
"rent a server" situation. Most providers will allow you to rent a full server
with root-access for a month and then cancel the contract. I'm assuming those
servers get re-used if they're not too old.

[1] Code to disable access checks through DMA has been around for a long time:
[http://www.breaknenter.org/projects/inception/](http://www.breaknenter.org/projects/inception/)

------
rjzzleep
you fight find this more recent work interesting:

[http://media.ccc.de/browse/congress/2013/30C3_-_5380_-_en_-_...](http://media.ccc.de/browse/congress/2013/30C3_-_5380_-_en_-
_saal_2_-_201312291830_-_persistent_stealthy_remote-
controlled_dedicated_hardware_malware_-_patrick_stewin.html)

> In this work we present a stealthy malware that exploits dedicated hardware
> on the target system and remains persistant across boot cycles. The malware
> is capable of gathering valuable information such as passwords. Because the
> infected hardware can perform arbitrary main memory accesses, the malware
> can modify kernel data structures and escalate privileges of processes
> executed on the system.

> The malware itself is a DMA malware implementation referred to as DAGGER.
> DAGGER exploits Intel’s Manageability Engine (ME), that executes firmware
> code such as Intel’s Active Management Technology (iAMT), as well as its OOB
> network channel. We have recently improved DAGGER’s capabilites to include
> support for 64-bit operating systems and a stealthy update mechanism to
> download new attack code.

edit: you still have to first get the malware in though

------
userbinator
This is another excellent example of when security-through-obscurity fails;
the vPro environment docs are presumably NDA-only (or never released outside
Intel), but reverse-engineers will figure things out anyway, and they're not
really willing to disclose how much they know...

None of my machines have vPro; I remember someone I know calling it "the
ultimate pre-installed RAT" when it first came out.

Another interesting little fact: Intel's wireless cards, at least the
3945/4965 generation, also use an ARC core to run their firmware.

~~~
mschuster91
Oh, the 4965 generation. I vaguely remember the days of the Linux driver
development, there were discussions to open-source the binary blob firmware.

IIRC this was ultimately abandoned due to the possibility of turning the 4965
into a pretty sophisticated SDR. What a shame!

~~~
yuhong
Reminds me of why older Broadcom wireless chips don't have official open
source drivers.

------
higherpurpose
Many of these exploits "we're just learning about now", have been discussed at
CCC, Defcon and Blackhat conferences in the past few years. It's just that
most people weren't aware of them. NSA, on the other hand, has paid much
attention to them.

Here's another one about hardware backdooring from 2012:

[https://www.youtube.com/watch?v=tV0YqJa-0OA](https://www.youtube.com/watch?v=tV0YqJa-0OA)

But when we discover a backdoor on Intel chips (not necessarily put there by
Intel) in 5 years, everyone will probably act in shock and awe that it was
possible.

------
jrabone
And yet the Intel product pages say

"Prevent attacks below the operating system

Intel vPro technology protects against difficult-to-detect, penetrating
rootkits and malware that threaten users working in cloud or virtual
environments. It combines several hardware-based features, including Intel®
Trusted Execution Technology (Intel® TXT)3 and Intel® Virtualization
Technology (Intel® VT)4 for centralized image management and administration,
secure network storage, and out-of-band protection—all beyond the firewall."

Irony? Or hopefully the current version of vPro as built-in to some Xeon
processors is a bit more hardened...

~~~
ChuckMcM
Kind of like buying a gun for self protection and then having an intruder get
hold of it and kill you with it. In a talk I gave to some Swiss banks about
security a looooong time ago I talked briefly about security measures as
vulnerabilities which are analogous to data protection bits being the source
of data corruption errors. You have to evaluate whether the system as a whole
with is more or less (or the same!) level of secure with the code you've added
for security.

~~~
sitkack
I hadn't really thought about ECC bits getting errors and thus corrupting the
thing they were supposed to protect.

Do you know if hardware uses [http://en.wikipedia.org/wiki/Reed-
Muller_Code](http://en.wikipedia.org/wiki/Reed-Muller_Code) for the ECC bits?

~~~
ChuckMcM
I believe they use Reed-Solomon encoding but as it is up to the memory
controller to implement it can change. The memory just provides the extra bits
for the software to use. In our fictional gun ownership example it would be
like the owner hiding _multiple_ guns around the house so that if one was
compromised by an intruder they could still defend themselves. :-)

------
X4
Are there any ways to defend against the attack?

I can only think of buying AMD Chips with CoreBios instead, which of I don't
know, if they may have similar issues. Maybe buy Tilera, or other manycore
chips instead?

This article with the title: "Expert Says NSA Have Backdoors Built Into Intel
And AMD Processors" raises some concerns, even though I don't know, if the
source can be trusted. [http://www.eteknix.com/expert-says-nsa-have-backdoors-
built-...](http://www.eteknix.com/expert-says-nsa-have-backdoors-built-into-
intel-and-amd-processors/)

~~~
userbinator
Not all Intel chipsets have vPro/ME.

E.g. this one doesn't:

[http://ark.intel.com/products/64015/Intel-
BD82X79-PCH](http://ark.intel.com/products/64015/Intel-BD82X79-PCH)

(Whether they actually do have the silicon and are just disabled somehow and
could be enabled/not is a different issue, however...)

~~~
pgeorgi
To check, I downloaded Asrock X79 Extreme4's BIOS update and looked into it.
It contains 2MB of ME firmware.

That's definitely not the vPro enabled version (which uses about 5MB), but
approximately matches the regular non-vPro versions in size.

Maybe the "ME firmware N/A" field is meant to mean "don't bother, we don't
want you to configure it"?

edit: updated with information from another bios update that isn't a diff

------
TazeTSchnitzel
Is this one place where the fabled BADBIOS could live?

~~~
jevinskie
Seems so. The independent CPU has access to system RAM, that is pretty much
game over. SMM (ring -2 in the slides) may be another good choice. [0]

[0]:
[https://en.wikipedia.org/wiki/System_Management_Mode](https://en.wikipedia.org/wiki/System_Management_Mode)

------
stcredzero
_Your chipset is a little computer. It can execute programs in parallel and
independently from the main CPU!_

So, basically, the "trusting trust" extends to even your chipset. Basically,
the majority of people are doomed to be the subjects of those controlling the
means of production. Most of those few who have the wherewithal to peer past
the curtain can easily be bribed and intimidated into cooperating.

Tinfoil hat on: I wonder if such vulnerabilities might have been concocted as
a means of sneaking backdoors into the technical projects of non-US countries?

------
jevinskie
Does anyone know if it is possible to get a dump of the firmware running on
the vPro? I'd like to take a look in IDA!

------
contingencies
Time to get off the x86 consumer hardware train. NetBSD anyone? :)

