A worrisome threat?


Sandy Harris

Aug 29, 2017, 4:54:59 PM
to qubes-users
Does Qubes block this? If not, should it? In either case, how?

---------- Forwarded message ----------
From: Henry Baker <hba...@pipeline.com>
Date: Tue, Aug 29, 2017 at 7:51 AM
Subject: Re: [Cryptography] How to find hidden/undocumented instructions
To: crypto...@metzdowd.com

FYI --

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

Intel ME controller chip has secret kill switch

Researchers find undocumented accommodation for government customers

By Thomas Claburn in San Francisco 29 Aug 2017 at 00:12

Security researchers at Moscow-based Positive Technologies have
identified an undocumented configuration setting that disables Intel
Management Engine 11, a CPU control mechanism that has been described
as a security risk.

Intel's ME consists of a microcontroller that works with the Platform
Controller Hub chip, in conjunction with integrated peripherals. It
handles much of the data travelling between the processor and external
devices, and thus has access to most of the data on the host computer.

If compromised, it becomes a backdoor, giving an attacker control over
the affected device.

That possibility set off alarms in May, with the disclosure of a
vulnerability in Intel's Active Management Technology, a firmware
application that runs on the Intel ME.

The revelation prompted calls for a way to disable the poorly
understood hardware. At the time, the Electronic Frontier Foundation
called it a security hazard. The tech advocacy group demanded a way
to disable "the undocumented master controller inside our Intel chips"
and details about how the technology works.

An unofficial workaround called ME Cleaner can partially hobble the
technology, but cannot fully eliminate it. "Intel ME is an
irremovable environment with an obscure signed proprietary firmware,
with full network and memory access, which poses a serious security
threat," the project explains.

On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark
Ermolov, and Maxim Goryachy said they had found a way to turn off the
Intel ME by setting the undocumented HAP bit to 1 in a configuration
file.

HAP stands for high assurance platform. It's an IT security framework
developed by the US National Security Agency, an organization that
might want a way to disable a feature on Intel chips that presents a
security risk.

The Register asked Intel about this and received the same emailed
statement that was provided to Positive Technologies.

"In response to requests from customers with specialized requirements
we sometimes explore the modification or disabling of certain
features," Intel's spokesperson said. "In this case, the
modifications were made at the request of equipment manufacturers in
support of their customer's evaluation of the US government's 'High
Assurance Platform' program. These modifications underwent a limited
validation cycle and are not an officially supported configuration."

Positive Technologies in its blog post acknowledged that it would be
typical for government agencies to want to reduce the possibility of
unauthorized access. It noted that HAP's effect on Boot Guard,
Intel's boot process verification system, remains unknown, though it
hopes to answer that question soon.


Sandy Harris

Aug 29, 2017, 5:02:18 PM
to qubes-users
As I probably should have known, Qubes developers are already well
aware of this. See for example:
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

Alex

Aug 30, 2017, 1:56:23 AM
to qubes...@googlegroups.com
Exactly.

To give a little more context:
* Intel ME is a totally independent, totally opaque (officially at
least) stand-alone computer system attached to any recent x86/x86_64
chipset (reminds me of the Cordyceps "zombie fungi" family)
* It is able to reach various devices deemed "dangerous" in a computer
system (network adapters, ram, input devices) in a way that is both
unnoticeable and uncontrolled by the host system
* The software it runs can only be updated as a blob by customers, but
is signed and encrypted by Intel, so no insight nor customization is
available beyond some simple "variable-setting" tool
* While it may be useful for remote/centralized
provisioning/maintenance of large corporate networks (citation needed,
perhaps), it has quickly grown very large and complex (hence, linearly
buggier)
* The latest versions of ME are absolutely necessary for Intel-based
chipsets to perform basic boot functions (power management, initializations)
* The dangers of this tool fall into two categories: intentional remote
administration backdoors and unintentional exploitable bugs, both of
which cannot be checked for nor ruled out without considerable effort in
accessing the software (which has already been, partially, done - but
yet, I don't expect anyone decapping a south bridge chip any time soon!)
* The worst part is that this remote administration engine is
pre-installed into and (as of the latest versions) un-removable from any
recent Intel-chipset-based motherboard, even consumer-grade ones or
mobile-oriented ones (low cost tablets that are extremely unlikely to be
used by large corporations), prompting the question "is it really about
central administration/maintenance for corporate users?"


Because of this context it is usually regarded as a necessary evil, but
any security-minded Intel customer will try its best to disable as much
ME functionality as he/she can, hence the research that produced the
paper you linked to in your first post.

Please also note that any remote administration command can only be
received through networking, so proper firewalling (ipv6 may complicate
things - prepare your studies in advance) and monitoring may help great
lengths. Also, do avoid using x86-based firewalls/routers... ;)

--
Alex


wordsw...@gmail.com

Aug 30, 2017, 11:17:38 AM
to qubes-users, alex...@gmx.com
> Please also note that any remote administration command can only be
> received through networking, so proper firewalling (ipv6 may complicate
> things - prepare your studies in advance) and monitoring may help great
> lengths. Also, do avoid using x86-based firewalls/routers... ;)
>
> --
> Alex

Just to be clear for beginners - this means that if you're running Qubes on an x86 processor, you cannot trust Qubes as a firewall to prevent IME remote administration.

You would need a separate device to act as a firewall. Most routers have recently been shown to be compromised in similar ways. It will be difficult, but should be possible, to find a device that is secure given current knowledge.

Alex

Aug 30, 2017, 11:32:05 AM
to qubes...@googlegroups.com
You are right. With "proper firewalling" I was implying separate
physical hardware, and that was the basis for "avoid x86 based firewalls".

There's no isolation benefit with a software firewall if the remote
administration packets are received by the local network adapter, since
the "zombie RAT fungus" (Intel ME) fiddles with PCI devices on its own.

--
Alex
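
The monitoring half of the advice in this exchange, as an added example that is not part of the original thread: a Python filter run over the separate firewall's logs that flags flows touching the IANA-registered Intel AMT/ASF management ports, on IPv4 and IPv6 alike. The port list is an assumption (the thread names no ports), and the netfilter-LOG-style sample lines, addresses and the `amt_hits` function are constructed for illustration.

```python
import re
from ipaddress import ip_address

# IANA-registered Intel AMT / ASF management ports (assumption: the thread names none).
AMT_PORTS = {
    623: "ASF-RMCP", 664: "ASF-RMCP secure",
    16992: "AMT HTTP", 16993: "AMT HTTPS",
    16994: "AMT redirection", 16995: "AMT redirection TLS",
}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample in netfilter LOG style, as seen on the external firewall.
SAMPLE_LOG = """\
Aug 30 11:32:05 fw kernel: IN=wan OUT=lan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=16992
Aug 30 11:32:06 fw kernel: IN=wan OUT=lan SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=443
Aug 30 11:32:07 fw kernel: IN=wan OUT=lan SRC=2001:db8::7 DST=2001:db8:1::10 PROTO=TCP SPT=40000 DPT=16993
Aug 30 11:32:08 fw kernel: IN=lan OUT=wan SRC=192.0.2.10 DST=203.0.113.7 PROTO=UDP SPT=623 DPT=50123
Aug 30 11:32:09 fw kernel: IN=wan OUT=lan SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
"""

def amt_hits(log_text):
    """Return (ip_version, managed_host, port, service, direction) per suspicious flow."""
    hits = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") not in ("TCP", "UDP"):
            continue  # no ports to inspect
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
            sport, dport = int(f["SPT"]), int(f["DPT"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if dport in AMT_PORTS:    # request towards a management port
            hits.append((dst.version, str(dst), dport, AMT_PORTS[dport], "request"))
        elif sport in AMT_PORTS:  # reply coming back from one
            hits.append((src.version, str(src), sport, AMT_PORTS[sport], "reply"))
    return hits

if __name__ == "__main__":
    for hit in amt_hits(SAMPLE_LOG):
        print("IPv%d host %s port %d (%s) %s" % hit)
```

A "reply" hit keyed on the source port can also be an unrelated client that happened to pick that number as its ephemeral port, so treat it as a lead to confirm rather than proof.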


Dominique St-Pierre Boucher

Aug 30, 2017, 11:53:25 AM
to qubes-users, alex...@gmx.com

Do AMD or ARM motherboards have a similar feature (like Intel ME)?

Thanks

Dominique

Alex

Aug 30, 2017, 12:03:09 PM
to qubes...@googlegroups.com
AMD seems to have something on the lines of IME:
https://www.reddit.com/r/security/comments/4ot223/do_amdprocessors_have_something_like_intel/

ARM itself is not a specific architecture nor a contained set of them;
for example, a quick google search reveals a thread with your question
on the Raspberry Pi forum:
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=151542

tl;dr: there does not seem to be some behind-the-scenes management
available for ARM, but this does not stop specific implementations from
having some weirdness like the VideoCore GPU in a RPi - in this case the
GPU "controls" the CPU (it manages CPU boot and manages all CPU RAM at
all times) and is an opaque device.

--
Alex
