Return to Video

34C3 - Inside Intel Management Engine

  • 0:00 - 0:16
    34c3 preroll music
  • 0:16 - 0:22
    Herald: Last year he presented how to get
    JTAG over USB at the 33C3. Today he will
  • 0:22 - 0:28
    tell us how to interrogate the Intel
    Management Engine in a similarly ingenious
  • 0:28 - 0:36
    and devious way. Please join me in
    welcoming Maxim Goryachy to 34C3.
  • 0:36 - 0:44
    Applause
  • 0:45 - 0:55
    Maxim Goryachy: Hello guys. I'm speaking
    about Intel debug capabilities at the CC
  • 0:55 - 1:03
    Conference for the second year in a row.
    Last time I talked about how new Intel
  • 1:03 - 1:12
    CPUs allow debug technology called Intel
    Direct Connect Interface or DCI and now
  • 1:12 - 1:25
    I'm going to talk how activates DCI for
    Intel Management Engine. (Sorry) DCI is a
  • 1:25 - 1:32
    private implementation of widely known
    industry standards for debugging hardware
  • 1:32 - 1:41
    and low level software from Intel. And
    addition I will talk about how it can be
  • 1:41 - 1:52
    used for research and how to use it in
    practice. Unfortunately my colleague Mark
  • 1:52 - 2:01
    couldn't come and I will introduce our
    research alone. And I think that you some
  • 2:01 - 2:10
    hungry and I will be quickly. Out our
    Management Engine research team at
  • 2:10 - 2:16
    Positive Technologies includes following
    researchers: my colleague Dmitry Sklyarov
  • 2:16 - 2:27
    and Mark Ermolov and myself. Mark Ermolov
    is my colleague. With him, with whom we
  • 2:27 - 2:33
    found Intel vulnerability in Intel
    Management Engine. He is a system
  • 2:33 - 2:39
    programmer and a reverse engineer and
    Dmitry Sklyarov a well known reverse
  • 2:39 - 2:46
    engineer who did 5 #research of the ME
    filesystem. He recovered Huffman codes for
  • 2:46 - 2:59
    version 11 of ME and you can find his tool
    for unpacking ME image and for parsing ME
  • 2:59 - 3:10
    file system on our Github pages. How you
    can see our previous talk related to ME
  • 3:10 - 3:17
    and our contacts so you can feel free to
    communicate with us for any question
  • 3:17 - 3:25
    you're interested about our research. How
    I have just said I will talk about what is
  • 3:25 - 3:32
    Intel ME, how it's implemented and how we
    activated JTAG for ME Core vulnerability
  • 3:32 - 3:41
    which Mark and I found. Then I disclose in
    details how our technique works and show
  • 3:41 - 3:55
    proven our achievements. How many people
    in this hall know what is ME? Oh cool! But
  • 3:55 - 4:05
    in here, a review. As a topic, the
    Management Engine is very popular now.
  • 4:05 - 4:09
    First it's almost fully undocumented and
    very powerful at the same time. For
  • 4:09 - 4:15
    example it has full access to your
    platforms hardware including CPU complex,
  • 4:15 - 4:23
    it has capabilities to intercept all that
    you are doing on your PC. For example
  • 4:23 - 4:34
    keyboard, he has access to keyboard to
    USB and of course PCI buses. It is also a
  • 4:34 - 4:47
    root of trust for many Intel security
    features like TPM, like DRM and APT. Intel
  • 4:47 - 4:52
    has chosen the following design for ME
    version 11: independent microcontroller,
  • 4:52 - 5:04
    own operating system based on Minix, built
    in Java Machine. It gets started before
  • 5:04 - 5:13
    main CPU. Its firmware has parts in PCH,
    beyond in memory and in SPI flash. Many
  • 5:13 - 5:19
    Intel technologies are implemented with
    help of Management Engine for example
  • 5:19 - 5:34
    Active Management Technology or PVT and we
    think that SGX, too. Another question how
  • 5:34 - 5:52
    many people in this hall know what is
    JTAG? Cool! But some review of JTAG. JTAG
  • 5:52 - 5:58
    stands for Joint Test Action Group and you
    can find its description in IEEE standards
  • 5:58 - 6:06
    which the details available in the
    standard itself. As the results of the
  • 6:06 - 6:16
    paper available on our blog where the
    design is described in close details. Out
  • 6:16 - 6:23
    often manufacture extend standard JTAG by
    adding their own functions. JTAG in Intel
  • 6:23 - 6:32
    processor is described rather poorly and
    some information can be found in documents
  • 6:32 - 6:46
    and patent. You can see our paper on the
    slide and starting with Skylake, Intel
  • 6:46 - 6:51
    introduced
    Direct Connect Interface technology
  • 6:51 - 6:56
    and you can find the description
  • 6:56 - 7:07
    of it in the documents and in our works.
    The diagrams show two types of connection:
  • 7:07 - 7:15
    using a specific device, a so-called Intel
    SVT Closed Chassis Adapter or a common
  • 7:15 - 7:23
    used USB3 debug cable. I would like to
    note that the target system in this case
  • 7:23 - 7:31
    doesn't require the use of a hardware
    agent. The drawback of this technology is
  • 7:31 - 7:38
    that it works out of box. Intel or Silicon
    Valley technology closed unintelligible
  • 7:38 - 7:51
    provides access to day fix features like
    JTAG and RAM control through USB3 ports on
  • 7:51 - 8:02
    platforms. It works through USB3 links but
    implements a private protocol and makes it
  • 8:02 - 8:08
    possible to manipulate the target system
    in deep sleep mode. It means that in this
  • 8:08 - 8:26
    mode you have independent links between
    JTAG adapter and PCH. USB3 host on DCI is
  • 8:26 - 8:33
    common USB3 debug cable which works as OTG
    device that means that a special device
  • 8:33 - 8:39
    appears on the host system and activation
    and commands are sent to device through
  • 8:39 - 8:47
    the common USB interface. As the device
    itself is integrated into PCH and it
  • 8:47 - 8:58
    transforms the command into JTAG. If you
    have JTAG for ME devices it means you have
  • 8:58 - 9:05
    almost full control of ME. Two main
    questions: Doesn't who provides of any
  • 9:05 - 9:10
    technique for debugging ME on public
    platforms? And the second: What does
  • 9:10 - 9:21
    software and hardware need for any
    debugging? Ok. The answer to the first
  • 9:21 - 9:28
    question: Yes they found a special
    partition called UTOK which allocated on
  • 9:28 - 9:41
    the special, on the SPI flash where
    storage ME. This partition has same
  • 9:41 - 9:48
    structures FPT and another partition of
    ME. Partition builts entry of available
  • 9:48 - 9:56
    debug capabilities. One of this records
    means types of unlock: Red or orange.
  • 9:56 - 10:05
    Please pay attention, it will be important
    later. And what is, what means DFx? DFx is
  • 10:05 - 10:13
    collective term for next to privation DFT
    designed for testability and DFD designed
  • 10:13 - 10:27
    for debugging. DFT is set of technique
    used for manufacturing defects finding of
  • 10:27 - 10:38
    integrated chips and standard DFT it
    generally buys it on ordinary boundaries
  • 10:38 - 10:49
    can detect comments but Intel extends it's
    DFT in its branded silicone view
  • 10:49 - 10:55
    technology. DFD joins all internal chip
    level logic used to organize Hardware
  • 10:55 - 11:02
    level debugging of course sequences
    executed by chips. DFx is connected to
  • 11:02 - 11:14
    internal world by a special thing called
    embedded day fix interface. This bridge
  • 11:14 - 11:20
    connects dayfix whith external industry
    interface like USB there is a special
  • 11:20 - 11:27
    device in interpret from controller hub
    called defects aggregator its function is
  • 11:27 - 11:45
    to control access to DFx. 2 types : orange
    types it means that vendors may use the
  • 11:45 - 11:55
    JTAG debugging for ICH for example and
    auto partition for orange unlock must be
  • 11:55 - 12:07
    signed by vendor scheme. This key stored
    in FPF fuses and more interesting is read
  • 12:07 - 12:18
    unlock because this unlock provides full
    access to besiege. The internal devices
  • 12:18 - 12:32
    unlocks JTAG for ME core and provides
    unlimited access to ME memory. Intel
  • 12:32 - 12:37
    management engine uses two devices for
    support Hardware debugging the fixed
  • 12:37 - 12:44
    aggregator management's defects
    functionality and the CSE zeroing register
  • 12:44 - 12:56
    from device called GEN and only
    BUP and ROM uses this device.
  • 12:56 - 13:03
    It is CSE zeroing register
    when we know only
  • 13:03 - 13:09
    about 1 bit.
    We called it Intel unlock
  • 13:09 - 13:26
    request and this register means that you
    asked the platform to do read unlock. More
  • 13:26 - 13:36
    interesting is DFx aggregator register and
    personal to register. Personality register
  • 13:36 - 13:45
    specifies type of unlock red or orange and
    consent used for allowed right to personal
  • 13:45 - 13:59
    to register. It means that consent
    register or it means that this bit to
  • 13:59 - 14:17
    allow write data in DFx personal to
    register and read and lock works in 2
  • 14:17 - 14:29
    steps. On the first, the BUP fun is
    finding who talked partition. If partition
  • 14:29 - 14:43
    found, the BUP checked is checking
    partition signatory and platform ID. Also
  • 14:43 - 15:03
    BUP checks time because the talk has time
    limitation and after that if all is okay,
  • 15:03 - 15:12
    BUP parses an entry in who talked
    partition called knobs if intel knob
  • 15:12 - 15:27
    unlock founded and platform is not already
    unlocked BOB set these aren't register and
  • 15:27 - 15:38
    do not reset in it. After set in ROM,
    check is checking TCS errant register and
  • 15:38 - 15:54
    if it's set, it to clean this register and
    switch on consent and personality it means
  • 15:54 - 16:12
    read and lock after that ROM is cleaning
    ME keys and working but if you have active
  • 16:12 - 16:18
    but if dci is active immediate doesn't
    latch the fix consent register. It means
  • 16:18 - 16:32
    that if you want to switch on JTAG you
    don't need to reboot ME. if you have the
  • 16:32 - 16:44
    second action inhales deply and how active
    how to wait read and lock without intel
  • 16:44 - 16:51
    keys on blockhead Europe we disclosed bug
    in BUP model. This function as you can see
  • 16:51 - 16:57
    has a vulnerability when it called other
    function reading in BUP CT file it gives
  • 16:57 - 17:05
    incorrect size of data to read instead of
    local buffer size the buffer DFS file read
  • 17:05 - 17:14
    function gets the size of the role file
    how we exploited this vulnerability you
  • 17:14 - 17:23
    can found in our presentation from
    blockhead and using the vulnerability we
  • 17:23 - 17:35
    also have activated attack for management
    engine and to research ME in internal of
  • 17:35 - 17:48
    in ME right activation without intel keys
    may be doing after 4 simple steps on the
  • 17:48 - 17:57
    first activate manufacture mode for target
    it means for DCI and set the size drop in
  • 17:57 - 18:03
    a flash descriptor and using the
    vulnerability to a lot well with 3 to
  • 18:03 - 18:20
    defects personal register and after that
    you you will have MEquerem? and you can do
  • 18:20 - 18:33
    research in internal semi but
    unfortunately you will have one problem
  • 18:33 - 18:44
    because you don't have software for
    debugging Keeney but it is small problem
  • 18:44 - 18:53
    and next let's talk about software part of
    technologists tech it's presented by DAL..
  • 18:53 - 19:00
    Intel DFX abstraction layer package
    it's alleged library exposes all power of
  • 19:00 - 19:10
    DFx software model as we found DAL
    heslage history supports various platform
  • 19:10 - 19:23
    and CPU architecture designed to work with
    different debug ports and hardware were we
  • 19:23 - 19:29
    know that DAL is a core of all
    instruments that Intel uses for testing
  • 19:29 - 19:38
    and debugging of its hardware and firmware
    components so it's provided with Intel
  • 19:38 - 19:48
    systems studio for example and can be
    download without an ID and DAL is almost
  • 19:48 - 20:02
    writen in C# and has same structure on the
    top DAL has console interface
  • 20:02 - 20:14
    and GUI interface and library
    layer and Driver transport and DFX on
  • 20:14 - 20:24
    target we found a patient from Intel in
    public description corelation of DFX exci
  • 20:24 - 20:34
    internal interfaces you can see our
    previous work to details about how
  • 20:34 - 20:49
    internal structure of dialogues DAL's
    architecture is based on notion there
  • 20:49 - 20:58
    are two type of nodes physical and logical
    physical nodes represents 3 of hardware
  • 20:58 - 21:09
    components organized from probe unit and
    including the following levels gdect e to
  • 21:09 - 21:16
    c bus and an other logical nodes
    represents certain functionalities that
  • 21:16 - 21:22
    can be used to perform debugging stuff and
    many problems at public version of DAL
  • 21:22 - 21:28
    doesn't include configuration for
    ME core however that didn't stop us
  • 21:28 - 21:47
    and we found the solution how I said DAL
    has some configuration and as
  • 21:47 - 21:53
    we investigated during reverse engineering
    of the DAL library each configuration is
  • 21:53 - 22:01
    included in encrypted XML files DAL uses
    aes cipher and key derivation function
  • 22:01 - 22:13
    pbkdf2 with fixed key and salt the first
    of lines of poem it is salt and ATP is
  • 22:13 - 22:23
    easy key the simple program on is a simple
    program allows the crypto device
  • 22:23 - 22:27
    configuration of DAL
    applause
  • 22:27 - 22:34
    Thank you.
    applause continues
  • 22:34 - 22:42
    Maybe another poems to decrypt,
    for example
  • 22:42 - 22:51
    microcode of CPU, I don't know.
    How there is no configuration of any
  • 22:51 - 22:57
    devices, we found that ME core is an LMT2
    devices and the configuration of this
  • 22:57 - 23:02
    device can be found in decrypted XML
    files, before anybody can write
  • 23:02 - 23:12
    configuration for ME. I don't know, for
    example on the slide you can see internal
  • 23:12 - 23:26
    structure of LP series of PCH. It is U
    series of cpu and at the top divided
  • 23:26 - 23:43
    on four part and on top connected parts
    in the end ME core. and how to do
  • 23:43 - 23:52
    custom configuration, four first
    steps: on the first decrypt XML files, the
  • 23:52 - 24:02
    second adds the following clients to top
    SPT XML and use DAL environment for any
  • 24:02 - 24:41
    debugging and it will make you computer
    personal again. Some demo. One moment.
  • 24:41 - 24:56
    Okay. It is version of systems studio
    and we decrypt files, with configuration
  • 24:56 - 25:18
    of DAL, and to edit to add some lines.
    The top is for each series of PCH and the
  • 25:18 - 25:35
    bottom for LP series. It is ME core, it is
    linked between ME core and unintelligible
  • 25:47 - 26:01
    We halt the execution, we load some,
    reloading some library, our library, we
  • 26:01 - 26:31
    set up reset breaks, it needs for to stop
    on the reset vector in ME. How you can see
  • 26:31 - 26:51
    GDT table and current instruction and the
    register value, LDT value and we are doing
  • 26:51 - 27:32
    a reset on ME and step in
    instruction in to ME. Then initialize
  • 27:32 - 28:17
    of segments and new GDT value, ok and okay
    and demo from black hat. it is our stand,
  • 28:17 - 28:54
    it is host platform, already halted, init
    settings for any core. Oh sorry. It is not
  • 28:54 - 29:12
    ME. The reset vector, how you can see in
    catcher interface it is
  • 29:12 - 29:26
    special device between which manufacture
    for for links between host CPU and ME and
  • 29:26 - 29:40
    now we read some read only register for
    CPU from (???????) and set the value of
  • 29:40 - 30:01
    this register from ME. The magic.
    applause
  • 30:01 - 30:07
    And then my demo
    is more interesting than my english
  • 30:07 - 30:54
    sorry and I have a live demo if internet
    will be good. One moment. It's my machine
  • 30:54 - 31:32
    at work and the internet is not good
    sorry. maybe maybe later. Okay. And our
  • 31:32 - 31:39
    achievement: JTAG activation, we we do
    JTAG - well achievement in respect to the
  • 31:39 - 31:49
    vulnerability, in addition we activate
    JTAG for ME. Also we dumped the ME startup
  • 31:49 - 32:02
    code and found the way to extract
    platform's key used by the flash file
  • 32:02 - 32:17
    system. It means that you can decrypt and
    integrate your files into ME and ME
  • 32:17 - 32:29
    doesn't detect it. And our links: on our
    GitHub page you can find our tools for ME
  • 32:29 - 32:37
    reversing researching and our blogs, where
    is our article, our reference and thank
  • 32:37 - 32:40
    you for your attention. Questions please.
  • 32:40 - 32:50
    applause
  • 32:50 - 32:54
    Herald: So anyone that has a question for
    Maxim please line up by one of the
  • 32:54 - 32:59
    microphones. They are 1, 2, 3, 4 on this
    side of the room and 5, 6, 7, 8 on that
  • 32:59 - 33:03
    side of the room. If you are watching
    online we have a signal angel, who is
  • 33:03 - 33:08
    monitoring the internet for all of your
    interesting questions and they will be
  • 33:08 - 33:12
    asked. So already here
    at microphone number one.
  • 33:12 - 33:18
    Mic 1: Okay so it mentions, you mention
    that you dumped the ROM. And previously,
  • 33:18 - 33:22
    as there were some rumors with ROM bypass
    available, did you compare the dumped
  • 33:22 - 33:24
    Maxim: Yeah.
    Mic 1: ROM against ROM bypass
  • 33:24 - 33:25
    Maxim: Yeah.
    Mic 1: and is it the same?
  • 33:25 - 33:26
    Maxim: No.
    Mic 1: No?
  • 33:26 - 33:38
    Maxim: We found there's some difference
    but it relates with that ME bypass code
  • 33:38 - 33:47
    starts into protected mode but a
    real ROM starts into real mode.
  • 33:47 - 33:52
    Mic 1: Okay, so otherwise it's
    functioning almost the same.
  • 33:52 - 33:59
    Maxim: Hmm, we found some difference in
    cryptography but I think it is not
  • 33:59 - 34:03
    important.
    Herald: So, if you if you are leaving
  • 34:03 - 34:06
    please be quiet, so the talk is still
    going on, we're still having questions and
  • 34:06 - 34:13
    answers and please be considerate of the
    people asking questions. Thank you. The
  • 34:13 - 34:20
    next one, from microphone number five.
    Mic 5: Yeah, so you set the personality
  • 34:20 - 34:27
    register to read and then you reset the ME
    and it will break at the reset. Is that
  • 34:27 - 34:33
    register persistence over reboots or you
    have to do the exploit and set it every
  • 34:33 - 34:37
    time?
    Maxim: Yeah, you need to do it every time.
  • 34:37 - 34:47
    This only persist between resets.
    Herald: Signal angel, is there's a
  • 34:47 - 34:51
    question from the internet.
    Signal Angel: Yes, they'd like to know
  • 34:51 - 34:54
    where to find the internal USB port on the
  • 34:54 - 34:59
    main board.
    Maxim: Sorry please repetition.
  • 34:59 - 35:06
    Sig Ang: The question is where to find the
    internal USB port on the main board for
  • 35:06 - 35:14
    the JTAG access.
    Maxim: How I know all USB ports now has
  • 35:14 - 35:23
    access to this functionality. You don't
    need to find its ports on your system. If
  • 35:23 - 35:35
    you have platform with Skylake you always
    has this functionality on your USB ports.
  • 35:35 - 35:49
    Oh, of course if this ports link directly
    to PCH, if if it is port- link- connected
  • 35:49 - 36:01
    where some another controller you probably
    don't have to stay on these ports.
  • 36:01 - 36:09
    Herald: Microphone, microphone number two.
    Mic 2: Does it work, means you can extract
  • 36:09 - 36:15
    any key from ME, for example key for SGX
    remote as a station?
  • 36:15 - 36:26
    Maxim: I didn't know. We are starting this
    research how ME relates with SGX and we -
  • 36:26 - 36:42
    I don't know how key in ME extract, derive
    and loaded and relate with SGX. I don't
  • 36:42 - 36:45
    know, sorry.
    Herald: Microphone number one.
  • 36:45 - 36:52
    Mic 1: Did you receive any any messages,
    any recognition about this from Intel?
  • 36:52 - 37:00
    Maxim: You mean that - did we share this
    information with Intel?
  • 37:00 - 37:06
    Mic 1: No, did they react to, did they
    react in any way to that?
  • 37:06 - 37:10
    Maxim: After our vulnerabilities they said
    "okay"
  • 37:10 - 37:13
    audience laughs
  • 37:13 - 37:15
    Mic 1: Okay, so nothing much
    except for patches?
  • 37:15 - 37:17
    Maxim: Yeah.
    Mic 1: Okay, thank you.
  • 37:17 - 37:20
    Herald: Signal angel, is there another
    question from the internet?
  • 37:20 - 37:28
    Sig Ang: Yeah - how can you disable the
    JTAG access? is just disabling the ME
  • 37:28 - 37:37
    enough or what do you have to do?
    Maxim: Sorry, you mean how Intel disabled
  • 37:37 - 37:45
    decide functionality for ME and
    Sig Ang: How can you fix it now, how could
  • 37:45 - 37:49
    the Intel fix it or how can you secure
    your own system?
  • 37:49 - 37:59
    Maxim: It is not, it is just feature it is
    not bug, sorry. You don't have any chance
  • 37:59 - 38:07
    a chance to switch on JTAG for in ME if
    you don't have UTAG or you don't have
  • 38:07 - 38:23
    vulnerability. And JTAG for ME switch on
    only inter BUP mode module - in inter-in
  • 38:23 - 38:31
    BUP module. If we have vulnerability in
    other module, for example in AMT, we
  • 38:31 - 38:46
    mustn't do it. And if you have to try -
    it's its feature, it is not bug. You can
  • 38:46 - 38:54
    switch off the HECI flash descriptor and
    to fix this side problem which we found in
  • 38:54 - 39:01
    last year, and it will be ok.
  • 39:01 - 39:04
    Herald: Microphone number four
    in the back.
  • 39:04 - 39:08
    Mic 4: I believe one of your previous
    slides mentioned that they incorporated a
  • 39:08 - 39:12
    Java Virtual Machine - why in god's earth
    did they do that?
  • 39:12 - 39:30
    Maxim: How I know; this it is DAL and it
    has some relative with jeeks when I know.
  • 39:30 - 39:36
    I didn't have details.
    Herald: So microphone number five.
  • 39:36 - 39:45
    Mic 5: The last slide mentioned the
    extraction of platform keys. So a simple
  • 39:45 - 39:54
    question - are they enough to sign a
    firmware update which you would modify so
  • 39:54 - 40:05
    that ME would accept it--
    Maxim: No, sorry. Please repeat.
  • 40:05 - 40:16
    Mic 5: Okay so let me rephrase
    Maxim: I understand. You, okay, the
  • 40:16 - 40:27
    firmware sign it by Intel public key. I
    don't have private key of Intel and this
  • 40:27 - 40:36
    key is not built-in into ME. It is
    platform it is only platform key - this
  • 40:36 - 40:47
    key for symmetric encryption files and
    sign it files on the file system. If you
  • 40:47 - 40:56
    have this key, you can only modify any
    file system. But unfortunately the
  • 40:56 - 41:09
    execution module start in in other places.
    Mic 5: Okay, I get it so now is the path
  • 41:09 - 41:14
    for castrating system from ME yet,
    thank you.
  • 41:14 - 41:19
    Herald: Signal angel?
    Signal Angel: Can you have only free
  • 41:19 - 41:23
    software running on the ME?
  • 41:23 - 41:27
    Maxim: Sorry,
    please repeat question, slowly.
  • 41:27 - 41:34
    Signal Angel: Can you have only free
    software running on the ME by modifying
  • 41:34 - 41:42
    the flash contents?
    Maxim: I don't understand, sorry. You mean
  • 41:42 - 41:51
    that how how how we can modify the file
    systems or not?
  • 41:51 - 41:56
    Signal Angel: Yeah replace the ME firmware
    with free code
  • 41:56 - 42:11
    Maxim: No no, unfortunately because we we
    mustn't to change the the chain between
  • 42:11 - 42:21
    ROM and BUP module. And we mustn't to
    change kernel of ME and BUP module. I
  • 42:21 - 42:33
    don't now how use it functionality for
    change in need to open source solution.
  • 42:33 - 42:42
    But of course you can to do you can do
    special device with detection finality
  • 42:42 - 42:50
    which to replace after reboot all ME from
    reset vector and executed. But it is some
  • 42:50 - 43:06
    quirks, somehow some - impossible, I think
    Herald: Microphone number two.
  • 43:06 - 43:12
    Mic 2: Are you aware anywhere the MINIX
    image has been leaked somewhere where
  • 43:12 - 43:15
    perhaps it could be
    downloaded and analyzed?
  • 43:15 - 43:23
    Maxim: Unfortunately the kernel of ME only
  • 43:23 - 43:36
    based on MINIX. And the Intel guys almost
    all to rewrite all, almost all kernel. And
  • 43:36 - 43:44
    on the reverse engineering. And maybe
    indeed you can get information from Intel
  • 43:44 - 43:52
    after signs NDA, I don't know.
    Herald: Microphone number eight.
  • 43:52 - 43:58
    Mic 8: Do you think it do you think it
    would ever be possible to add your own
  • 43:58 - 44:02
    public keys or are the Intel public keys
    for signing the firmware
  • 44:02 - 44:05
    stored in a ROM only?
  • 44:05 - 44:12
    Maxim: I'm sorry, you mean..
    Mic 8: Could you add your own public keys
  • 44:12 - 44:20
    for signing firmware with, or is not
    possible because the ME checks the public
  • 44:20 - 44:30
    key.
    Maxim: ME checks only hash of public key
  • 44:30 - 44:45
    and we know that ROM has that in ME major
    a lot version of any which signs on two
  • 44:45 - 45:08
    keys. We saw only one keys front from bus.
    And a ROM checked that check SHA from
  • 45:08 - 45:26
    public key exist in whitelist. ROM has
    hard-coded 8 hashes of keys and some lists
  • 45:26 - 45:40
    for some white list of all these hashes.
    And if you keys in this list you can run
  • 45:40 - 45:44
    your ME firmware
  • 45:44 - 45:47
    Mic 8: Okay but that
    list of hashes is in ROM?
  • 45:47 - 45:49
    Maxim: Yeah yeah.
    Mic 8: Okay, thank you.
  • 45:49 - 45:54
    Herald: Signal angel.
    Signal Angel: What is your general
  • 45:54 - 46:01
    impression of this security of ME - how
    vulnerable is it to attacks?
  • 46:01 - 46:13
    Maxim: Sorry, you mean how vulnerable you
    mean have an ability to help us do it?
  • 46:13 - 46:15
    Sorry.
    Signal Angel: You know, how vulnerable is
  • 46:15 - 46:20
    it to other attacks?
    Maxim: On other module, yeah?
  • 46:20 - 46:26
    Signal Angel: Sorry, on what?
    Maxim: In other module.
  • 46:26 - 46:32
    Herald: So I think the question is in
    general how good is the security of the
  • 46:32 - 46:35
    Intel ME?
    Maxim: So sorry..
  • 46:35 - 46:43
    Herald: In general, how good is the
    security of the Intel ME, altogether?
  • 46:43 - 46:50
    Maxim: I think it is because is
    independent researcher can use it for
  • 46:50 - 46:58
    dynamic analysis of any codes - it's it's
    cool I I think.
  • 46:58 - 47:05
    Herald: Microphone number seven.
    Mic 7: Do you have plans to research some
  • 47:05 - 47:10
    specific parts of the
    Intel ME in the future?
  • 47:10 - 47:19
    Maxim: Yeah of course. Intel will publish
  • 47:19 - 47:28
    an ME 11 version and I know that they
    changed Huffman tables for example. And
  • 47:28 - 47:38
    the next the next round of this game will
    start it.
  • 47:38 - 47:42
    Herald: Is there another
    question at microphone 7?
  • 47:42 - 47:52
    Mic 7: So if I understood you correctly,
    just to make sure, this means that you -
  • 47:52 - 48:00
    if you have a CPU of this Skylake
    architecture and a USB 3 port, you can
  • 48:00 - 48:07
    always get low-level access to the ME.
    Maxim: Exactly.
  • 48:07 - 48:12
    Mic 7: So, if I were to own such a chip,
    I would want that patched. What's the
  • 48:12 - 48:20
    usual path? Does the patch come in a
    Windows patch or a BIOS update or what is
  • 48:20 - 48:27
    it?
    Maxim: You have some some ways to use it.
  • 48:27 - 48:38
    If you have a SPI programmer, you you can
    rewrite flash. You mean how we can exploit
  • 48:38 - 48:45
    it?
    Mic 7: No, how does, sorry, how will Intel
  • 48:45 - 48:54
    distribute a patch for this vulnerability?
    Maxim: Oh, unfortunately because downgrade
  • 48:54 - 49:02
    always possible. Intel punched only error
    in BUP function.
  • 49:02 - 49:11
    But researcher or attacker
    can always to downgrade version or to
  • 49:11 - 49:17
    earlier ME and exploit it without any
    problem.
  • 49:17 - 49:27
    We are is SPI controller or a SPI
    programmer and maybe another way.
  • 49:27 - 49:32
    Mic 7: Okay, thank you.
    Herald: Microphone number one.
  • 49:32 - 49:37
    Mic 1: In the demo with video, we saw the
    connection between the two machines with
  • 49:37 - 49:44
    this blue box, but I think there's another
    one way to connect them with just a USB
  • 49:44 - 49:51
    cable. Is there anything you can do with
    the blue box that you can't do without it?
  • 49:51 - 50:00
    Maxim: Yeah we checked it - we use only
    USB3 debug cable. But it is not possible
  • 50:00 - 50:13
    for us because we need to to recover the
    state of work for loading in ME. I do it
  • 50:13 - 50:26
    but I don't like that because I need to
    stop execution for my research. It easy
  • 50:26 - 50:31
    for me and because
    we were using a blue box.
  • 50:31 - 50:33
    Mic 1: Thank you.
  • 50:33 - 50:37
    Herald: Signal angel.
    Signal Angel: Do you plan to publish
  • 50:37 - 50:45
    mask ROM dump in the future?
    Maxim: Yeah, we will plan to do it, yeah.
  • 50:45 - 50:52
    Herald: Signal angel again.
    Signal Angel: Just give me a moment.
  • 50:52 - 51:02
    Maxim: I didn't know, maybe when I
    come back to Moscow.
  • 51:02 - 51:10
    Herald: Any other burning questions?
    Please come up to one of the numbered
  • 51:10 - 51:19
    microphones. Then with that let's give
    Maxim of great warm well applause-
  • 51:19 - 51:22
    Maxim: Thank you much for your attention.
    Herald: Thank you so much Maxim.
  • 51:22 - 51:25
    Applause
  • 51:25 - 51:41
    34c3 outro
  • 51:41 - 51:47
    subtitles created by c3subtitles.de
    in the year 2020. Join, and help us!
Title:
34C3 - Inside Intel Management Engine
Description:

https://media.ccc.de/c/34c3/34c3-8762-inside_intel_management_engine

Positive Technologies researchers Maxim Goryachy and Mark Ermolov have discovered a vulnerability that allows running unsigned code. The vulnerability can be used to activate JTAG debugging for the Intel Management Engine processor core. When combined with DCI, this allows debugging ME via USB.

Maxim Goryachy Mark Ermolov

https://fahrplan.events.ccc.de/congress/2017/Fahrplan/events/8762.html
more » « less
Video Language:
English
Duration:
51:47

English subtitles

Revisions

Our website uses cookies for analysis purposes.