Intel’s x86 Hidden Control Mechanism

Have you ever thought, “My computer has a mind of its own!”, or muttered “I didn’t tell it to do that!” while working on it? If so (and I know from personal experience it is true for me), then you probably won’t like what is hiding in the chipset next to your Intel processor.

Since the mid-2000s, Intel has been shipping x86 platforms that, apart from the advertised processor with its arithmetic logic unit (ALU) and control unit (CU), also contain a second, largely undocumented microcontroller.

This microcontroller lives in the chipset (the PCH) and is called the Intel Management Engine, or just ME. Up to ME version 10 it was a 32-bit ARC core; from ME version 11 (the Skylake generation onwards) it is a small 32-bit x86 core running its own operating system, separate from anything you install.

So, why is ME such a big deal? Well, because of what it can do. Without you even telling it to or even knowing about it.

That’s right; inside your computer is a microprocessor that “has a mind of its own”.

What’s the deal here? The deal is that when you buy a computer with an Intel CPU (and that covers 79.4% of the market vs. AMD’s 20.6% as of Q3 2018, according to Statista), you also get an extra processor that sits between your CPU and its peripherals and can read and write its memory. Whether you want it or not.

ME can Run Independently from the Main CPU

To make matters even more confusing (and a bit creepy), ME does not rely on the main CPU at all and runs independently of it. It is powered whenever the chipset is, so even when you put the computer to sleep in a low-power state (S3), ME keeps running; with AMT enabled it can even be reached over the network while the OS is shut down (S5), as long as standby power is present.

It gets even better. Some Intel chipsets (the business-oriented vPro ones) also carry Active Management Technology (AMT), firmware that runs on the ME and offers out-of-band remote management: the client-PC counterpart of the Intelligent Platform Management Interface (IPMI) found on servers, but far more capable because it is wired into the platform itself. AMT has its own network stack, sharing the wired NIC beneath the host operating system, and the ME can read and write any region of host memory by DMA without the main CPU being involved or even aware of the access.

But that’s not even the biggest problem. The big problem is that ME runs at what is informally called “ring -3”. What does that mean, and what are “rings”?

Rings are the protection levels x86 uses to keep the operating system and user data safe from misbehaving code. The original four, numbered 0 to 3, separate the kernel (ring 0) from user applications (ring 3); rings 1 and 2 were intended for drivers and OS services with more privilege than ring 3 but less than ring 0, though mainstream operating systems leave them unused. Since then, people have extended the numbering downwards for things that sit beneath the kernel: a hypervisor is “ring -1”, System Management Mode is “ring -2”, and the ME, which sits below even that, gets “ring -3”.

So ME runs at ring -3, as we already stated. That means it has more privilege than anything else on the platform, which in turn means a compromise of it is the worst case: code running there can hide from the OS, the hypervisor and any security software, and a skilled attacker could use it as a backdoor. Or, as hacker Damien Zammit put it back in 2016,

“When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks.”

Of course, Intel has denied that ME can be used as a backdoor, saying:

Intel does not put backdoors in its products nor do our products give Intel control or access to computing systems without the explicit permission of the end user. In short, Intel does not participate in efforts to decrease security in technology.

Researchers Find ME Vulnerabilities

But this didn’t satisfy the security community all that much, and soon enough efforts were made to see whether the ME could be disabled. For a long time this wasn’t possible, but thanks to the NSA of all people, it now can be, at least partially.

Namely, Mark Ermolov and Maxim Goryachy from Positive Technologies found an undocumented switch in the platform firmware linked to the High Assurance Platform (HAP) program. Oh yes, HAP is an NSA program for building hardened “trusted” computers, in case you didn’t know that.

What the two researchers found was a field named “reserve_hap” in the flash descriptor’s PCH strap settings. Setting that bit to 1 (true) tells the ME firmware to stop shortly after the platform finishes initialising, instead of running its full set of services. It does not remove the ME firmware, and the early boot code still runs, but it is the closest thing to an off switch that Intel ships, presumably so that HAP customers could turn the ME off.
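To make the “one bit in the flash descriptor” concrete, here is an added example (not code from the article or from Positive Technologies) that locates the PCH straps in an SPI flash image and reads or sets the HAP bit. It assumes the publicly documented descriptor layout that tools such as me_cleaner rely on: the descriptor signature 0x0FF0A55A at offset 0x10, the PCH straps base encoded in the low byte of FLMAP1 at offset 0x18, and the HAP bit being bit 16 of PCHSTRP0 on ME 11+ platforms. The descriptor bytes below are constructed for the demonstration; run the same functions against a real dump only after checking those offsets against your own image.

```python
import struct

# Flash descriptor constants (public layout as used by tools such as me_cleaner;
# an assumption for this example - verify against your own SPI dump before writing).
FD_SIGNATURE = 0x0FF0A55A   # descriptor signature, little-endian, at offset 0x10
FD_SIG_OFFSET = 0x10
FLMAP1_OFFSET = 0x18        # low byte of FLMAP1 holds the PCH straps base (FPSBA) / 16
HAP_BIT = 1 << 16           # "reserve_hap" bit inside PCHSTRP0 on ME 11+ platforms


def pch_straps_base(image: bytes) -> int:
    """Return the byte offset of PCHSTRP0, or raise if there is no valid descriptor."""
    (sig,) = struct.unpack_from("<I", image, FD_SIG_OFFSET)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at 0x%x" % FD_SIG_OFFSET)
    (flmap1,) = struct.unpack_from("<I", image, FLMAP1_OFFSET)
    return (flmap1 & 0xFF) << 4


def read_pchstrp0(image: bytes) -> int:
    (strap0,) = struct.unpack_from("<I", image, pch_straps_base(image))
    return strap0


def hap_bit_set(image: bytes) -> bool:
    """True if the image already asks the ME to halt after platform init."""
    return bool(read_pchstrp0(image) & HAP_BIT)


def with_hap_bit(image: bytes) -> bytes:
    """Return a copy of the image with the HAP bit set; the input is left untouched
    so the original dump survives as a fallback for re-flashing."""
    patched = bytearray(image)
    base = pch_straps_base(image)
    struct.pack_into("<I", patched, base, read_pchstrp0(image) | HAP_BIT)
    return bytes(patched)


def build_sample_descriptor(hap: bool = False) -> bytes:
    """Constructed 4 KiB descriptor region for the demo; not a real firmware dump."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, FD_SIG_OFFSET, FD_SIGNATURE)
    struct.pack_into("<I", img, FLMAP1_OFFSET, 0x10)        # FPSBA = 0x10 << 4 = 0x100
    struct.pack_into("<I", img, 0x100, HAP_BIT if hap else 0)  # PCHSTRP0
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_descriptor()
    print("HAP bit before:", hap_bit_set(original))
    patched = with_hap_bit(original)
    print("HAP bit after: ", hap_bit_set(patched))
    # The descriptor is the first region of the SPI image, so on real hardware the
    # patched bytes would go back to flash offset 0 with an external programmer.
```

Note that the function only ever works on a copy and refuses images without the descriptor signature; on a real machine the descriptor region is normally write-protected from the OS, so the dump and the write-back both need an external SPI programmer, which is where the bricking risk lives.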

Intel Finds Several Security Flaws

Separately, in November 2017 Intel said it had “identified several security vulnerabilities that could potentially place impacted platforms at risk”, after performing a security review of its Management Engine (ME), Server Platform Services (SPS) and Trusted Execution Engine (TXE) firmware (advisory INTEL-SA-00086, prompted by bugs that the same Positive Technologies researchers reported).

According to Intel itself, these flaws could allow an attacker to impersonate the ME, SPS or TXE (undermining the attestation of the security features that depend on them) and “load and execute arbitrary code outside the visibility of the user and OS”.

Then, in December 2017, Intel added a hardware lock to its ME firmware to prevent downgrade attacks, that is, rolling a patched machine back to a vulnerable firmware version. According to an Intel technical advisory, as of ME version 12 the firmware’s Security Version Number (SVN) “will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN”.

Field Programmable Fuses are one-time programmable: a fuse can be blown once and never restored, so the recorded SVN can only ever go up. At boot, the ME compares the SVN of the firmware image it is about to run with the value in the fuses and refuses to run an image whose SVN is lower, which is exactly what a rollback to an older, vulnerable release would look like.
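The following is an added example, not Intel’s implementation and not from the article, that models why one-time fuses give you a rollback lock. The fuse bank only supports an OR-style “burn”, the fused minimum SVN is read back as the number of blown fuses (a thermometer code chosen for the illustration, not Intel’s encoding), and a boot check refuses any image whose SVN is below that minimum. The scenario function plays out a factory image, a security update, and an attacker re-flashing the old image.

```python
# Model of SVN anti-rollback enforced with one-time-programmable fuses.
# Illustrative only: the fuse encoding and check are this example's own, not
# Intel's; what it demonstrates is the property the real scheme relies on
# (fuses only ever go 0 -> 1, so the minimum accepted SVN can only rise).


class FuseBank:
    """One-time-programmable fuse bank: bits can be burned to 1, never cleared."""

    def __init__(self, width: int = 16):
        self.width = width
        self._bits = 0

    def burn(self, mask: int) -> None:
        # OR-only: there is deliberately no operation that clears a blown fuse
        self._bits |= mask & ((1 << self.width) - 1)

    def value(self) -> int:
        return self._bits


def fused_min_svn(fuses: FuseBank) -> int:
    """Minimum SVN recorded in the fuses (thermometer code: SVN n = n fuses blown)."""
    return bin(fuses.value()).count("1")


def record_svn(fuses: FuseBank, svn: int) -> None:
    """Raise the fused minimum to `svn` by blowing fuses 0..svn-1 (no-op if already higher)."""
    fuses.burn((1 << svn) - 1)


def boot_check(fuses: FuseBank, image: dict) -> bool:
    """Emulate the boot-time decision: run the image only if its SVN is not below
    the fused minimum, and raise the fused minimum when a newer image boots."""
    image_svn = image["svn"]
    if image_svn < fused_min_svn(fuses):
        return False                     # rollback attempt: refuse to run it
    if image_svn > fused_min_svn(fuses):
        record_svn(fuses, image_svn)     # newer firmware: lock out older releases
    return True


def rollback_scenario():
    """Factory firmware (SVN 3), a security update (SVN 5), then an attacker
    re-flashes the SVN 3 image. Returns (boot decisions, final fused minimum)."""
    fuses = FuseBank()
    factory_image = {"name": "factory", "svn": 3}    # constructed sample images,
    patched_image = {"name": "patched", "svn": 5}    # not real ME firmware
    decisions = [
        boot_check(fuses, factory_image),   # accepted, fuses now record SVN 3
        boot_check(fuses, patched_image),   # accepted, fuses now record SVN 5
        boot_check(fuses, factory_image),   # rejected: SVN 3 < fused minimum 5
    ]
    # Even an attempt to "reset" the bank cannot lower the minimum: burn(0) is a no-op.
    fuses.burn(0)
    return decisions, fused_min_svn(fuses)


if __name__ == "__main__":
    decisions, minimum = rollback_scenario()
    print("boot decisions:", decisions)
    print("fused minimum SVN:", minimum)
```

The important line is the `burn` method: because the only primitive is OR, there is no code path, however buggy, that can move the minimum back down. That is also why the remaining attacks are physical ones against the comparison itself rather than against the stored value.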

Of course, attackers with physical access can still try fault injection against that check, or go after the hardware directly, so it looks like we’ll have to wait a little longer for a foolproof solution when it comes to the ME.

Oh, and if you’re thinking of simply removing ME yourself, you can’t. On anything newer than the Core 2 generation, if the platform expects an ME firmware but can’t find it, or finds it corrupted, the machine will either refuse to boot or shut itself down after about 30 minutes.

In other words, it can be partially disabled with the HAP bit described above, but it is one of those “do it at your own risk” situations: flashing the wrong thing to the SPI chip can leave you with a computer that no longer starts.

