Nagisa

Level 4
Verified
As far as I know, there is a standalone chip on motherboards that Intel has added since 2008. That chip contains a Minix-based operating system and has full control over the hardware: direct access to RAM, ethernet, etc., all the time, whether the computer is running or not. It can't be disabled, or blocked by a software firewall, as it has its own operating system. They say it's kind of running at ring -3, so it has even higher privileges than system management control.


Is it possible to get infected by a malware that exploits this chip on older systems?
 

MacDefender

Level 11
Verified
SMM is quite different from the ME (management engine). Indeed, SMM (which, roughly put, has to be set up by the EFI firmware) is an almighty hypervisor where at any point in time the SMM interrupt can come in and the processor just goes executing code that was set up. It's like everything you can touch on your PC is actually just the guest of a virtual machine that your vendor set up.

The ME is a separate Minix chip as you said, but it has a far less direct path to memory. The ME has a carved out chunk of memory, by default the top 16MB of memory, and also has its own secure boot chain-of-trust. In that sense it's more similar to something like a Secure Enclave or TPM.

The other off-chip mystery chip on a lot of server-class machines is the BMC, which is like an integrated KVM solution. It usually is an ARM-based ASPEED chipset that runs Linux. It has access to your BIOS settings, and some versions even speak the LPC bus protocol that delivers EFI to the processor when it powers on.

SMM code has the most direct access to your operating system. The ME theoretically does not have memory access, though it does have access to peripherals and in the past there were memory vulnerabilities around the 16MB remap region that allowed the ME to get access to other parts of memory, albeit painfully.

The ME is the least direct in terms of snooping on the operating system, though its ability to be a keyboard as well as access and change BIOS settings (and even flash the BIOS) means it often throws physical security out the window.

But either way, almost all of these components are on modern machines and they're all secret sauce from either Intel or your BIOS manufacturer. AMD machines have their own version of the same thing. Apple/Google/Qualcomm have even more mystery chips and coprocessors, with their custom firmware running on them. This is one of those threats that you have very little control over, so it's not one I spend a lot of time worrying about as a customer.

As far as malware, I have no idea why malware would want to go through this much trouble. You would need to write malware that has a very deep understanding of the Windows memory map and how the Windows kernel works, in order to locate user data or do other interesting things. That's so much effort compared to the 20 lines of obfuscated batch files that seem to be owning us left and right. I would say this attack vector is like an NSA/CIA threat model, not a malware threat model.
 

SpiderWeb

Level 3
Yes. But we are too obsessed with Intel ME. Did you know that your keyboard has a cache to store keystrokes? That chip can be compromised and every keystroke logged too.
Or your mouse's cache to keep track of your mouse movements:

I think there are many components in a computer more vulnerable than Intel ME; no need to go for the most difficult when there are easier targets. If you want to protect yourself, you have 3 choices:
1. Latest hardware from System76, Purism, ThinkPenguin and enable Firmware Protection in Windows 10
2. Use a Chromebook because Google Project Zero is obsessed with these vulnerabilities and hardening and signing/verifying every line of code in the components in Chromebooks with every boot.
3. Apple Silicon. They said screw it, the whole Intel architecture is Swiss cheese, so they made their own chip.
 