Can you get infected by Intel Management Engine?
<blockquote data-quote="MacDefender" data-source="post: 905016" data-attributes="member: 83059"><p>SMM is quite different from the ME (management engine). Indeed, SMM (which roughly put has to be set up by the EFI firmware) is an almighty hypervisor where at any point in time the SMM interrupt can come in and the processor just goes executing code that was set up. It's like everything you can touch on your PC is actually just the guest of a virtual machine that your vendor set up.</p>
<p>The ME is a separate Minix chip as you said, but it has a far less direct path to memory. The ME has a carved out chunk of memory, by default the top 16MB of memory, and also has its own secure boot chain-of-trust. In that sense it's more similar to something like a Secure Enclave or TPM.</p>
<p>The other off-chip mystery chip on a lot of server-class machines is the BMC, which is like an integrated KVM solution. It usually is an ARM-based ASPEED chipset that runs Linux. It has access to your BIOS settings, and some versions even speak the LPC bus protocol that delivers EFI to the processor when it powers on.</p>
<p>SMM code has the most direct access to your operating system. The ME theoretically does <strong>not</strong> have memory access, though it does have access to peripherals and in the past there were memory vulnerabilities around the 16MB remap region that allowed the ME to get access to other parts of memory, albeit painfully.</p>
<p>The ME is the least direct in terms of snooping on the operating system, though its ability to be a keyboard as well as access and change BIOS settings (and even flash the BIOS) means it often throws physical security out the window.</p>
<p>But either way, almost all of these components are on modern machines and they're all secret sauce from either Intel or your BIOS manufacturer. AMD machines have their own version of the same thing. Apple/Google/Qualcomm have even more mystery chips and coprocessors and their custom firmware running on them. This is one of those threats that you have very little control over, so it's not one I spend a lot of time worrying about as a customer.</p>
<p>As far as malware, I have no idea why malware would want to go through this much trouble. You would need to write malware that has very deep understanding of the Windows memory map and how the Windows kernel works, in order to locate user data or do other interesting things. That's so much effort compared to the 20 lines of obfuscated batch files that seem to be owning us left and right. I would say this attack vector is like an NSA/CIA threat model, not a malware threat model.</p></blockquote>