Slashdot Mirror


MINIX: Intel's Hidden In-chip Operating System (zdnet.com)

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.

9 of 271 comments

  1. Three questions by Anonymous Coward · Score: 5, Insightful

    1) Do AMD processors have similar vulnerabilities or is this an Intel issue only?

    2) Why isn't Intel being held responsible to fix this, either by action of lawmakers or through lawsuits for providing a faulty product?

    3) Shouldn't Intel either have to patch the vulnerabilities or issue a recall?

    1. Re:Three questions by rickb928 · Score: 4, Insightful

      What should Intel be fixing? MINIX is licensed under the Berkeley license, and apparently they are in compliance. If there is a known security vulnerability, it was not part of the reporting, so far. Perhaps we need to trust Intel that they have secured this adequately, and I know it is common practice to declare all security to be 'vulnerable', and that is assumed to be a best practice, but to enlarge that attitude and declare all such features as unacceptable due to undisclosed or, more correctly, unknown security breaches is naive.

      Intel and others have delivered systems with these 'power off' or out of band management systems for decades. The risks are well understood by those who need to deal with them. Crying the sky is falling dilutes the real arguments, for instance the necessity of these features in consumer grade products, deployment via OS vendors such as Microsoft of widespread out of band management without explicit knowledge by consumers, and lack of useful management tools for SMB users who are not entirely aware of the risks.

      Tanenbaum's root complaint seems to be he got little or no credit. Fair enough.

      And if you don't understand how attractive an out of band management is, you don't need to. That doesn't make it less useful, just makes you unaware, and be glad you are. All that nasty stuff needed to make large organizations function is worthy of scrutiny, but best left to professionals, despite your closely held distrust of authority.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  2. BSD uber alles! by Anonymous Coward · Score: 1, Insightful

    BSD wins again, tough luck Linux using, GPL commie loooosers, the BSD license is once again behind the world's #1 operating system. Boo yeah!

    1. Re:BSD uber alles! by Anonymous Coward · Score: 4, Insightful

      Yep, score one for corporate control.

      Hear that, Tanenbaum? That's the sound of Intel screwing you with your own code.

  3. The years of the Minux desktop by sinij · Score: 5, Insightful

    Apparently, we have been having years of Minux desktop all this time and never knew.

  4. Re:So it's a backdoor/// by swillden · Score: 5, Insightful

    Let's call this what it is: A variation of the "clipper chip" like the government tried to do years ago, except this is more powerful and way worse.

    That's a mischaracterization so egregious it could be called a lie.

    The ME (and AMD's analogous PSP) have nothing to do with government, and nothing to do with cryptography (though they make heavy use of it). Clipper was about enforcing a standardized encryption mechanism with a built-in backdoor specifically for law enforcement. Completely different thing.

    ME and PSP are remote system management tools. Their purpose is to enable enterprises to remotely administer systems, including not only being able to remotely install a new operating system, but to strongly verify the installation from the running OS. The reason it's in all systems, not just systems targeted at enterprise use, is that it's more economical to have a single solution

    That said... you are absolutely correct that these tools *could* be used by malicious parties, whether for corporate espionage, government intrusion or anything else, and they are incredibly powerful, and not understood nearly well enough outside of the teams at Intel and AMD who build them. I know some of the people at Intel who work on this stuff and I'm pretty confident that they're doing good work, and doing the right things... but the lack of transparency makes me really nervous.

    Remote management tools make sense, but it should be possible for end users to disable them, or to take ownership of them and use them for their own ends. The details of exactly how they work, including their source code, should be published. Indeed, I think government should mandate the publication of low-level system management tools and firmware. We need a lot more academic research into the security and operation of these systems.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:So it's a backdoor/// by evolutionary · Score: 3, Insightful

    You seem very confident (feels almost defensive), but ask yourself, why is it closed source yet using an open source core? Nothing to do with government? How would you know that for sure without the source? It's been well documented that the government has approached virtually everyone, even Torvalds, asking for backdoors. Some said yes, some said no, some were likely given a deal they could not refuse. The first thing anyone tries to do in spying is to create doors people don't know about or rebranding it as something else. The admission of the purposes of the clipper chip was met with a lot of resistance. So the government agencies decided to keep other attempts a secret to reduce resistance. Rebranding is a classic way of hiding something in business. Why not government? Unless you know what is in fact in the source it is impossible to say my hypothesis is "egregious" because only top people even know what it does. And why would you put something like "DRM" in something at that low and dangerous level? The DRM is as much as Intel will admit to (and they may have their hands tied and gagged). Never confuse statements given to the public for media purposes as complete disclosure. If it's as innocent as you say, why hide it? We've had evidence leaked that proved government intentions to hook into all systems domestic and foreign through hacks in software and hardware. And a backdoor of this nature is pretty consistent with what we've found from brave people who put their lives on the line to let the public know.

    --
    "Imagination is more important than knowledge" - Einstein
  6. Re:Overblown -- oh and AMD isn't any better by Khyber · Score: 4, Insightful

    They were modded -1 because they're dead fucking wrong. The IME runs AT ALL TIMES IF PRESENT.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. Re:Isn't this like a BIOS? by ledow · Score: 4, Insightful

    Do you know of a BIOS that runs when the computer is off?

    This is beyond "when I get the magic packet IRQ from the Ethernet controller I will wake up" into "there's a full, general purpose OS running on every processor, talking to the network, interpreting traffic, able to intercept every memory access, and which we have no way to probe, investigate, debug or understand and which may well be auto-updating from the Internet on a regular basis without our consent".

    Question: How do you generate a secure private key on a computer with this in? Literally, you can't.

    With BIOS, the scope was so limited that it couldn't be used for such things, and was just "the code that the computer started at" (literally, a soft-reboot is "jump to address 0, the first line of the BIOS").

    This is a full set of processors listening to everything your other processes do all the time no matter what OS you run or security you apply. And nobody knew what it was doing. And the governments have been removing it from their purchases for years by making Intel make chips without it.

    If THAT ONLY wasn't reason enough to worry about what it could be doing, you clearly haven't understood what it could be doing.

    Literally, this is a full-above-root compromise of every machine on the planet under Intel's sole control. Everything from microphones to connected devices to nearby wireless etc. could be turned against the user.

    Doing that with "just a BIOS" was much harder, much more obvious (i.e. you could generally disassemble the firmware and/or inspect it step-by-step as it was running) and much less damaging.

    Intel has a full computer in every chip on almost every motherboard on the planet. And nobody knows or understands why (because computers work just fine without such a feature, always used to, and still do when you disable such things by forceful means), nobody was really told about it, and it's taken years to discover even what architecture/OS it's running on, let alone what it's doing.

    One virus exploiting one flaw in this and anyone can gain control of the planet over the Internet with NO WAY to clean it off or even detect it.