MINIX: Intel's Hidden In-chip Operating System

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.

No mention of AMD?

[Zobeid]

Do AMD processors have any counterpart of this nonsense?

This is a little bit awesome, though.

[Seven+Spirals]

I've been a MINIX user for a long time. I was introduced to it in college in my operating systems course by the Tannenbaum book. This in-chip weirdness is, uhm, bizarre. However, MINIX is still interesting. It's one of the few microkernel based Unix variants and it's innards are particularly clean and easy to hack on due to it's heritage as a teaching OS. I don't know what the hell Intel was thinking, but don't blame MINIX. Go install it and use this as an excuse to get your own hands dirty. :-)

So it's a backdoor///

[evolutionary]

Let's call this what it is: A variation of the "clipper chip" like the government tried to do years ago, except this is more powerful and way worse. It's a backdoor that can potentially operate at a level few not in certain government departments or Intel top level developers can access. Perhaps it's time to give Intel the cold shoulder. Need to confirm if AMD has this backdoor OS in it's processors or not. Wonder how China and Russia respond to this sort of thing? Will we ever see an end of this screwing the end user for corporate and/or government interests?

Thank you.

Thank you for saying that it's off by default - everyone seems to just gloss over that one. More than that, there are only two ways to enable it:
  - using a keyboard shortcut during BIOS POST (physical access, the machine is already owned in any number of ways including just taking the drive out, why bother with AMT?)
or
  - enable it remotely through arbitrary privileged code execution on the machine (it's owned already) AND you have a certificate issued by a trusted CA specifically for AMT provisioning (costs money), and that certificate's domain matches the one being given out by DHCP at the time of provisioning (meaning the network is owned too). If you already own the machine to the point of executing whatever you like with admin-level permissions, and you own the network to the point of changing DHCP options, why bother with AMT?

For someone to get anywhere with AMT / vPro, they would already have exploited far easier routes to getting anything they could get through AMT / vPro. This is the reason we have seen exactly zero articles about people being exploited in the wild through AMT / vPro - anyone that knows what it actually is, and what it takes to run it, knows there are far easier ways in, and those easier ways are a predicate to using AMT to do whatever they could already do.

Re:Isn't this like a BIOS?

[zeugma-amp]

This is a full set of processors listening to everything your other processes do all the time no matter what OS you run or security you apply. And nobody knew what it was doing. And the governments have been removing it from their purchases for years by making Intel make chips without it.

This. Right here. The fact that governments have demanded hardware without it is reason enough NOT to trust that it is 'safe'.

Re:Overblown -- oh and AMD isn't any better

[BlueStrat]

You might want to check your facts here the networking capabilities you're referring to on Intel chipsets is only in the corporate configurations. The consumer based version of the ME does not have a networking stack so there is nothing to remotely control on these configurations.

You don't know that. Nobody but a limited subset within Intel knows if that's actually true or not.

It's a giant freaking security hole with largely unknown properties, therefor nearly impossible for end users to reliably mitigate. Nobody concerned at all with information security should ever run US-made CPUs or commercial operating systems (win/mac). US TLAs have poisoned the well with American hardware and commercial OSes.

Strat

Re:Overblown -- oh and AMD isn't any better

[daniel23]

And by the way, ME has been broken, full disclosure announced here:
https://www.blackhat.com/eu-17...

An exploit to access turned -off computers, presentation due in a month. Sweeeeet...