intel amt stealth breakthrough
play

INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi - PowerPoint PPT Presentation

Dec 28, 2022 •38 likes •628 views

INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi Alexander Ermolov, Security researcher Embedi Maksim Malyutin, Security researcher Embedi About us Dmitriy Evdokimov CTO of Embedi d.evdokimov@embedi.com @evdokimovds Alexander

  1. INTEL AMT. STEALTH BREAKTHROUGH Dmitriy Evdokimov, CTO Embedi Alexander Ermolov, Security researcher Embedi Maksim Malyutin, Security researcher Embedi

  2. About us Dmitriy Evdokimov CTO of Embedi d.evdokimov@embedi.com @evdokimovds Alexander Ermolov researcher, reverse engineer, and information security expert a.ermolov@embedi.com @flothrone Maksim Malyutin programmer who has occasionally ended up dealing with information security m.malyutin@embedi.com @jesusfailed 2

  3. Real-time Q&A Ask us in twitter live, during the BlackHat session! Just use #askaboutintelamt hashtag in your question in twitter, and we will answer you at once! 3

  4. Agenda 1. Introduction to Intel 64 system 4. Spread out architecture 5. Full attack scenario 2. Intel ME/AMT architecture overview 6. Conclusions 3. Unauthorized remote access to Intel AMT system 4

  5. Introduction to Intel 64 system architecture

  6. System architecture overview The best known execution environments: Intel CPU • Intel ME • UEFI BIOS and Intel ME firmware (and a few other blobs) are system firmware stored on the common SPI flash memory. 6

  7. System firmware 7

  8. Execution privileges 8

  9. Intel ME/AMT architecture

  10. Intel ME architecture Intel ME is based on the MCU with ROM and SRAM. The most privileged and hidden execution environment: a runtime memory in DRAM, hidden from CPU • full access to DRAM • working even when CPU is in S5 (system shutdown) • out-of-band (OOB) access to network interface • undocumented communication protocol (MEI) • AMD have a similar technology presented in 2013 — the Platform Security Processor (PSP). 10

  11. Intel ME presence Intel ME is integrated into: PCH ME/AMT version Q-type chipsets since 960 series (2006) • 5 series chipset ME 6.x (AMT 6.x) Intel ME 2.x - 5.x o 6 series chipset ME 7.x (AMT 7.x) Any chipset since 5 series (2010) • 7 series chipset ME 8.x (AMT 8.x) Intel ME 6.x - 11.x o Intel TXE 1.x - 3.x 8 series chipset ME 9.x (AMT 9.x) o Intel SPS 1.x - 4.x o 9 series chipset ME 9.5.x/10x (AMT 9.5.x/10x ) Its name and firmware implementation is specific to a platform type: Desktop/Laptop Intel Management Engine (ME) 100 series chipset ME 11.x • 200 series chipset (AMT 11.x) Server Intel Server Platform Services (SPS) • Mobile Intel Trusted Execution Engine (TXE) • 11

  12. Intel ME RE problems Unknown ME ROM contents on production systems ME ROM images can be found inside Intel ME firmware pre-production debug images (used for debug ROM bypass capability) Code is partially compressed with Huffman, but the dictionary is unknown There is a reconstructed dictionary for ME 6.x - 10.x firmware (see unhuffme) Undocumented MEI communication protocol Some details are already reconstructed (see me_heci.py) Inaccessible ME UMA No method to disable Intel ME But there are ways to cut out unnecessary firmware components (see me_cleaner.py ) 12

  13. Reversing Intel ME me_unpack.py parse Intel ME firmware images and extract all partitions/modules me_util.py send commands to Intel ME through HECI Intelmetool check Intel ME status through HECI unhuffme unpack Huffman-compressed modules from Intel ME firmware image 6.x – 10.x MEAnalyzer a tool to analyze Intel ME firmware images unME11 unpack some Huffman-compressed modules from Intel ME firmware 11.x 13

  14. Useful links • “Rootkit in your laptop”, Igor Skochinsky "Intel ME: The Way of the Static Analysis", Dmitry Sklyarov • A. Kumar, «Active Platform Management Demystified: Unleashing the Power of Intel VPro (TM) Technology", • 2009, Intel Press. Xiaoyu Ruan, «Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with • Intel Embedded Security and Management Engine", 2014, APress. 14

  15. Intel ME firmware components There are main firmware components: bringup module • kernel • drivers and services (to support timers, network, heci, …) • and the applications, that implements different Intel technologies: PTT • AMT • ... • Depending on the technologies applied, the firmware types are: Ignition firmware (ME 6.x only) - the minimal contents • 1.5MB firmware - not full modules contents • 5MB firmware - full firmware contents • 15

  16. Intel AMT Architecture Intel AMT is an application inside Intel ME firmware. Access Control List (ACL) Management Access Monitor **Agent Presence Intel AMT features: Alarm Clock Boot Control • Web-Interface Certificate Management • SOL Discovery *Event Manager • IDE-R Hardware Assets **KVM Configuration • KVM **Network Administration Power It is a part of the “ vPro ” brand, so it is officially supported Power Packages **Redirection (SOL and USB-R) on the vPro-marked systems. Usually these systems have Q-type Remote Access Storage chipsets.. **Storage File System *System Defense Time Synchronization User Consent *Wireless * Posible interesting for attacker ** Intresting for attacker 16

  17. Intel AMT Access Intel AMT features can be accessed via a network or a local interface Intel AMT has two types of interfaces: network interfaces (Intel AMT Releases 2.5, 2.6, 4.0, and 6.0 and later releases support a wireless, along with a wired, network interface) and a local interface. TCP/UDP messages addressed to certain registered ports are routed to Intel AMT when those ports are enabled. Messages received on a wired LAN interface go directly to Intel AMT. Local applications can communicate with the Intel ME the same way network applications do: WS-Management over SOAP over HTTP This could be done using the Local Manageability Service.LMS). 17

  18. Intel AMT network Ports 5900 – AMT VNC-server without encryption; 16992 – AMT web-server, HTTP protocol; 16993 – AMT web-server, HTTPS protocol; 16994 – AMT redirection for SOL, IDE-R, KVM without encryption; 16995 – AMT redirection for SOL, IDE-R, KVM with TLS. Intel AMT authentication options: • Digest • Kerberos AMT Implementation and Reference Guide - Manageability Ports 18

  19. Unauthorized remote access to Intel AMT system

  20. Intel AMT logon page When accessed through a regular web-browser Intel AMT redirects us to a logon page and challenges with a password. 20

  21. Digest Authentication in Intel AMT As for RFC 2617, the first time the client requests the document, no Authorization header field is sent, so the server responds with 401 Unauthorized: $ mitmdump -p 8080 -dd Proxy server listening at http://0.0.0.0:8080 127.0.0.1:50186: clientconnect >> GET http://192.168.1.1:16992/index.htm Host: 192.168.1.1:16992 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 << 401 Unauthorized 689b WWW-Authenticate: Digest realm="Digest:C8090000000000000000000000000000", nonce="+9GoAAZEAACYo+Ka4uJ0dCwoKCxAtTP2",stale="false",qop="auth" Content-Type: text/html Server: Intel(R) Active Management Technology 9.0.30 Content-Length: 689 Connection: close 127.0.0.1:50186: clientdisconnect 21

  22. Digest Authentication in Intel AMT When given a username and password, the client responds with a new request, including the Authorization header field: ... 127.0.0.1:50190: clientconnect >> GET http://192.168.1.1:16992/index.htm Host: 192.168.1.1:16992 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Digest username="admin", realm="Digest:C8090000000000000000000000000000", nonce="JOKoAAdFAAApQD4w/l+88v4fscE6y2Ke", uri="/index.htm", response="7a8df4aa68a83ba59855d7a433522cf7", qop=auth, nc=00000001, cnonce="6e8da33dda6b05d8" << 200 OK 2.42k Date: Wed, 5 Jul 2017 20:07:21 GMT Server: Intel(R) Active Management Technology 9.0.30 Content-Type: text/html Transfer-Encoding: chunked Cache-Control: no cache Expires: Thu, 26 Oct 1995 00:00:00 GMT 22

  23. Digest Authentication in Intel AMT Note the name of the fields sent in the Authorization Headers. These strings will help us to pin-point the auth-related functionality in the actual ME firmware. ... 127.0.0.1:50190: clientconnect >> GET http://192.168.1.1:16992/index.htm Host: 192.168.1.1:16992 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Digest username="admin", realm="Digest:C8090000000000000000000000000000", nonce="JOKoAAdFAAApQD4w/l+88v4fscE6y2Ke", uri="/index.htm", response="7a8df4aa68a83ba59855d7a433522cf7", qop=auth, nc=00000001, cnonce="6e8da33dda6b05d8" << 200 OK 2.42k Date: Wed, 5 Jul 2017 20:07:21 GMT Server: Intel(R) Active Management Technology 9.0.30 Content-Type: text/html Transfer-Encoding: chunked Cache-Control: no cache Expires: Thu, 26 Oct 1995 00:00:00 GMT 23

Recommend

Research Agenda 2 Breakthrough Commercialization Post-breakthrough Pre-Breakthrough

Research Agenda 2 Breakthrough Commercialization Post-breakthrough Pre-Breakthrough

6/11/12 Emergence of Creative Breakthroughs using 1 Author-ity database Sen Chai Harvard Business School UIUC Workshop on Disambiguation June 2012 Research Agenda 2 Breakthrough Commercialization Post-breakthrough

359 views • 13 slides
10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by

10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by

10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by what it looks like Genesis 41:39-40 Then Pharaoh said to Joseph, You shall be in charge of my palace, and all my people are to submit to your

427 views • 11 slides
Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mnica INESC-ID/IST diogo.monica@ist.utl.pt Thursday, August 29, 13 Summary Motivation Problem statement Stealth C&amp;C using browsers Final remarks

606 views • 32 slides
Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim

Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim

Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim Walton Jim Walton ZZZZZZZZZZZZZZZZZZZZZZZZZ Hey! Someone, wake up Its a Workin Day Why Breakthrough Change? Structural Deficit The Growing

535 views • 51 slides
Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer

Stealth Peptides Leading Mitochondrial Therapeutics Mitochondria Origin Mitochondria primer Origins of mitochondria o Prokaryotic cells including bacteria o Eukaryotic cells Slide 2 Stealth Peptides Mitochondria Function

256 views • 15 slides
The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA

The he ste stealth alth dish dish Mario Ar Arma mando Natali, I0NAA AA mario.natali@gmail.com ARI ARI Perugia EME Conference 2016, Venice Impedimentum pro occasione arripere Mario Armando Natali , I0NAA The stealt he stealth h dish

607 views • 19 slides
What were going to talk about Breakthrough (the brand) DaJie (the business)

What were going to talk about Breakthrough (the brand) DaJie (the business)

BREAKTHROUGH growing positive behaviours Rob Han Lina Bartuseviciute Liisa Yu Betty Tian Derrie Guan Tony Won What were going to talk about Breakthrough (the brand) DaJie (the business) Business model Action

860 views • 53 slides
Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info

Stealth Secrets of the Malware Ninjas By Nick Harbour Overview Intro Background Info Malware Forensics and Incident Response Anti-Forensics Executables Stealth Techniques Live System Anti-Forensics Process

907 views • 76 slides
Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel

Challenging the Intel Xeon: ARM and OpenPower Now you really have to optimize Mighty Intel Intel had a 99.2 percent market share in server chips (IDC, 2015 Quoted on InfoWorld) We started experimenting with SoCs two

838 views • 47 slides
Breakthrough A Sudden dramatic and important discover of development. A Aha moment.

Breakthrough A Sudden dramatic and important discover of development. A Aha moment.

Breakthrough A Sudden dramatic and important discover of development. A Aha moment. Breakthrough What bible stories of Breakthrough do you know? Name them! Break-in Break-down Break- In We need to allow God to break-in for our lives.

593 views • 16 slides
Breakthrough Therapy CMC Challenges Ganapathy Mohan, PhD Merck &amp; Company FDA/PQRI

Breakthrough Therapy CMC Challenges Ganapathy Mohan, PhD Merck &amp; Company FDA/PQRI

Breakthrough Therapy CMC Challenges Ganapathy Mohan, PhD Merck &amp; Company FDA/PQRI Conference October 2015 1 Topics Current state of Breakthrough Therapy Designation Mercks experience Closing thoughts 2 Drug Development

721 views • 20 slides
5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna

5G Cloud Native from RAN to Core Christian Maciocco, Intel Shilpa Talwar, Intel Saikrishna Edupuganti, Intel Muhammad (Asim) Jamshed, Intel 2020 Agenda Cloud Native Disaggregated Network Infrastructure Transition to 5G Near

639 views • 38 slides
Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21, 2006 firstname[dot]lastname[AT]francetelecom[dot]com Who Are We? Network security geeks (?) in R&amp;D labs Working for France Telecom -

610 views • 35 slides
HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University

HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University

HexPADS: a platform to detect stealth attacks Mathias Payer (@gannimo), Purdue University http://hexhive.github.io Deployed defenses focus on memory corruption (c) AP Photo/RIA Novosti, Alexei Druzhinin, Government Press Service (c)

317 views • 18 slides
Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @

Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @

Intel IT OpenStack Practice Validation Labs with OpenStack Shuquan Huang, Intel IT Engineering Computing Weibo: @ Intel Information Technology Intel Confidential Do Not Forward Agenda About Me Intel IT with OpenStack

405 views • 39 slides
Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda

Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda

Causes of Performance Swings Due to Code Placement in IA Zia Ansari zia.ansari@intel.com Intel Corporation 11/03/16 Agenda The purpose of this presentation Intel Architecture FE 101 Lets look at some example So can we do

289 views • 24 slides
Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode)

Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode)

Shannon-type Inequalities, Submodular Width, and Disjunctive Datalog Hung Q. Ngo (Stealth Mode) With Mahmoud Abo Khamis and Dan Suciu @ PODS 2017 Table of Contents Connecting the Dots Output Size Bounds and Information Theory Shannon-flow

2.22k views • 190 slides
intel.com/cloudforall Legal Disclaimer OpenStack is a registered trademark of the OpenStack

intel.com/cloudforall Legal Disclaimer OpenStack is a registered trademark of the OpenStack

intel.com/cloudforall Legal Disclaimer OpenStack is a registered trademark of the OpenStack Foundation in the United States, other countries or both. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other

325 views • 29 slides
Breakthrough Stem Cell Therapies for SCI Dr. Kim

Breakthrough Stem Cell Therapies for SCI Dr. Kim

Breakthrough Stem Cell Therapies for SCI Dr. Kim Anderson-Erisman &amp; Jennifer French October 23, 2014 Have a Question? www.NeurotechNetwork.org Helping

729 views • 23 slides
SC19 briefing notes J. Simone Intel Ponte Vecchio GPU and OneAPI SW Promotional keynote at Intel

SC19 briefing notes J. Simone Intel Ponte Vecchio GPU and OneAPI SW Promotional keynote at Intel

SC19 briefing notes J. Simone Intel Ponte Vecchio GPU and OneAPI SW Promotional keynote at Intel sponsored HPC Developer Conference by Raja Koduri: senior VP, chief architect, and GM of Architecture, Graphics, and Software at Intel Corporation.

191 views • 6 slides
Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN

Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN

Non-Perturbative Collider Phenomenology of Stealth Dark Matter Ethan T. Neil (CU Boulder/RIKEN BNL) for the LSD Collaboration USQCD All Hands Meeting May 1, 2015 L attice S trong D ynamics Collaboration Xiao-Yong Jin Joe Kiskis James Osborn

408 views • 24 slides
Intel 8086 Intel 8086 was launched in 1978. It was the first 16-bit microprocessor.

Intel 8086 Intel 8086 was launched in 1978. It was the first 16-bit microprocessor.

10/13/2010 Intel 8086 Intel 8086 was launched in 1978. It was the first 16-bit microprocessor. This microprocessor had major improvement over the execution speed of 8085. Gursharan Singh Tatla professorgstatla@gmail.com It is

268 views • 6 slides
Breakthrough Insight into DDR4/LPDDR4 Memory Greater Than 2400 Mb/s January 2015 Jennie

Breakthrough Insight into DDR4/LPDDR4 Memory Greater Than 2400 Mb/s January 2015 Jennie

Breakthrough Insight into DDR4/LPDDR4 Memory Greater Than 2400 Mb/s January 2015 Jennie Grosslight Product Manager Agenda Overview Benefits and challenges for DDR4 and LPDDR4 &gt;2400Mb/s Breakthrough Insight Gained from Logic

585 views • 40 slides
02.11.2018 When and Where will a Breakthrough Come? Technology breakthroughs often happens

02.11.2018 When and Where will a Breakthrough Come? Technology breakthroughs often happens

02.11.2018 When and Where will a Breakthrough Come? Technology breakthroughs often happens randomly and not linked to major initiatives INF3490/INF4490 Biologically inspired and projects. computing AI breakthroughs depend on the

727 views • 4 slides

More recommend