Intel Management Engine (Intel ME)

Intel Management Engine (Intel of ME) is the subsystem as a part of systems on x86 platform focused on the solution of the different tasks connected with monitoring and service of the computer during its "dream" and in the course of work.

The system of Intel of ME is built in all modern computer platforms with chipsets of the company Intel Security of Firmwares^[1]: desktops, notebooks, servers, tablets. Intel of ME is the only operating system which:

• works when the computer is switched off (electricity on BP moves);
• has access to all contents of RAM of the computer;
• has out-of-band access to the network interface.

Principal component of Intel of ME - the microcontroller which is built in a chipset with the configured architecture. As basic model 32-bit ARCtangent-A4 is used.

Idea of interaction of Intel of ME, (2013)

Intel of ME is used at start of the PC and initial setup of the motherboard. Failure of Intel Management Engine or its forced shutdown (provided that more nothing failed on a payment or in the notebook) often affects operation of fans the maximum turnovers and lack of change of speed, depending on temperature of the cooled components (including Intel of ME is engaged in it). Or the computer is not started, switched off after some time frame after start^[2].

History

2018

It is found "it is impossible idle time" a method of cracking of notebooks on Intel processors

Researchers of F-Secure company revealed a serious problem with Intel Active Management Technology technology thanks to which malefactors can bypass local means of authorization on notebooks based on Intel processors. Experts note that for operation of this vulnerability there are enough half-minute and any specialized knowledge it will not be required^[3].

The malefactor will need physical access to the laptop interesting him. In the course of reset it is enough to malefactor to clamp CTRL+P and to enter the management console of Intel Management Engine BIOS Extension (MEBx). As it becomes clear, in MEBx there is a preset password "admin" which it is enough to change the preset password to BIOS, to configure remote access and to switch off authorization of AMT completely.

Further malefactors can get far off into the computer of the victim through a local network or because of its limits using the CIRA server (the server of remote access at the request of the client).

"The attack to inconceivable is simple performed by, but at the same time has enormous destructive potential, - the senior security consultant of F-Secure Harry Sintonen said. - In practice the malefactor through a local network can receive full control over the working notebook of the victim whatever extensive were the taken security measures".

2017

Intel eliminated the vulnerability in Management Engine found Positive Technologies

The Intel company published in November the bulletin of security^[4]in which announced release of a patch for elimination of vulnerability in a subsystem of Intel of ME which was detected by experts of Positive Technologies Mark Yermolov and Maxim Goryachim. Also the Intel company published a special tool which will help administrators of Windows and Linux systems to learn about whether their equipment is vulnerable.

Intel Management Engine is the closed technology which represents the microcontroller integrated into a chip by Platform Controller Hub (PCH) with a set of the built-in peripheral devices. Through PCH almost all communication of the processor with external devices therefore Intel of ME has access practically to all data on the computer is performed. Researchers managed to find an error which allows to execute the unsigned code in PCH on any motherboard for Skylake family processors above.

For example, malefactors can attack computers with the vulnerable version of Intel of ME, using this error of security and to set potentially in the code of Intel of ME of 'tab' (for example, spyware) which the majority of traditional means of protecting will not detect. Since 'tab' will function in this case on the separate chip, but not on CPU at which the majority of OS and traditional means of protecting work.

At the same time the main system can remain operable, thus the user can not suspect that on his computer spyware steady against reinstallation of OS and updating of BIOS functions.

The complete list of vulnerable processors is presented in the bulletin of security of Intel:

• Intel Core of generations 6, 7 and 8;
• Intel Xeon E3-1200 v5 и v6;
• Intel Xeon Scalable;
• Intel Xeon W;
• Intel Atom C3000;
• Apollo Lake Intel Atom E3900;
• Apollo Lake Intel Pentium;
• Celeron chips of the N and J series.

Errors in processors

In several series of Intel processors the error which is incidentally leading to "falling" of systems running Windows and Linux is revealed. ^[5] the Problem mentions processors of the series Kaby Lake, Skylake, Xeon v5, Xeon v6 and some models of Pentium and Core X v6 processors.

In Intel processors the errors leading to data loss are found

The error was found by the compiler writer of OCaml last year. Immediately informed on it Intel, and the producer of processors released corrections in a microcode and updated documentation to processors Skylake and Kaby Lake, having pointed to existence of a problem.

In difficult micro-architectural conditions the short cycles consisting less than of 64 instructions using the registers AH, BH, CH or DH and also corresponding to them wider registers (for example, RAX, EAX or AX for AH), can cause an unpredictable system behavior. It can occur only when both logical processors on one physical processor are active, said in documentation (see, for example, Errata SKZ7 for Core X processors ^[6] and Errata KBL095 for processors of the seventh generation ^[7])

Debian developers investigated a problem and showed that a system can inadequately behave, in the range from incorrect work of separate applications and before damage and data loss. As an intermediate measure it is recommended to disconnect multithreading (Hyperthreading) at the level of BIOS/UEFI (that, however, will inevitably lead to serious falling of performance) and to wait for the corresponding updates from computer makers.

It should be noted that a number of producers of systems based on Linux already managed to extend corrections for BIOS/UEFI, but it is still unclear when to wait for corrections from computer makers under Windows.

The error has no epidemic character, but even its accidental character creates a certain danger to users of computers based on the listed processors. Especially it concerns systems which should work uninterruptedly. For them shutdown of Hyperthreading technology will be the most reasonable solution at the moment.

2010

Since 2010 with transfer of a part of functional units of the north-bridge (a graphic core, the memory controller) in the CPU body, Intel of ME began to be built in all chipsets of production of Intel. At the same time the ME controller remained in the chipset body, in Platform Controller Hub (PCH) - chipsets of the 5th series above.

This subsystem is built in also server platforms of Intel, but under other name — Intel Server Platform Services (SPS). There was an emergence and in SoC (System-on-a-Chip) under the name of Intel Trusted Execution Engine (TXE).

The architecture of everyone modern мобильной/портативной/настольной/серверной the computer platform with chipset/SoC from Intel comprises the most reserved (from the user of a system) and the exclusive environment of execution — a subsystem of Intel of ME. Developing this architecture, the Intel company had to work seriously to protect from a compromise.

Subsystem of Intel of ME - an integral part of architecture of modern computer platforms (on the basis of chipsets/SoC Intel). Its compromise gives to the potential malefactor boundless opportunities of control over the platform:

• access to all contents of RAM (a system memory, memory of a hypervisor, SMRAM, ACRAM, the selected memory for a graphic core — GFX UMA),
• out-of-band access to the network interface (monitoring of all network traffic),
• remote control as part of regular functionality of AMT,
• rewriting of any regions of SPI flash memory.

At the same time the total absence of opportunities of detection of the malefactor is provided.

Intel of ME is protected. Basic principles of this protection:

• prohibition on use of the password by default, coercion to installation of the strong password (conforming to certain requirements);
• use of functions of enciphering in network protocols;
• control of integrity and authenticity of all executable code of a firmware;
• mechanisms of protection against operation of binary vulnerabilities.

2006

In 2006 the microcontroller was transferred to the chipset north-bridge (Graphics and Memory Controller Hub, GMCH). Then the subsystem was called by Intel Management Engine (ME) of version 2.0.

In 2006 in Intel of ME added features:

• full access to contents of RAM of the computer via the internal DMA controller,
• monitoring of a video flow on the monitor (only in case of use of the built-in graphic core).

Afterwards on this subsystem began to add different system functions (BIOS was engaged in some) for ensuring operability of the computer platform:

• part of the Advanced Control and Power Interface (ACPI) and Alert Standard Format (ASF) functions;
• Quiet System Technology (QST);
• Integrated Clock Control (ICC);
• Trusted Platform Module (TPM);
• ...

2005: Active Management Technology (AMT) of version 1.0

In 2005 the Intel company provided Active Management Technology (AMT) technology of version 1.0 — the solution for remote administration (management, inventory, updating, diagnostics, troubleshooting, etc.) and protection of desktop computer systems, similarity of the Intelligent Platform Management Interface (IPMI) technology which is used in servers.

Concept of architecture of Intel AMT1.0, (2005)

The architecture of AMT 1.0 is based on the microcontroller (Management Engine) integrated into the chipset having opportunities:

• out-of-band (out-of-band) access to the network interface (Ethernet) which it separates with the main CPU, but, having own controller of the data link layer, performs monitoring of all entering network traffic from which "cuts out" (through Packet Filter) the packets intended for it. This traffic is not visible to OS (existence and which status, by the way, does not influence work of AMT in any way) any more;
• the internal Web server with TLS enciphering;
• access to peripheral equipment, receiving and storage in a non-volatile memory (in the same place, where also its firmware) information on it.

The microcontroller begins work from the moment of power supply on the motherboard of a computer system from BP, before connection of the computer to the electric network and before start by the PC user.

Intel Management Engine is always included.

Notes