Info about ME
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." --- Sun Tzu
We should know our enemies from RING 3/0/-1/-2 and especially the "devil" from the RING -3 world.
- Introducing Ring -3 Rootkit - 2009-08
- A Quest To The Core - 2009-09
- Security Evaluation of Intel's Active Management Technology - 2010
- Intel AMT/ME Meet Intel's hardware backdoor - 2012-09
- Rootkit in your laptop - 2012-10
- Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware - 201312, presentation video at 30C3.
- Intel ME Secrets - 2014-06, video1, video2
- Intel ME: Two Years Later - 2014-10
- Reversing firmware using radare2 - 2014-10
- Intel ME: The Way of the Static Analysis - 201703, presentation video
- Intel AMT: Using & Abusing the Ghost in the Machine - 201710, video
- How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine - 201712, white paper.
- Intel ME: Flash File System Explained - 201712, white paper: https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
- Inside Intel Management Engine - 201712
- Intel ME: Myths and reality - 201712
- Intel ME Security keys Genealogy, Obfuscation and other Magic - 201807
- mysteries_intel.txt - 2012-07
- Intel Management Engine - 2012-10
- Detecting Peripheral-based Attacks on the Host Memory - 201407
- Intel x86 considered harmful - 2015-10
- Безопасность прошивок на примере подсистемы Intel Management Engine (Firmware security, using the Intel Management Engine subsystem as an example) - 2016-03
- Intel ME. Как избежать восстания машин? (Intel ME. How to avoid the rise of the machines?) - 2016-04
- Why is the latest Intel hardware unsupported in libreboot?
- Intel ME info on coreboot's wiki
- me.bios.io contains some early research about ME: the ME blob format page might need an update; get a proper version of the GNU toolchain for ARC and then try ARC disassembly on earlier ME versions.
- Starting point for minimizing ME; see the current status of me_cleaner.
- Neutralize ME firmware on SandyBridge and IvyBridge platforms is an operational manual; we have done it on some mainboards (including a Skylake-based one) so far.
- Reverse-engineering the Intel Management Engine's ROMP module - 201705, the C pseudocode of the ROMP module can help us better understand how it works and how crucial code modules of Intel ME could be exploited.
- INTEL AMT. STEALTH BREAKTHROUGH, white paper.
- Has Intel ME Analysis Tool Development Petered Out? - 201708, the first public disclosure that ME versions >= 11 run a MINIX-based OS.
- Disabling Intel ME 11 via undocumented mode - 201708, the HAP/AltMeDisable bit is fully disclosed to the public: the NSA treats Intel ME as a risk that is hard to avoid without high cost, so they had Intel add a kill switch for their defensive program.
- Выключаем Intel ME 11, используя недокументированный режим (Disabling Intel ME 11 using an undocumented mode)
- Deep dive into Intel Management Engine disablement - 201710
- JTAG в каждый дом: полный доступ через USB (JTAG in every home: full access via USB) - 201711, Intel ME memory can be fully accessed through JTAG debugging over USB DCI, which could possibly also be used to dump SMRAM for forensics.
- Восстановление таблиц Хаффмана в Intel ME 11.x (Recovering Huffman tables in Intel ME 11.x) - 201712, https://habrahabr.ru/company/pt/blog/344056/; English version: Recovering Huffman tables in Intel ME 11.x
- The Intel Management Engine - 201712
- Как взломать выключенный компьютер или выполнить код в Intel ME (How to hack a turned-off computer or run code in Intel ME) - 201801
Free/libre open source tools
- me_cleaner, neutralizes the ME by minimizing its functions.
- me-tools, extracts code modules for further understanding.
- intelmetool, gets info from the ME via MEI interfaces on GNU/Linux.
- MEAnalyzer, shows details of an image containing ME firmware.
- MCExtractor, Intel, AMD & VIA Microcode Extraction Tool
- Huffman decompression for version 11.x Intel ME modules
- Intel ME 11.x Firmware Images Unpacker
- Intel ME (Manageability engine) Huffman algorithm
- Intel Management Engine: Drivers, Firmware & System Tools, up-to-date, Windows-only tools.
- jeff-tools, can unpack the applets from JEFF files used by Intel ME's DAL.
- unME11, Intel ME 11.x Firmware Images Unpacker
- parseMFS, Python 2.7 scripts for parsing MFS/MFSB partition and extracting contained files.
- unME12, Intel ME 12.x Firmware Images Unpacker
- Intel Management Engine JTAG Proof of Concept
IDA Pro scripts
Intel ME/"apps" advisory
- INTEL-SA-00075, CVE-2017-5689: Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege - 20170501, vulnerability detection script
- INTEL-SA-00081, CVE-2017-5697: Intel AMT Clickjacking Vulnerability - Jun 5 2017
- CVE-2017-5705/INTEL-SA-00086: memory corruption affecting ME 11.x, SPS 4.0, and TXE 3.0 - Nov 2017, Intel released a detection tool for GNU/Linux that can determine the status of SPS at runtime.
AMD PSP advisory
- Red alert! Intel patches remote execution hole that's been hidden in biz, server chips since 2010 - 20170501, CVE-2017-5689, mjg59's write-up and INTEL-SA-00075 Mitigation Guide. Vendors like SIEMENS fixed CVE-2017-5689 in late June.
- Intel & ME, and why we should get rid of ME, by the FSF (Free Software Foundation)
- Researchers find vulnerability in older versions of Intel ME, but you probably don't need to worry
- State considered harmful - 201512
- Intel SGX Explained - 2016
- Some notes on the Monotonic Counter in Intel SGX and ME - 201711
- Overview of Intel SGX - Part 1, SGX Internals - 201807
Intel SGX attacks, most of them via side channels
- Malware Guard Extension: Using SGX to Conceal Cache Attacks - 201702
- DR.SGX: Hardening SGX Enclaves against Cache Attacks with Data Location Randomization
- Another Flip in the Wall of Rowhammer Defenses
- SGX-Bomb: Locking Down the Processor via Rowhammer Attack - 2017
- Some notes on the Monotonic Counter in Intel SGX and ME - 201711
- CacheQuote: Efficiently Recovering Long-term Secrets of SGX EPID via Cache Attacks - 2018
- ZeroTrace: Oblivious Memory Primitives from Intel SGX - 2018, source code.
- Spectre attack against SGX enclave - 201801
- Foreshadow - 201808
- Interface-Based Side Channel Attack Against Intel SGX
Intel SGX implementation
- Intel SGX for Linux*, comprised of the Intel(R) SGX driver, the Intel(R) SGX SDK, and the Intel(R) SGX Platform Software (PSW).
- Microsoft Haven
- SCONE: Secure Linux Containers with Intel SGX
- Graphene Library OS with Intel(R) SGX Support
- Panoply: Low-TCB Linux Applications with SGX Enclaves, the paper is here.
- ZeroTrace: Oblivious Memory Primitives from Intel SGX - 2018, the implementation for server devices >= Skylake; source code.
- Trusted Execution In Untrusted Cloud - 201112
- Thoughts on Intel's upcoming Software Guard Extensions (Part 1) - 201308
- Thoughts on Intel's upcoming Software Guard Extensions (Part 2) - 201309
- Introducing graphene-ng: running arbitrary payloads in SGX enclaves - 201806