Intel x86 considered harmful – survey of attacks against x86 over last 10 years

(blog.invisiblethings.org)

276 points chei0aiV | 4 comments | 27 Oct 15 14:51 UTC | HN request time: 0.63s | source

Show context

pjc50 ◴[27 Oct 15 16:01 UTC] No.10458874[source]▶

"System management mode" is a tremendous wart and should be removed wholesale, with Intel adopting a more ARM-style trusted boot chain with explicit cooperation from the OS or hypervisor. And while you're at it, kill UEFI and install a pony for me.

(Seriously, SMM serves either bizarre ILO features that high-end vendors like but are rarely used, or security agencies looking for a layer to hide in.)

replies(5): >>10459094 #>>10459158 #>>10459893 #>>10460557 #>>10462796 #

rwmj ◴[27 Oct 15 16:35 UTC] No.10459158[source]▶

>>10458874 #

Actually ILO is pretty useful :-)

I have an APM (ARM64) Mustang, and this takes a rather different approach, but probably not one you'll think is better. The chip advertises 8 x 64 bit cores, but there's a 9th 32 bit core which runs all the time, even when the machine is powered down (although obviously still connected to mains power). It runs a separate firmware, in its own RAM, but can access the main memory at will and invisibly to the main OS.

One way to look at this is it's brilliant that we can just put a tiny Cortex-M3 in a spare bit of silicon and have it do useful management stuff.

replies(5): >>10459253 #>>10459344 #>>10460086 #>>10460423 #>>10462384 #

pjc50 ◴[27 Oct 15 18:29 UTC] No.10460086[source]▶

>>10459158 #

It runs a separate firmware, in its own RAM, but can access the main memory at will and invisibly to the main OS

All watched over by hypervisors of loving grace.

How do you know what the firmware does? Is it even possible to inspect it, let alone replace it? It's just another part of the attack surface - not necessarily deliberately, but if there are exploitable bugs in that firmware that can be triggered from the rest of the system, it's another security risk.

replies(2): >>10460476 #>>10464198 #

rwmj ◴[27 Oct 15 19:28 UTC] No.10460476[source]▶

>>10460086 #

It's possible to update it, not sure about replacing it with ones own code. I know this is "whataboutism" but here goes: Is this different from Intel ME processors with their "hidden" Sparc core?

http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub

replies(1): >>10461156 #

1. msbarnett ◴[27 Oct 15 21:09 UTC] No.10461156[source]▶

>>10460476 #

> Is this different from Intel ME processors with their "hidden" Sparc core?

Minor quibble: The IME is not Sun's SPARC architecture, it's ARC International's ARC, the Argonaut RISC Core, which has its origins in (of all things) the Super Nintendo's SuperFX chip.

replies(3): >>10461233 #>>10461274 #>>10462237 #

2. nickpsecurity ◴[27 Oct 15 21:20 UTC] No.10461233[source]▶

>>10461156 (TP) #

Didn't even know they had ARC processors in them. That's a trip.

3. ◴[27 Oct 15 21:27 UTC] No.10461274[source]▶

>>10461156 (TP) #

4. voltagex_ ◴[28 Oct 15 00:48 UTC] No.10462237[source]▶

>>10461156 (TP) #

Is this what I've got in my Lenovo X1 with vPro? The Ctrl+P shortcut to get into the config at boot doesn't work - can I poke at it any other way?

↑