CODE BLUE, profile picture
Uploaded byCODE BLUE
PDF, PPTX37,296 views

インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky

The document is a compilation of technical notes and references related to Intel's Active Management Technology (AMT) and firmware features, authored by Igor Skochinsky. It includes discussions on various components such as BIOS, memory controllers, and security mechanisms like firmware signing keys, while also providing links to further resources and specifications. The text is organized in a series of bullet points or sections detailing aspects of Intel architecture and firmware development.

Technology
In this document
Powered by AI

Introductory slide featuring the presenter Igor Skochinsky and event details for CODE BLUE 2014.

Discussion on IDA, Hex-Rays, and BIOS technologies related to PCs, UEFI, and software versions.

Explanation of Host Embedded Controller Interface (HECI) and Intel Active Management Technology (AMT).

Focus on Intel Management Engine (ME) architecture, with insights into firmware, ROM, and descriptors.

Information on different versions of ME, including Gen 1 and Gen 2 details, focusing on module descriptions.

Details on features like Memory Controller, Java VM interactions, and IPT symbology related to system security.

Overview of Trusted Execution Environment (TEE) and Trusted Foundations, mentioning integration with Intel technologies.

Final slides providing various references for further reading on BIOS, IDA, and Intel AMT, concluding with contact information.

Embed presentation

Download as PDF, PPTX
ME Igor Skochinsky Hex-Rays CODE BLUE 2014 Tokyo
2(c) 2014 Igor Skochinsky   !   ME   !     !   ME   !     !     !    
3(c) 2014 Igor Skochinsky   !   15   !   IDA   !   2008 Hex-­‐Rays   !   IDA ( )   !   ( Kindle Sony  Reader)   !   PC (BIOS,  UEFI,  ME)   !   reddit.com/r/ReverseEngineering/    
4(c) 2014 Igor Skochinsky ME:     !   ( )   !   (GMCH,  PCH,  MCH)   !   BIOS CPU   !   ( CPU )   !   CPU  
5(c) 2014 Igor Skochinsky ME:     Credit: Intel 2009
6(c) 2014 Igor Skochinsky ME:     OS !   HECI  (MEI):  Host  Embedded  Controller  Interface;     PCI   !   SOAP ;   HTTP HTTPS  
7(c) 2014 Igor Skochinsky ME:     ME   !   (AMT):   KVM   !   :   /   !   IDE (IDE-­‐R) LAN  (SOL):   OS CD/ HDD PC   !   :  2 (OTP)   !   :   PIN  
8(c) 2014 Igor Skochinsky ME:       !   PC ” ” PC   !   3G SMS   !   HDD   !    
9(c) 2014 Igor Skochinsky ME:
10(c) 2014 Igor Skochinsky ME:       !   ( )   !     !   HECI     !   AMT  SDK   !   Linux   ;  coreboot   !   BIOS   !   ME BIOS   !   ME  
11(c) 2014 Igor Skochinsky ME       !   ME             !   FTP   !                                                                                                                                   !                                                                                                                                                                             !                                                                                                                                                                   :)  
12(c) 2014 Igor Skochinsky FSP   !   2013   !     !   Intel   !                                                                                                    HM76/QM77   !                                                                                            ME     http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp- overview "confidential“ :)
13(c) 2014 Igor Skochinsky SPI   !   SPI BIOS ME GbE   !   BIOS( OS) ME   !   Descriptor ME   !   Descriptor  
14(c) 2014 Igor Skochinsky ME   !   ME   !    
15(c) 2014 Igor Skochinsky ME   !   “ "   !   RSA  
16(c) 2014 Igor Skochinsky ME   !   2   !   Gen  2:  Intel  5  Series( Ibex  Peak)   Gen 1 Gen 2 ME versions 1.x-5.x 6.x-9.x Core ARCTangent-A4 ARC 600(?) Instruction set ARC (32-bit) ARCompact (32/16) Manifest tag $MAN $MN2 Module header tag $MOD $MME Code compression None, LZMA None, LZMA, Huffman
17(c) 2014 Igor Skochinsky ME   Module name Description BUP Bringup (hardware initialization/configuration) KERNEL Scheduler, low-level APIs for other modules POLICY Secondary init tasks, some high-level APIs HOSTCOMM Handles high-level protocols over HECI/MEI CLS Capability Licensing Service – enable/disable features depending on SKU, SKU upgrades TDT Theft Deterrence Technology (Intel Anti-Theft) Pavp Protected Audio-Video Path JOM Dynamic Application Loader (DAL) – used to implement Identity Protection Technology (IPT)  
18(c) 2014 Igor Skochinsky ME:  ROM   !   ROM   !     !     !   ME "ROMB"  
19(c) 2014 Igor Skochinsky ME:  ROM   !   ROM   !    
20(c) 2014 Igor Skochinsky ME:  ROM   !   ME   !   ROMB  
21(c) 2014 Igor Skochinsky ME:  ROM   !   ROMB ROM   !   ROM :   !   C (memcpy,  memset,  strcpy )   !   ThreadX  RTOS     !   API   !   ROM   !   FTPR BUP   !   BUP KERNEL :(  
22(c) 2014 Igor Skochinsky ME:
23(c) 2014 Igor Skochinsky ME:     !   ME !   : ME RSA ROM “During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest. At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest’s digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code.” “Architecture Guide: Intel® Active Management Technology”, 2009
24(c) 2014 Igor Skochinsky ME: (UMA)   !   ME RAM  (UMA) (MCU )   !   ME BIOS CPU   !   2009 Invisible  Things  Lab   !   ...  
25(c) 2014 Igor Skochinsky ME:  UMA   !   UMA   !   #1:  BIOS MESEG   !   [ ...]   !     !   UEFI   !     !   :     !   :   ...  
26(c) 2014 Igor Skochinsky ME:  UMA   !   #2:     !   DRAM UMA   !   ...   : ME UMA : UMA
27(c) 2014 Igor Skochinsky ME:  UMA   !   –   !   –   !   DDR3   “The memory controller incorporates a DDR3 Data Scrambling feature to minimize the impact of excessive di/dt on the platform DDR3 VRs due to successive 1s and 0s on the data bus. [...] As a result the memory controller uses a data scrambling feature to create pseudo-random patterns on the DDR3 data bus to reduce the impact of any excessive di/ dt.” (from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel® Celeron® Processor Family Datasheet)
28(c) 2014 Igor Skochinsky ME:  UMA   !   #3:   UMA   !   UMA FPT 1   !   FPT   !   :   1)  32MB FPT BIOS 32MB ME 16MB   2)  16MB FPT BIOS 16MB 16MB   !    
29(c) 2014 Igor Skochinsky ME:  UMA   !   #4:     !   BIOS   !   UEFI "Setup" ( Breakpoint   2012 )   !    –  
30(c) 2014 Igor Skochinsky ME:  UMA   !   #5:     !     !     !   ...  
31(c) 2014 Igor Skochinsky   !   ME   !     !   (SPS)   !   BUP KERNEL   !   #1:  BUP !   !   KERNEL " " ...   !   #2:   ( )   !   2   !    
32(c) 2014 Igor Skochinsky JOM   DAL   !   JOM ME 7.1 !   (DAL) !   ME ( ) !   ( IPT) !   ME !   ...
33(c) 2014 Igor Skochinsky JOM   DAL   !   : !   Java Could  not  allocate  an  instance  of   java.lang.OutOfMemoryError   linkerInternalCheckFile:  JEFF  format  version  not   supported   com.intel.crypto   com.trustedlogic.isdi   Starting  VM  Server...  
34(c) 2014 Igor Skochinsky JOM   DAL   !   Java VM !   ME Base64 BLOB "oath.dalp" !   !   "Medal App" !   JOM "JEFF" !   JEFF Java !   Java !  
35(c) 2014 Igor Skochinsky JOM   DAL   !   ... !   Java ... .ascii  "Invalid  constant  offset  in  the  SLDC  instruction"  
36(c) 2014 Igor Skochinsky JEFF   !   JEFF !   J 2001 !   ISO (ISO/IEC 20970) !   !   !   !   !   !  
37(c) 2014 Igor Skochinsky JEFF   !   Python !   oath.dalp JEFF !   !   Java !   : !   !   UI ( ) !   !  
38(c) 2014 Igor Skochinsky JEFF     !   ( ) Class  com.intel.util.IntelApplet   private:      /*  0x0C  */  boolean  m_invokeCommandInProcess;      /*  0x00  */  OutputBufferView  m_outputBuffer;      /*  0x0D  */  boolean  m_outputBufferTooSmall;      /*  0x04  */  OutputValueView  m_outputValue;      /*  0x08  */  byte[]  m_sessionId;   public:      void  <init>();      final  int  getResponseBufferSize();      final  int  getSessionId(byte[],  int);      final  int  getSessionIdLength();      final  String  getUUID();      final  abstract  int  invokeCommand(int,  byte[]);      int  onClose();      final  void  onCloseSession();      final  int  onCommand(int,  CommandParameters);      int  onInit(byte[]);      final  int  onOpenSession(CommandParameters);      final  void  sendAsynchMessage(byte[],  int,  int);      final  void  setResponse(byte[],  int,  int);      final  void  setResponseCode(int);  
39(c) 2014 Igor Skochinsky IPT     !   !   OATH : package  com.intel.dal.ipt.framework;   public  class  AppletImpl  extends  com.intel.util.IntelApplet   {      final  int  invokeCommand(int,  byte[])      {          ...      }      int  onClose()      {          ...      }      int  onInit(byte[])      {          ...      }   }  
40(c) 2014 Igor Skochinsky IPT     !   ME !   !   !   ...
41(c) 2014 Igor Skochinsky IPT     !   C/C++, Java, .NET API DLL !   DLL JHI COM TCP/IP !   ME HECI/MEI !   ME JOM !   JOM !   !   out-of- bound
42(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   JOM Trusted Logic Mobility ( Trustonic) "Trusted Foundations" Trusted Execution Environment (TEE) : Trusted Foundations
43(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   Trusted Foundations !   ARM TrustZone !   GPL Trusted Foundations !   !   TrustZone ME/JOM HECI/MEI !  
44(c) 2014 Igor Skochinsky Trusted  Execu;on  Environment   !   GlobalPlatform (Trusted Logic Mobililty/ Trustonic ) TEE !   API (TEE ) API !   ME http://www.globalplatform.org/specificationsdevice.asp
45(c) 2014 Igor Skochinsky   !   ME !   ME !   ROM BUP KERNEL !   API !   JEFF DAL/IPT !   ARC IDA 6.4 IDA 6.5
46(c) 2014 Igor Skochinsky   !     !   JEFF .class JEFF   !     !   Linux  IPT   !   EFFS   !   ME   !   EFFS   !     !    
47(c) 2014 Igor Skochinsky   !     !     !     !   UMA   !     !   ME  ↔   !     !   ;     !   ...     !    
48(c) 2014 Igor Skochinsky   !   BIOS  RE   !   ME   !   ME BIOS   !   BIOS   !   Nikolaj  Schlej UEFITool UEFI   hkps://github.com/NikolajSchlej/UEFITool   !   Coreboot ME   !     !   Open  Virtual  Plalorm  (www.ovpworld.org)   ARC600 ARC700(ARCompact )   !     !    
49(c) 2014 Igor Skochinsky   http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/ http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/ http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html http://download.intel.com/technology/itj/2008/v12i4/paper[1-10].pdf http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf http://www.stewin.org/papers/dimvap15-stewin.pdf http://www.stewin.org/techreports/pstewin_spring2011.pdf http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf http://me.bios.io/ http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf
50(c) 2014 Igor Skochinsky     igor@hex-­‐rays.com   skochinsky@gmail.com  

More Related Content

PDF
ゼロからはじめるKVM超入門
byVirtualTech Japan Inc.
 
PDF
コンテナにおけるパフォーマンス調査でハマった話
byYuta Shimada
 
PDF
Unified JVM Logging
byYuji Kubota
 
PDF
オススメのJavaログ管理手法 ~コンテナ編~(Open Source Conference 2022 Online/Spring 発表資料)
byNTT DATA Technology & Innovation
 
PDF
Docker Compose 徹底解説
byMasahito Zembutsu
 
PPTX
Apache Spark on Kubernetes入門(Open Source Conference 2021 Online Hiroshima 発表資料)
byNTT DATA Technology & Innovation
 
PDF
より速く より運用しやすく 進化し続けるJVM(Java Developers Summit Online 2023 発表資料)
byNTT DATA Technology & Innovation
 
PDF
HTTP/2 入門
byYahoo!デベロッパーネットワーク
 
ゼロからはじめるKVM超入門
byVirtualTech Japan Inc.
 
コンテナにおけるパフォーマンス調査でハマった話
byYuta Shimada
 
Unified JVM Logging
byYuji Kubota
 
オススメのJavaログ管理手法 ~コンテナ編~(Open Source Conference 2022 Online/Spring 発表資料)
byNTT DATA Technology & Innovation
 
Docker Compose 徹底解説
byMasahito Zembutsu
 
Apache Spark on Kubernetes入門(Open Source Conference 2021 Online Hiroshima 発表資料)
byNTT DATA Technology & Innovation
 
より速く より運用しやすく 進化し続けるJVM(Java Developers Summit Online 2023 発表資料)
byNTT DATA Technology & Innovation
 
HTTP/2 入門
byYahoo!デベロッパーネットワーク
 

What's hot

PDF
MongoDB〜その性質と利用場面〜
byNaruhiko Ogasawara
 
PDF
新入社員のための大規模ゲーム開発入門 サーバサイド編
byinfinite_loop
 
PDF
【第26回Elasticsearch勉強会】Logstashとともに振り返る、やっちまった事例ごった煮
byHibino Hisashi
 
PDF
WebSocket / WebRTCの技術紹介
byYasuhiro Mawarimichi
 
PDF
ネットワークOS野郎 ~ インフラ野郎Night 20160414
byKentaro Ebisawa
 
PDF
それはYAGNIか? それとも思考停止か?
byYoshitaka Kawashima
 
PDF
CEDEC 2018 最速のC#の書き方 - C#大統一理論へ向けて性能的課題を払拭する
byYoshifumi Kawai
 
PPTX
PostgreSQL 12は ここがスゴイ! ~性能改善やpluggable storage engineなどの新機能を徹底解説~ (NTTデータ テクノ...
byNTT DATA Technology & Innovation
 
PDF
PostgreSQLレプリケーション10周年!徹底紹介!(PostgreSQL Conference Japan 2019講演資料)
byNTT DATA Technology & Innovation
 
PDF
Yahoo! JAPANのコンテンツプラットフォームを支えるSpring Cloud Streamによるマイクロサービスアーキテクチャ #jsug #sf_52
byYahoo!デベロッパーネットワーク
 
PDF
最近のOpenStackを振り返ってみよう
byTakashi Kajinami
 
PPTX
今こそ知りたいSpring Batch(Spring Fest 2020講演資料)
byNTT DATA Technology & Innovation
 
PDF
Javaコードが速く実⾏される秘密 - JITコンパイラ⼊⾨(JJUG CCC 2020 Fall講演資料)
byNTT DATA Technology & Innovation
 
PPTX
PostgreSQLモニタリングの基本とNTTデータが追加したモニタリング新機能(Open Source Conference 2021 Online F...
byNTT DATA Technology & Innovation
 
PPTX
本当は恐ろしい分散システムの話
byKumazaki Hiroki
 
PPTX
初心者向けMongoDBのキホン!
byTetsutaro Watanabe
 
PPTX
iostat await svctm の 見かた、考え方
by歩 柴田
 
PPTX
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
byNTT DATA Technology & Innovation
 
PPTX
PostgreSQL14の pg_stat_statements 改善(第23回PostgreSQLアンカンファレンス@オンライン 発表資料)
byNTT DATA Technology & Innovation
 
PDF
コンテナの作り方「Dockerは裏方で何をしているのか?」
byMasahito Zembutsu
 
MongoDB〜その性質と利用場面〜
byNaruhiko Ogasawara
 
新入社員のための大規模ゲーム開発入門 サーバサイド編
byinfinite_loop
 
【第26回Elasticsearch勉強会】Logstashとともに振り返る、やっちまった事例ごった煮
byHibino Hisashi
 
WebSocket / WebRTCの技術紹介
byYasuhiro Mawarimichi
 
ネットワークOS野郎 ~ インフラ野郎Night 20160414
byKentaro Ebisawa
 
それはYAGNIか? それとも思考停止か?
byYoshitaka Kawashima
 
CEDEC 2018 最速のC#の書き方 - C#大統一理論へ向けて性能的課題を払拭する
byYoshifumi Kawai
 
PostgreSQL 12は ここがスゴイ! ~性能改善やpluggable storage engineなどの新機能を徹底解説~ (NTTデータ テクノ...
byNTT DATA Technology & Innovation
 
PostgreSQLレプリケーション10周年!徹底紹介!(PostgreSQL Conference Japan 2019講演資料)
byNTT DATA Technology & Innovation
 
Yahoo! JAPANのコンテンツプラットフォームを支えるSpring Cloud Streamによるマイクロサービスアーキテクチャ #jsug #sf_52
byYahoo!デベロッパーネットワーク
 
最近のOpenStackを振り返ってみよう
byTakashi Kajinami
 
今こそ知りたいSpring Batch(Spring Fest 2020講演資料)
byNTT DATA Technology & Innovation
 
Javaコードが速く実⾏される秘密 - JITコンパイラ⼊⾨(JJUG CCC 2020 Fall講演資料)
byNTT DATA Technology & Innovation
 
PostgreSQLモニタリングの基本とNTTデータが追加したモニタリング新機能(Open Source Conference 2021 Online F...
byNTT DATA Technology & Innovation
 
本当は恐ろしい分散システムの話
byKumazaki Hiroki
 
初心者向けMongoDBのキホン!
byTetsutaro Watanabe
 
iostat await svctm の 見かた、考え方
by歩 柴田
 
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
byNTT DATA Technology & Innovation
 
PostgreSQL14の pg_stat_statements 改善(第23回PostgreSQLアンカンファレンス@オンライン 発表資料)
byNTT DATA Technology & Innovation
 
コンテナの作り方「Dockerは裏方で何をしているのか?」
byMasahito Zembutsu
 

Similar to インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky

PDF
Secret of Intel Management Engine by Igor Skochinsky
byCODE BLUE
 
PPTX
I3 multicore processor
byAmol Barewar
 
PPTX
I3
byAmol Barewar
 
PDF
Graphics virtualization
byThe Linux Foundation
 
PDF
Graphics virtualization
byThe Linux Foundation
 
PPT
Chap 02[1]
byHafiz Muhammad Azeem Sarwar
 
PDF
Hello rootKitty: A lightweight invariance-enforcing framework
byFrancesco Gadaleta
 
PDF
オペレーティングシステム 設計と実装 第3版(20101211)
byRyousei Takano
 
PPTX
Linux Improvements in Memory Corruption Based Protections
byVlatko Kosturjak
 
PDF
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
byChanwoo Choi
 
PDF
Intel Itanium Hotchips 2011 Overview
byPauline Nist
 
PPTX
Clear Linux OS - Architecture Overview
byOpen Source Technology Center MeetUps
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
PDF
Porting Xen Paravirtualization to MIPS Architecture
byThe Linux Foundation
 
PDF
Accelerate Your Game Development on Android*
byIntel® Software
 
PDF
ARMvisor @ COSCUP2012
byPeter Chang
 
PDF
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
byFrancesco Gadaleta
 
PDF
Droidcon ndk cpu_architecture_optimization
byDroidcon Berlin
 
PDF
Droidcon2013 ndk cpu_architecture_optimization_weggerle_intel
byDroidcon Berlin
 
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
byArea41
 
Secret of Intel Management Engine by Igor Skochinsky
byCODE BLUE
 
I3 multicore processor
byAmol Barewar
 
I3
byAmol Barewar
 
Graphics virtualization
byThe Linux Foundation
 
Graphics virtualization
byThe Linux Foundation
 
Chap 02[1]
byHafiz Muhammad Azeem Sarwar
 
Hello rootKitty: A lightweight invariance-enforcing framework
byFrancesco Gadaleta
 
オペレーティングシステム 設計と実装 第3版(20101211)
byRyousei Takano
 
Linux Improvements in Memory Corruption Based Protections
byVlatko Kosturjak
 
OpenIot & ELC Europe 2016 Berlin - How to develop the ARM 64bit board, Samsun...
byChanwoo Choi
 
Intel Itanium Hotchips 2011 Overview
byPauline Nist
 
Clear Linux OS - Architecture Overview
byOpen Source Technology Center MeetUps
 
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
Porting Xen Paravirtualization to MIPS Architecture
byThe Linux Foundation
 
Accelerate Your Game Development on Android*
byIntel® Software
 
ARMvisor @ COSCUP2012
byPeter Chang
 
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
byFrancesco Gadaleta
 
Droidcon ndk cpu_architecture_optimization
byDroidcon Berlin
 
Droidcon2013 ndk cpu_architecture_optimization_weggerle_intel
byDroidcon Berlin
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
byArea41
 

More from CODE BLUE

PDF
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
PDF
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
PDF
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
PDF
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 
PDF
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
PPTX
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
PPTX
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
PDF
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
PDF
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
PDF
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
PDF
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
PDF
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
PDF
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 

Recently uploaded

PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 

インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky

  • 1.
  • 2.
    2(c) 2014 IgorSkochinsky   !   ME   !     !   ME   !     !     !    
  • 3.
    3(c) 2014 IgorSkochinsky   !   15   !   IDA   !   2008 Hex-­‐Rays   !   IDA ( )   !   ( Kindle Sony  Reader)   !   PC (BIOS,  UEFI,  ME)   !   reddit.com/r/ReverseEngineering/    
  • 4.
    4(c) 2014 IgorSkochinsky ME:     !   ( )   !   (GMCH,  PCH,  MCH)   !   BIOS CPU   !   ( CPU )   !   CPU  
  • 5.
    5(c) 2014 IgorSkochinsky ME:     Credit: Intel 2009
  • 6.
    6(c) 2014 IgorSkochinsky ME:     OS !   HECI  (MEI):  Host  Embedded  Controller  Interface;     PCI   !   SOAP ;   HTTP HTTPS  
  • 7.
    7(c) 2014 IgorSkochinsky ME:     ME   !   (AMT):   KVM   !   :   /   !   IDE (IDE-­‐R) LAN  (SOL):   OS CD/ HDD PC   !   :  2 (OTP)   !   :   PIN  
  • 8.
    8(c) 2014 IgorSkochinsky ME:       !   PC ” ” PC   !   3G SMS   !   HDD   !    
  • 9.
    9(c) 2014 IgorSkochinsky ME:
  • 10.
    10(c) 2014 IgorSkochinsky ME:       !   ( )   !     !   HECI     !   AMT  SDK   !   Linux   ;  coreboot   !   BIOS   !   ME BIOS   !   ME  
  • 11.
    11(c) 2014 IgorSkochinsky ME       !   ME             !   FTP   !                                                                                                                                   !                                                                                                                                                                             !                                                                                                                                                                   :)  
  • 12.
    12(c) 2014 IgorSkochinsky FSP   !   2013   !     !   Intel   !                                                                                                    HM76/QM77   !                                                                                            ME     http://www.intel.com/content/www/us/en/intelligent-systems/intel-firmware-support-package/intel-fsp- overview "confidential“ :)
  • 13.
    13(c) 2014 IgorSkochinsky SPI   !   SPI BIOS ME GbE   !   BIOS( OS) ME   !   Descriptor ME   !   Descriptor  
  • 14.
    14(c) 2014 IgorSkochinsky ME   !   ME   !    
  • 15.
    15(c) 2014 IgorSkochinsky ME   !   “ "   !   RSA  
  • 16.
    16(c) 2014 IgorSkochinsky ME   !   2   !   Gen  2:  Intel  5  Series( Ibex  Peak)   Gen 1 Gen 2 ME versions 1.x-5.x 6.x-9.x Core ARCTangent-A4 ARC 600(?) Instruction set ARC (32-bit) ARCompact (32/16) Manifest tag $MAN $MN2 Module header tag $MOD $MME Code compression None, LZMA None, LZMA, Huffman
  • 17.
    17(c) 2014 IgorSkochinsky ME   Module name Description BUP Bringup (hardware initialization/configuration) KERNEL Scheduler, low-level APIs for other modules POLICY Secondary init tasks, some high-level APIs HOSTCOMM Handles high-level protocols over HECI/MEI CLS Capability Licensing Service – enable/disable features depending on SKU, SKU upgrades TDT Theft Deterrence Technology (Intel Anti-Theft) Pavp Protected Audio-Video Path JOM Dynamic Application Loader (DAL) – used to implement Identity Protection Technology (IPT)  
  • 18.
    18(c) 2014 IgorSkochinsky ME:  ROM   !   ROM   !     !     !   ME "ROMB"  
  • 19.
    19(c) 2014 IgorSkochinsky ME:  ROM   !   ROM   !    
  • 20.
    20(c) 2014 IgorSkochinsky ME:  ROM   !   ME   !   ROMB  
  • 21.
    21(c) 2014 IgorSkochinsky ME:  ROM   !   ROMB ROM   !   ROM :   !   C (memcpy,  memset,  strcpy )   !   ThreadX  RTOS     !   API   !   ROM   !   FTPR BUP   !   BUP KERNEL :(  
  • 22.
    22(c) 2014 IgorSkochinsky ME:
  • 23.
    23(c) 2014 IgorSkochinsky ME:     !   ME !   : ME RSA ROM “During the design phase, a Firmware Signing Key (FWSK) public/private pair is generated at a secure Intel Location, using the Intel Code Signing System. The Private FWSK is stored securely and confidentially by Intel. Intel AMT ROM includes a SHA-1 Hash of the public key, based on RSA, 2048 bit modulus fixed. Each approved production firmware image is digitally signed by Intel with the private FWSK. The public FWSK and the digital signature are appended to the firmware image manifest. At runtime, a secure boot sequence is accomplished by means of the boot ROM verifying that the public FWSK on Flash is valid, based on the hash value in ROM. The ROM validates the firmware image that corresponds to the manifest’s digital signature through the use of the public FWSK, and if successful, the system continues to boot from Flash code.” “Architecture Guide: Intel® Active Management Technology”, 2009
  • 24.
    24(c) 2014 IgorSkochinsky ME: (UMA)   !   ME RAM  (UMA) (MCU )   !   ME BIOS CPU   !   2009 Invisible  Things  Lab   !   ...  
  • 25.
    25(c) 2014 IgorSkochinsky ME:  UMA   !   UMA   !   #1:  BIOS MESEG   !   [ ...]   !     !   UEFI   !     !   :     !   :   ...  
  • 26.
    26(c) 2014 IgorSkochinsky ME:  UMA   !   #2:     !   DRAM UMA   !   ...   : ME UMA : UMA
  • 27.
    27(c) 2014 IgorSkochinsky ME:  UMA   !   –   !   –   !   DDR3   “The memory controller incorporates a DDR3 Data Scrambling feature to minimize the impact of excessive di/dt on the platform DDR3 VRs due to successive 1s and 0s on the data bus. [...] As a result the memory controller uses a data scrambling feature to create pseudo-random patterns on the DDR3 data bus to reduce the impact of any excessive di/ dt.” (from Intel Corporation Desktop 3rd Generation Intel® Core™ Processor Family, Desktop Intel® Pentium® Processor Family, and Desktop Intel® Celeron® Processor Family Datasheet)
  • 28.
    28(c) 2014 IgorSkochinsky ME:  UMA   !   #3:   UMA   !   UMA FPT 1   !   FPT   !   :   1)  32MB FPT BIOS 32MB ME 16MB   2)  16MB FPT BIOS 16MB 16MB   !    
  • 29.
    29(c) 2014 IgorSkochinsky ME:  UMA   !   #4:     !   BIOS   !   UEFI "Setup" ( Breakpoint   2012 )   !    –  
  • 30.
    30(c) 2014 IgorSkochinsky ME:  UMA   !   #5:     !     !     !   ...  
  • 31.
    31(c) 2014 IgorSkochinsky   !   ME   !     !   (SPS)   !   BUP KERNEL   !   #1:  BUP !   !   KERNEL " " ...   !   #2:   ( )   !   2   !    
  • 32.
    32(c) 2014 IgorSkochinsky JOM   DAL   !   JOM ME 7.1 !   (DAL) !   ME ( ) !   ( IPT) !   ME !   ...
  • 33.
    33(c) 2014 IgorSkochinsky JOM   DAL   !   : !   Java Could  not  allocate  an  instance  of   java.lang.OutOfMemoryError   linkerInternalCheckFile:  JEFF  format  version  not   supported   com.intel.crypto   com.trustedlogic.isdi   Starting  VM  Server...  
  • 34.
    34(c) 2014 IgorSkochinsky JOM   DAL   !   Java VM !   ME Base64 BLOB "oath.dalp" !   !   "Medal App" !   JOM "JEFF" !   JEFF Java !   Java !  
  • 35.
    35(c) 2014 IgorSkochinsky JOM   DAL   !   ... !   Java ... .ascii  "Invalid  constant  offset  in  the  SLDC  instruction"  
  • 36.
    36(c) 2014 IgorSkochinsky JEFF   !   JEFF !   J 2001 !   ISO (ISO/IEC 20970) !   !   !   !   !   !  
  • 37.
    37(c) 2014 IgorSkochinsky JEFF   !   Python !   oath.dalp JEFF !   !   Java !   : !   !   UI ( ) !   !  
  • 38.
    38(c) 2014 IgorSkochinsky JEFF     !   ( ) Class  com.intel.util.IntelApplet   private:      /*  0x0C  */  boolean  m_invokeCommandInProcess;      /*  0x00  */  OutputBufferView  m_outputBuffer;      /*  0x0D  */  boolean  m_outputBufferTooSmall;      /*  0x04  */  OutputValueView  m_outputValue;      /*  0x08  */  byte[]  m_sessionId;   public:      void  <init>();      final  int  getResponseBufferSize();      final  int  getSessionId(byte[],  int);      final  int  getSessionIdLength();      final  String  getUUID();      final  abstract  int  invokeCommand(int,  byte[]);      int  onClose();      final  void  onCloseSession();      final  int  onCommand(int,  CommandParameters);      int  onInit(byte[]);      final  int  onOpenSession(CommandParameters);      final  void  sendAsynchMessage(byte[],  int,  int);      final  void  setResponse(byte[],  int,  int);      final  void  setResponseCode(int);  
  • 39.
    39(c) 2014 IgorSkochinsky IPT     !   !   OATH : package  com.intel.dal.ipt.framework;   public  class  AppletImpl  extends  com.intel.util.IntelApplet   {      final  int  invokeCommand(int,  byte[])      {          ...      }      int  onClose()      {          ...      }      int  onInit(byte[])      {          ...      }   }  
  • 40.
    40(c) 2014 IgorSkochinsky IPT     !   ME !   !   !   ...
  • 41.
    41(c) 2014 IgorSkochinsky IPT     !   C/C++, Java, .NET API DLL !   DLL JHI COM TCP/IP !   ME HECI/MEI !   ME JOM !   JOM !   !   out-of- bound
  • 42.
    42(c) 2014 IgorSkochinsky Trusted  Execu;on  Environment   !   JOM Trusted Logic Mobility ( Trustonic) "Trusted Foundations" Trusted Execution Environment (TEE) : Trusted Foundations
  • 43.
    43(c) 2014 IgorSkochinsky Trusted  Execu;on  Environment   !   Trusted Foundations !   ARM TrustZone !   GPL Trusted Foundations !   !   TrustZone ME/JOM HECI/MEI !  
  • 44.
    44(c) 2014 IgorSkochinsky Trusted  Execu;on  Environment   !   GlobalPlatform (Trusted Logic Mobililty/ Trustonic ) TEE !   API (TEE ) API !   ME http://www.globalplatform.org/specificationsdevice.asp
  • 45.
    45(c) 2014 IgorSkochinsky   !   ME !   ME !   ROM BUP KERNEL !   API !   JEFF DAL/IPT !   ARC IDA 6.4 IDA 6.5
  • 46.
    46(c) 2014 IgorSkochinsky   !     !   JEFF .class JEFF   !     !   Linux  IPT   !   EFFS   !   ME   !   EFFS   !     !    
  • 47.
    47(c) 2014 IgorSkochinsky   !     !     !     !   UMA   !     !   ME  ↔   !     !   ;     !   ...     !    
  • 48.
    48(c) 2014 IgorSkochinsky   !   BIOS  RE   !   ME   !   ME BIOS   !   BIOS   !   Nikolaj  Schlej UEFITool UEFI   hkps://github.com/NikolajSchlej/UEFITool   !   Coreboot ME   !     !   Open  Virtual  Plalorm  (www.ovpworld.org)   ARC600 ARC700(ARCompact )   !     !    
  • 49.
    49(c) 2014 IgorSkochinsky   http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/ http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/ http://theinvisiblethings.blogspot.com/2009/08/vegas-toys-part-i-ring-3-tools.html http://download.intel.com/technology/itj/2008/v12i4/paper[1-10].pdf http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf http://www.stewin.org/papers/dimvap15-stewin.pdf http://www.stewin.org/techreports/pstewin_spring2011.pdf http://www.stewin.org/slides/pstewin-SPRING6-EvaluatingRing-3Rootkits.pdf http://flashrom.org/trac/flashrom/browser/trunk/Documentation/mysteries_intel.txt http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=src/southbridge/intel/bd82x6x/me.c http://download.intel.com/technology/product/DCMI/DCMI-HI_1_0.pdf http://me.bios.io/ http://www.uberwall.org/bin/download/download/102/lacon12_intel_amt.pdf
  • 50.
    50(c) 2014 IgorSkochinsky     igor@hex-­‐rays.com   skochinsky@gmail.com