Software developer, cyclist, photographer, hiker, reader. I work for the Library of Congress but all opinions are my own. Email: chris@improbable.org

The Intel ME vulnerabilities are a big deal for some people, harmless for most

(Note: all discussion here is based on publicly disclosed information, and I am not speaking on behalf of my employers)

I wrote about the potential impact of the most recent Intel ME vulnerabilities a couple of weeks ago. The details of the vulnerability were released last week, and it's not absolutely the worst case scenario but it's still pretty bad. The short version is that one of the (signed) pieces of early bringup code for the ME reads an unsigned file from flash and parses it. Providing a malformed file could result in a buffer overflow, and a moderately complicated exploit chain could be built that allowed the ME's exploit mitigation features to be bypassed, resulting in arbitrary code execution on the ME.

Getting this file into flash in the first place is the difficult bit. The ME region shouldn't be writable at OS runtime, so the most practical way for an attacker to achieve this is to physically disassemble the machine and directly reprogram it. The AMT management interface may provide a vector for a remote attacker to achieve this - for this to be possible, AMT must be enabled and provisioned and the attacker must have valid credentials[1]. Most systems don't have provisioned AMT, so most users don't have to worry about this.

Overall, for most end users there's little to worry about here. But the story changes for corporate users or high value targets who rely on TPM-backed disk encryption. The way the TPM protects access to the disk encryption key is to insist that a series of "measurements" are correct before giving the OS access to the disk encryption key. The first of these measurements is obtained through the ME hashing the first chunk of the system firmware and passing that to the TPM, with the firmware then hashing each component in turn and storing those in the TPM as well. If someone compromises a later point of the chain then the previous step will generate a different measurement, preventing the TPM from releasing the secret.

However, if the first step in the chain can be compromised, all these guarantees vanish. And since the first step in the chain relies on the ME to be running uncompromised code, this vulnerability allows that to be circumvented. The attacker's malicious code can be used to pass the "good" hash to the TPM even if the rest of the firmware has been tampered with. This allows a sufficiently skilled attacker to extract the disk encryption key and read the contents of the disk[2].
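The measurement chain described above, as an added illustration that is not part of the original post: a few lines of Python model a single SHA-256 PCR, a sealing policy, and a chain of constructed stand-in firmware stages. Assumptions (mine, not the post's): the ME measures the first stage and each genuine stage then measures its successor truthfully, while a replaced stage simply reports the known-good hash of whatever it should have measured.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR' = SHA256(PCR || measurement). Values can only be
    folded in, never set, so a PCR reaches a given value only by replaying
    the same sequence of measurements."""
    return h(pcr + measurement)


# Constructed stand-ins for the firmware stages, in boot order (not real firmware).
GOOD_CHAIN = [b"IBB v1", b"PEI v1", b"DXE v1", b"bootloader v1"]


def simulate_boot(actual_chain, honest_root=True):
    """Return the PCR after boot. Stage 0 is measured by the root of trust (the
    ME); each stage then measures its successor before handing over to it.
    Assumption: a genuine stage measures truthfully, while a replaced stage
    reports the known-good hash of whatever it should have measured.
    honest_root=False models the ME vulnerability: the root itself lies."""
    pcr = bytes(32)
    for i, stage in enumerate(actual_chain):
        if i == 0:
            measurer_is_genuine = honest_root
        else:
            measurer_is_genuine = actual_chain[i - 1] == GOOD_CHAIN[i - 1]
        reported = h(stage) if measurer_is_genuine else h(GOOD_CHAIN[i])
        pcr = extend(pcr, reported)
    return pcr


# Value the disk key was sealed to: the PCR a clean boot produces.
EXPECTED_PCR = simulate_boot(GOOD_CHAIN)


def unseal(pcr: bytes):
    """Release the disk key only if the PCR matches the sealed-to value. A
    remote attestation verifier applies the same comparison to a quoted PCR."""
    return "disk-key" if pcr == EXPECTED_PCR else None


if __name__ == "__main__":
    evil = [s.replace(b"v1", b"EVIL") for s in GOOD_CHAIN]
    print("clean boot:", unseal(simulate_boot(GOOD_CHAIN)))
    print("bootloader tampered, ME honest:", unseal(simulate_boot(GOOD_CHAIN[:3] + evil[3:])))
    print("whole chain tampered, ME honest:", unseal(simulate_boot(evil)))
    print("whole chain tampered, ME compromised:", unseal(simulate_boot(evil, honest_root=False)))
```

Tampering any stage below an honest measurer changes the PCR and the key stays sealed; only when the root of trust itself reports the expected hash does a fully replaced chain still unlock the key.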

In addition, TPMs can be used to perform something called "remote attestation". This allows the TPM to provide a signed copy of the recorded measurements to a remote service, allowing that service to make a policy decision around whether or not to grant access to a resource. Enterprises using remote attestation to verify, for example, that systems are appropriately patched before they allow them access to sensitive material can no longer depend on those results being accurate.

Things are even worse for people relying on Intel's Platform Trust Technology (PTT), which is an implementation of a TPM that runs on the ME itself. Since this vulnerability allows full access to the ME, an attacker can obtain all the private key material held in the PTT implementation and, effectively, adopt the machine's cryptographic identity. This allows them to impersonate the system with arbitrary measurements whenever they want to. This basically renders PTT worthless from an enterprise perspective - unless you've maintained physical control of a machine for its entire lifetime, you have no way of knowing whether it's had its private keys extracted and so you have no way of knowing whether the attestation attempt is coming from the machine or from an attacker pretending to be that machine.

Bootguard, the component of the ME that's responsible for measuring the firmware into the TPM, is also responsible for verifying that the firmware has an appropriate cryptographic signature. Since that can be bypassed, an attacker can reflash modified firmware that can do pretty much anything. Yes, that probably means you can use this vulnerability to install Coreboot on a system locked down using Bootguard.

(An aside: The Titan security chips used in Google Cloud Platform sit between the chipset and the flash and verify the flash before permitting anything to start reading from it. If an attacker tampers with the ME firmware, Titan should detect that and prevent the system from booting. However, I'm not involved in the Titan project and don't know exactly how this works, so don't take my word for this)

Intel have published an update that fixes the vulnerability, but it's pretty pointless - there's apparently no rollback protection in the affected 11.x MEs, so while the attacker is modifying your flash to insert the payload they can just downgrade your ME firmware to a vulnerable version. Version 12 will reportedly include optional rollback protection, which is little comfort to anyone who has current hardware. Basically, anyone whose threat model depends on the low-level security of their Intel system is probably going to have to buy new hardware.

This is a big deal for enterprises and any individuals who may be targeted by skilled attackers who have physical access to their hardware, and entirely irrelevant for almost anybody else. If you don't know that you should be worried, you shouldn't be.

[1] Although admins should bear in mind that any system that hasn't been patched against CVE-2017-5689 considers an empty authentication cookie to be a valid credential

[2] TPMs are not intended to be strongly tamper resistant, so an attacker could also just remove the TPM, decap it and (with some effort) extract the key that way. This is somewhat more time consuming than just reflashing the firmware, so the ME vulnerability still amounts to a change in attack practicality.

Today’s net neutrality vote – an unsurprising, unfortunate disappointment


We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we’ll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs.

This fight isn’t over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies.

The partisan divide only exists in Washington. The internet is a global, public resource and if closed off — with only some content and services available unless you pay more to your ISP — the value of that resource declines. According to polls from earlier this year, American internet users agree. Three-quarters of the public support net neutrality. This isn’t a partisan issue.

We’ll keep fighting. We’re encouraged by net neutrality victories in India and elsewhere. Americans deserve and need better than this.

The post Today’s net neutrality vote – an unsurprising, unfortunate disappointment appeared first on The Mozilla Blog.

Will Trump's lows ever hit rock bottom?

A president who'd all but call a senator a whore is unfit to clean toilets in Obama's presidential library or to shine George W. Bush's shoes: Our view…
acdha
1 day ago
Note that this is in USA Today – that’s only slightly more political than the average airline’s inflight magazine
Washington, DC

Seven Years

[hair in face] "SEVVVENNN YEEEARRRSSS"
effingunicorns
2 days ago
it's been kind of A Day so I'm not afraid to admit I cried
jlvanderzwan
1 day ago
Had the same with the previous comic, that this one references. I felt so much relief when I reached the end of this one...
jlvanderzwan
1 day ago
Links for the new readers: https://xkcd.com/881/, https://xkcd.com/1141/
jlvanderzwan
1 day ago
These are also related but more humorous in nature: https://xkcd.com/933/, https://xkcd.com/996/
jlvanderzwan
1 day ago
And this one explains how the experience of dealing with cancer "works": https://xkcd.com/931/
gordol
1 day ago
As someone who is now officially a cancer survivor, this one hits home.

The Real Origins of the Religious Right

Between Weyrich’s machinations and Schaeffer’s jeremiad, evangelicals were slowly coming around on the abortion issue. At the conclusion of the film tour in…
jlvanderzwan
1 day ago
As you dig deeper into the root historical cause of something messed up about current day American society, the odds of it being racism approaches one.
acdha
1 day ago
Relevant now that we know how many white evangelicals voted for Moore
Washington, DC
jlvanderzwan
1 day ago
"They’ll tell you it was abortion. Sorry, the historical record’s clear: It was segregation."
jlvanderzwan
1 day ago
I wonder just how many other issues are really about segregation in the end. Gun regulation that actually got through? "Oh no the black panthers are arming themselves!" I have also seen it argued that the criminalisation of marijuana had racist motivations.
acdha
1 day ago
The drug war definitely had a large racial component – one of Nixon’s advisors eventually admitted it rather clearly: https://amp.cnn.com/cnn/2016/03/23/politics/john-ehrlichman-richard-nixon-drug-war-blacks-hippie/index.html
jlvanderzwan
1 day ago
Damn. Time to replace "South African" with "Republican"? https://www.youtube.com/watch?v=fxEweP2TiMk

Free to Use and Reuse: Selections from the National Film Registry


“Duck and Cover” is a 1951 U.S. Office of Civil Defense film for schoolchildren highlighting what to do in the event of an attack by atomic or other weapons.

The Library of Congress is offering film lovers a special gift during the holiday season: Sixty-four motion pictures, named to the Library’s National Film Registry, are now available online. The collection, “Selections from the National Film Registry,” is also available on YouTube.

These films are among hundreds of titles that have been tapped for preservation because of their cultural, historical and aesthetic significance—each year, the National Film Registry selects 25 films showcasing the range and diversity of America’s film heritage.

Legendary sailors Popeye and Sinbad battle in the 1936 film “Popeye the Sailor Meets Sindbad the Sailor.”

All of the streaming films in the new online collection are in the public domain. They are also available as freely downloadable files with the exception of two titles. Additional films will be added periodically to the website.

“We are especially pleased to make high-resolution ProRes 422 .mov files freely available for download for practically every title in this digital collection,” said curator Mike Mashon, head of the Library’s Moving Image Section. “We think these films will be of particular educational and scholarly benefit as well as for reuse by the creative community.”

Highlights from “Selections from the National Film Registry” include

  • “Memphis Belle” (1944)—William Wyler’s remarkable World War II documentary about the crew of a B-17 “Flying Fortress” bomber
  • “The Hitch-Hiker” (1953)—a gritty film noir directed by actress Ida Lupino
  • “Trance and Dance in Bali” (1936–39)—Margaret Mead and Gregory Bateson’s groundbreaking ethnographic documentary
  • “Modesta” (1956)—a Spanish-language film produced by Puerto Rico’s Division of Community Education
  • “Popeye the Sailor Meets Sindbad the Sailor” (1936)—a two-reel Technicolor cartoon
  • “The House I Live In” (1945)—a plea for religious tolerance starring Frank Sinatra that won an honorary Academy Award
  • “Master Hands” (1936)—a dazzling “mechanical ballet” shot on a General Motors automotive assembly line
  • “Duck and Cover” (1951)—a Cold War curio that features Bert the Turtle explaining to schoolchildren how best to survive a nuclear attack

Enjoy!

The final mission of the B-17 bomber, Memphis Belle, is the subject of the 1944 documentary “The Memphis Belle: A Story of a Flying Fortress.”

dianaschnuth
2 days ago
Toledo OH
schnuth
1 day ago
I remember watching Duck & Cover at a library summer program. We also watched an Army video on how to dig a ditch that we all thought was hilarious. I need to look for that one.