Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1381 Discussions

memory access with intel amt

stenkilsson
Beginner
‎06-04-2009 10:51 AM
839 Views
Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on the another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson
0 Kudos

Link Copied

9 Replies
Gael_H_Intel
Moderator
‎06-04-2009 03:17 PM
839 Views
Quoting - stenkilsson
Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on the another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson


Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.
0 Kudos
Copy link
stenkilsson
Beginner
‎06-04-2009 05:15 PM
839 Views


Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?
0 Kudos
Copy link
stenkilsson
Beginner
‎06-04-2009 05:47 PM
839 Views
Quoting - stenkilsson

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?

For example, if memory could be accessed via AMT, it would give a way to implement something like DeepWatch, without writing custom firmware, and with remote capability. DeepWatch was a project of Yuriy Bulygin and David Samyde of Intel, which Yuriy presented at Black Hat last year. See http://www.c7zero.info/stuff/bh-usa-08-bulygin.ppt. Are you sure there's no undocumented functionality in AMT we could use to accomplish this? It would certain fit into the "diagnose and heal" paradigm...
0 Kudos
Copy link
Lance_A_Intel
Employee
‎06-04-2009 07:44 PM
839 Views

This sounds like a really good candidate for our new IdeaZone.
0 Kudos
Copy link
RBens2
Valued Contributor I
‎06-05-2009 06:39 AM
839 Views
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger

0 Kudos
Copy link
Gael_H_Intel
Moderator
‎06-05-2009 08:53 AM
839 Views
Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Thanks for sharing your knowledge, Rogerb!
0 Kudos
Copy link
jacace
New Contributor I
‎06-09-2009 08:06 AM
839 Views
Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Hello Roger,

Wow, I didn't know ME has access to the memory.
Maybe someday it will be useful to read/write it.
But now, I can't imagine nowwhat would it be useful for? - except for security reasons when the OS is loaded or when a physical verification must be perform.

Javier Andrs
0 Kudos
Copy link
RBens2
Valued Contributor I
‎06-09-2009 08:19 AM
839 Views
The ME's access to main memory isn't just for platform maintainence, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger

0 Kudos
Copy link
jacace
New Contributor I
‎06-09-2009 11:31 AM
839 Views
Quoting - rogerb
The ME's access to main memory isn't just for platform maintainence, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger


Hello Roger,

Thanks, great explanation.

Javier Andrs
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.