Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.

memory access with intel amt

stenkilsson
Beginner
1,419 Views
Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on the another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson
0 Kudos
9 Replies
Gael_H_Intel
Moderator
1,419 Views
Quoting - stenkilsson
Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on the another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson


Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.
0 Kudos
stenkilsson
Beginner
1,419 Views


Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?
0 Kudos
stenkilsson
Beginner
1,419 Views
Quoting - stenkilsson

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?

For example, if memory could be accessed via AMT, it would give a way to implement something like DeepWatch, without writing custom firmware, and with remote capability. DeepWatch was a project of Yuriy Bulygin and David Samyde of Intel, which Yuriy presented at Black Hat last year. See http://www.c7zero.info/stuff/bh-usa-08-bulygin.ppt. Are you sure there's no undocumented functionality in AMT we could use to accomplish this? It would certain fit into the "diagnose and heal" paradigm...
0 Kudos
Lance_A_Intel
Employee
1,419 Views

This sounds like a really good candidate for our new IdeaZone.
0 Kudos
RBens2
Valued Contributor I
1,419 Views
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger

0 Kudos
Gael_H_Intel
Moderator
1,419 Views
Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Thanks for sharing your knowledge, Rogerb!
0 Kudos
jacace
New Contributor I
1,419 Views
Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Hello Roger,

Wow, I didn't know ME has access to the memory.
Maybe someday it will be useful to read/write it.
But now, I can't imagine nowwhat would it be useful for? - except for security reasons when the OS is loaded or when a physical verification must be perform.

Javier Andrs
0 Kudos
RBens2
Valued Contributor I
1,419 Views
The ME's access to main memory isn't just for platform maintainence, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger

0 Kudos
jacace
New Contributor I
1,419 Views
Quoting - rogerb
The ME's access to main memory isn't just for platform maintainence, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger


Hello Roger,

Thanks, great explanation.

Javier Andrs
0 Kudos
Reply