stenkilsson
Beginner
91 Views

memory access with intel amt

Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson
9 Replies
Gael_H_Intel
Moderator

Quoting - stenkilsson
Hello, I'm looking at using AMT for a computer security project. Is it possible to directly access the physical memory of remote machines using AMT? In a recent thread, you seemed to indicate that it is not possible to access the disks.

For example, the F-Response product (see http://www.f-response.com/) lets security personnel remotely access the memory and disks of a machine running the F-Response Agent. These are exported as virtual devices on another machine, where standard anti-malware and forensics programs can be used to scan them. Would it be possible to develop something like this with AMT that would make it unnecessary to run any extra software on the target machines? This would be desirable because software running on the target, even a minimal agent, is vulnerable to tampering or disabling by malware...

E. Stenkilsson


Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.
stenkilsson
Beginner

Quoting - Gael_H_Intel
Well if you wanted to do a SOL/IDER session to accomplish some of this, your boot media would need to have utilities that support accessing physical media on the system. AMT is not going to be able to do anything with memory. Have you taken a look through the use cases that we have for AMT? It might be helpful to see what features AMT does in order to get a better understanding of how you can design your project.

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?
stenkilsson
Beginner

Quoting - stenkilsson

Yeah, I downloaded the SDK and spent a few hours looking at docs, and I didn't see anything about memory access in any of the APIs, so I figured this would not be supported... but figured I'd ask, just in case I missed something. It's a shame, though... the management engine seems perfectly positioned to inspect system memory without interference from a potentially compromised operating system. You say AMT is not going to be able to do anything with memory. Are there technical reasons it couldn't do so, or was the functionality omitted for other reasons?

For example, if memory could be accessed via AMT, it would give a way to implement something like DeepWatch, without writing custom firmware, and with remote capability. DeepWatch was a project of Yuriy Bulygin and David Samyde of Intel, which Yuriy presented at Black Hat last year. See http://www.c7zero.info/stuff/bh-usa-08-bulygin.ppt. Are you sure there's no undocumented functionality in AMT we could use to accomplish this? It would certainly fit into the "diagnose and heal" paradigm...
Lance_A_Intel
Employee


This sounds like a really good candidate for our new IdeaZone.
RBens2
Valued Contributor I

Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger

Gael_H_Intel
Moderator

Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Thanks for sharing your knowledge, Rogerb!
jacace
Black Belt

Quoting - rogerb
Architecturally, the ME does have access to the memory, but there is no API to access it, and it is normally considered to be a security hole to give someone access directly to memory from AMT. Therefore, I don't foresee Intel being willing to add this functionality to the system.

For the original problem, I would recommend looking into the system defense functionality to monitor whether or not an application is running, and I would look into the TXT capability to measure an application to make sure that it hasn't been tampered with. The application could then communicate to the monitoring server through the third-party storage area.

Regards,
Roger


Hello Roger,

Wow, I didn't know ME has access to the memory.
Maybe someday it will be useful to read/write it.
But for now, I can't imagine what it would be useful for, except for security reasons when the OS is loaded or when a physical verification must be performed.

Javier Andrés
RBens2
Valued Contributor I

The ME's access to main memory isn't just for platform maintenance, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger

jacace
Black Belt

Quoting - rogerb
The ME's access to main memory isn't just for platform maintenance, but it is integral to the overall architecture. The ME runs its code out of main memory. The system BIOS has to punch out a hole in the main memory to allow the ME to have a secure block of main memory to run its application code out of. In the future, the extent of the ME's access to main memory might be extended to allow for diagnostic type of functions, but currently the ME only gets access to the block of MM that the BIOS set aside for it, and no API has been provided to allow users to get access to the ME's block of MM. As I said, allowing users to get access to MM through the ME would open up many security issues that Intel would probably rather not have to deal with.

Regards,
Roger


Hello Roger,

Thanks, great explanation.

Javier Andrés