{"guid":"4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","title":"Intel Management Engine deep dive","subtitle":"Understanding the ME at the OS and hardware level","slug":"36c3-10694-intel_management_engine_deep_dive","link":"https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/10694.html","description":"Reverse engineering a system on a chip from sparse documentation and binaries, developing an emulator from it and gathering the knowledge needed to develop a replacement for one of the more controversial binary blobs in the modern PC.\n\nThe Intel Management Engine, a secondary computer system embedded\nin modern chipsets, has long been considered a security risk \nbecause of its black-box nature and high privileges within the\nsystem. The last few years have seen increasing amounts of \nresearch into the ME and several vulnerabilities have been found.\n\nAlthough limited details were published about these vulnerabilities,\nreproducing exploits has been hard because of the limited information\navailable on the platform. \n\nThe ME firmware is the root of trust for the fTPM, Intel Boot Guard\nand several other platform security features, controlling it allows\noverriding manufacturer firmware signing, and allows implementing \nmany background management features.\n\nI have spent most of past year reverse engineering the OS, hardware\nand links to the host (main CPU) system. This research has led me \nto create custom tools for manipulating firmware images, to write\nan emulator for running ME firmware modules under controlled \ncircumstances and allowed me to replicate an unpublished exploit to\ngain code execution.\n\nIn this talk I will share the knowledge I have gathered so far, document\nmy methods and also explain how to go about a similar project.\n\nI also plan to discuss the possibility of an open source replacement \nfirmware for the Management Engine. \n\nThe information in this talk covers ME version 11.x, which is found in 6th and 7th generation chipsets (Skylake/Kabylake era), most of the hardware related information is also relevant for newer chipsets.","original_language":"eng","persons":["Peter Bosch"],"tags":["36c3","10694","2019","Security","Main"],"view_count":6715,"promoted":false,"date":"2019-12-27T18:50:00.000+01:00","release_date":"2019-12-28T01:00:00.000+01:00","updated_at":"2026-04-04T11:15:06.532+02:00","length":3607,"duration":3607,"thumb_url":"https://static.media.ccc.de/media/congress/2019/10694-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2019/10694-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2019/10694-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2019/10694-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/36c3-10694-intel_management_engine_deep_dive","url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_title":"36C3: Resource Exhaustion","conference_url":"https://api.media.ccc.de/public/conferences/36c3","related":[],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive.en.srt","state":"complete","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2021-02-21T17:48:21.259+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive.en.srt","url":"https://api.media.ccc.de/public/recordings/45422","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":464,"length":3607,"mime_type":"video/webm","language":"eng-deu","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-28T15:13:49.085+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-hd/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/42547","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":201,"length":3607,"mime_type":"video/webm","language":"eng-deu","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-28T15:02:00.081+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-sd/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/42539","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":191,"length":3607,"mime_type":"video/mp4","language":"eng-deu","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_hd-slides.mp4","state":"new","folder":"slides-h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-28T14:51:57.894+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/slides-h264-hd/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_hd-slides.mp4","url":"https://api.media.ccc.de/public/recordings/42519","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":54,"length":3589,"mime_type":"audio/mpeg","language":"eng","filename":"36c3-10694-eng-Intel_Management_Engine_deep_dive_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-28T14:51:03.865+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/mp3/36c3-10694-eng-Intel_Management_Engine_deep_dive_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/42517","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":42,"length":3589,"mime_type":"audio/opus","language":"eng","filename":"36c3-10694-eng-Intel_Management_Engine_deep_dive_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-28T14:49:22.816+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/opus/36c3-10694-eng-Intel_Management_Engine_deep_dive_opus.opus","url":"https://api.media.ccc.de/public/recordings/42514","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":159,"length":3607,"mime_type":"video/mp4","language":"eng-deu","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-28T14:49:13.214+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-sd/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_sd.mp4","url":"https://api.media.ccc.de/public/recordings/42513","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":337,"length":3607,"mime_type":"video/mp4","language":"eng-deu","filename":"36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-28T13:21:43.990+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10694-eng-deu-Intel_Management_Engine_deep_dive_hd.mp4","url":"https://api.media.ccc.de/public/recordings/42486","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":201,"length":3607,"mime_type":"video/mp4","language":"deu","filename":"36c3-10694-deu-Intel_Management_Engine_deep_dive.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-28T13:21:14.577+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10694-deu-Intel_Management_Engine_deep_dive.mp4","url":"https://api.media.ccc.de/public/recordings/42485","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":202,"length":3607,"mime_type":"video/mp4","language":"eng","filename":"36c3-10694-eng-Intel_Management_Engine_deep_dive.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-28T13:20:53.706+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10694-eng-Intel_Management_Engine_deep_dive.mp4","url":"https://api.media.ccc.de/public/recordings/42484","event_url":"https://api.media.ccc.de/public/events/4a4bb36e-70fa-4ee2-aa7e-1d0a4ccd74c1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"}]}