2017-11-07

MINIX: Intel's Hidden In-chip Operating System

Posted by msmash
Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer, reported that systems using Intel chips that have AMT are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified, since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.

  • Now I have to go change my pants

  • Three questions (Score:1)

    by Anonymous Coward

    1) Do AMD processors have similar vulnerabilities or is this an Intel issue only?

    2) Why isn't Intel being held responsible to fix this, either by action of lawmakers or through lawsuits for providing a faulty product?

    3) Shouldn't Intel either have to patch the vulnerabilities or issue a recall?

    • 2 and 3: (Score:1)

      by Anonymous Coward

      Because it is functioning as intended for its usage among authoritarian regimes (the US included thanks to Congress, the NSA, CIA, and domestic SigInt/PsyOps.)

      The Clipper chip concept was never off the table; its implementation just became less 'warrant and seize' and more 'illegal wiretap'.

  • No mention of AMD? (Score:3)

    by Zobeid ( 314469 ) on Tuesday November 07, 2017 @09:12AM (#55505417)

    Do AMD processors have any counterpart of this nonsense?

  • Overblown -- oh and AMD isn't any better (Score:3, Interesting)

    by CajunArson ( 465943 ) on Tuesday November 07, 2017 @09:12AM (#55505423) Journal

    This stuff is overblown since these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.

    Oh, and don't think your magical AMD saviours are any better. There's a TrustZone processor that you have zero control over embedded in their products that does the exact same bad stuff.

    • these management engines are only ever active in a limited set of corporate environments where out-of-band management is a huge plus that actually improves security by not requiring your IT drone to physically access every system even if it's turned off.

      I think you mean that they only have a use to the consumer in a limited set of corporate environments. IME is active on all their chips.

    • Re: (Score:1)

      by Anonymous Coward

      The ME is actually active all the time. Basically the modern Intel architecture just doesn't live without ME managing things. It may not be network enabled or remote accessed depending on the configuration, but it's pretty much always there now, and always active.

      Even the vendors don't really know what all it may be doing, just that they have to interact with it to provide certain features or interrogate it to explain why the system decided to go haywire.

  • and we should worry about chinese and russian hackers...

  • How is this news again? (Score:3)

    by Gabest ( 852807 ) on Tuesday November 07, 2017 @09:14AM (#55505435)

    Before the cloud, people used to put their own servers in server rooms. That's the interface to manage your machine from outside.

    • The new part is that you make people pay you for putting the computers you manage into their server room, pay for the power to run them and put their software for you to manage on it.

      It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.

      • Re: (Score:2)

        by arth1 ( 260657 )

        It's kinda like being the admin for a server farm, only that you don't get paid, but in return, neither do you have to pay for anything, you're not responsible for anything you do to the computers and you can do with the software and data on them whatever you please.

        Oh, you still pay for it. The fees include both hardware, operating costs and administration (done by largely unqualified people, but still administration of sorts). It's just cheaper due to scale.
        And you're still responsible - the contracts tend to have clauses that you must not interfere with the hosting or other services. So if you deliberately break the hardware through software (quite doable, alas), don't expect them to blindly replace broken gear forever.

        • No, I thought he meant the manufacturer was the admin who didn't get paid, didn't have to pay anything and could do whatever they want.

    • Before the cloud, people used to put their own servers in server rooms. That's the interface to manage your machine from outside.

      This doesn't prevent a system from coming into your environment already compromised. That, to me is the scary part. Your order could be intercepted and compromised or compromised at the vendor before shipment. And there is no way to scan the subsystem for threats.

  • I did, and apparently Minux is safe! :)

  • The years of the Minux desktop (Score:5, Insightful)

    by sinij ( 911942 ) on Tuesday November 07, 2017 @09:29AM (#55505535)

    Apparently, we have been having years of Minux desktop all this time and never knew.

  • Tanenbaum: a professor of Computer Science...? (Score:5, Informative)

    by Barnoid ( 263111 ) on Tuesday November 07, 2017 @09:29AM (#55505537)

    Kids these days...

    Andrew S. Tanenbaum is the original creator of MINIX, not just "a professor" at Vrije Universiteit.

  • We can always use a Raspberry Pi, right?

  • that's been around for decades? except they add more stuff to it and now it runs in a separate processor?

  • if my computer starts acting odd like it is being remote controlled I will first wipe the drive and do a clean install with a newer, cleaner, more secure operating system, and if this bad behavior still persists I will take a fucking 8 pound sledge hammer to it and turn it into a pile of junk in short time

  • This is a little bit awesome, though. (Score:4, Interesting)

    by Seven Spirals ( 4924941 ) on Tuesday November 07, 2017 @09:44AM (#55505609)

    I've been a MINIX user for a long time. I was introduced to it in college in my operating systems course by the Tanenbaum book. This in-chip weirdness is, uhm, bizarre. However, MINIX is still interesting. It's one of the few microkernel based Unix variants and its innards are particularly clean and easy to hack on due to its heritage as a teaching OS. I don't know what the hell Intel was thinking, but don't blame MINIX. Go install it and use this as an excuse to get your own hands dirty. :-)

    • I've been waiting for someone to port Linux interfaces for SystemD (previously udev, kevents, and HAL) to Minix for a while, which would make it capable of replacing the Linux kernel.

      Beyond that, you'd need to port in the file system and hardware drivers. Since they're separate services, you can make GPL versions out-of-tree and just load them into Minix. In-tree versions of adapted NetBSD, FreeBSD, or DragonFlyBSD drivers are allowable.

      • I've been waiting for someone to port Linux interfaces for SystemD (previously udev, kevents, and HAL) to Minix for a while, which would make it capable of replacing the Linux kernel.

        While I see what you are getting at and it's a laudable goal, I don't see anyone wanting to dig into systemd to do it. It's like dissecting a skunk. You might learn something, and even do something to help, but it won't be pleasant.

  • joke

    Customers buying Intel Products!! Only to have Intel consume 90% of the processing power "To Mine Bitcoin " for their own profit. ;) Woot ;)

    Bill Gates was Right!! People only do need 640k and 4.77MHz ;) lol

    /joke

  • So it's a backdoor/// (Score:3)

    by evolutionary ( 933064 ) on Tuesday November 07, 2017 @10:03AM (#55505735)

    Let's call this what it is: a variation of the "clipper chip" like the government tried to do years ago, except this is more powerful and way worse. It's a backdoor that can potentially operate at a level few not in certain government departments or Intel top level developers can access. Perhaps it's time to give Intel the cold shoulder. Need to confirm if AMD has this backdoor OS in its processors or not. Wonder how China and Russia respond to this sort of thing? Will we ever see an end of this screwing the end user for corporate and/or government interests?
  • Minix, that's terrible. What I want to know is why they aren't running HURD.
  • Too lazy to track this down, but I recall something about this Linux thing from Linus Torvalds in the mid 90s ;) lol
  • Wow - that open letter is horrible. It just continues the old UNIX wars: "look how cool I am, *my* OS is used everywhere --- thanks to the superior microkernel approach and license. Boo GPL". Not even a mention of the fact that it is used to spy on users...
  • this was reported 4 years ago and I remember reading this article awhile back:

    https://www.eteknix.com/expert... [eteknix.com]
  • This is a huge plot twist in a longstanding argument (monolithic vs. microkernel). It had been widely believed Minix was all but dead, but it looks like Minix won against Linux in a way, even if used for evil. Mr. Torvalds is probably not very happy that Intel didn't choose his kernel for their evil deeds.

