Mark Ermolov
Intel Platform RE/security researcher
168 Tweets · 39 Following · 1,548 Followers

Tweets
Mark Ermolov retweeted
Alexander Popov 16h
I don't think that I blocked a real "backdoor attempt": Sometimes code refactoring or innocent feature split can have security implications. Anyway, we should be on the lookout. Kudos,
Mark Ermolov retweeted
Daniel Bilar Jan 16
Muen uses VT-x, not ring-0/ring-3 transitions, as its isolation mechanism. The User/Supervisor bit in the page tables is not used for enforcement of access rights => precondition not met => not vulnerable. See Muen x86/64 Separation Kernel for High Assurance.
Mark Ermolov Jan 14
Using the vulnerability, we were able to program the Huffman decoder hardware, decoding the remaining unknown code words.
Mark Ermolov retweeted
Plato Mavropoulos Jan 13
Replying to @platomaniac
Added FPT, BPDT & CSE LT partition overlap check. Also CSE partition Size, Hash, OEM/FIT config & Out of Bounds module detection. Improved CPD entry count and ME 8+ FPT & BPDT entry display (-dfpt). Fixed bugs in CSE unpacking, S-BPDT & Manifest detection.
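Partition overlap and out-of-bounds checks of the kind described in the tweet above, as an added example. This is not ME Analyzer's code: the simplified entry layout (name, offset, size), the constructed sample table, the 16 MiB image size and the use of 0xFFFFFFFF as an "absent entry" marker are all assumptions made for illustration.

```python
"""
Layout sanity checks a firmware-image analyzer performs on a partition table:
partitions whose byte ranges overlap, and partitions that run past the end of
the image. Added example, not ME Analyzer's code; the entry format is a
stand-in for real FPT/BPDT entries and the sample table is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ABSENT = 0xFFFFFFFF  # assumed marker for an unused/empty table entry


@dataclass(frozen=True)
class Partition:
    name: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        # Python ints do not wrap, so a huge offset+size cannot masquerade
        # as a small, in-bounds value the way a 32-bit sum could.
        return self.offset + self.size


def live_partitions(parts: List[Partition]) -> List[Partition]:
    """Drop absent or zero-sized entries; sort by (offset, end) for sweeping."""
    return sorted(
        (p for p in parts if p.offset != ABSENT and p.size > 0),
        key=lambda p: (p.offset, p.end),
    )


def find_overlaps(parts: List[Partition]) -> List[Tuple[str, str]]:
    """Return name pairs whose ranges intersect (adjacency is not overlap)."""
    live = live_partitions(parts)
    overlaps: List[Tuple[str, str]] = []
    for i, a in enumerate(live):
        for b in live[i + 1:]:
            if b.offset >= a.end:
                break  # sorted by offset: nothing after b can start inside a
            overlaps.append((a.name, b.name))
    return overlaps


def find_out_of_bounds(parts: List[Partition], image_size: int) -> List[str]:
    """Return names of partitions not fully contained in [0, image_size)."""
    return [
        p.name
        for p in live_partitions(parts)
        if p.offset >= image_size or p.end > image_size
    ]


def check_layout(parts: List[Partition], image_size: int) -> Dict[str, list]:
    """Run both checks and return the findings together."""
    return {
        "overlaps": find_overlaps(parts),
        "out_of_bounds": find_out_of_bounds(parts, image_size),
    }


# Constructed sample table (not from any real image). The names are only
# meant to look like ME partition names; offsets/sizes are invented.
IMAGE_SIZE = 0x1000000  # assumed 16 MiB SPI image
SAMPLE_PARTITIONS = [
    Partition("FTPR", 0x1000, 0x80000),     # 0x1000 .. 0x81000
    Partition("MFS", 0x40000, 0x10000),     # sits inside FTPR -> overlap
    Partition("NFTP", 0x81000, 0x100000),   # starts exactly at FTPR end -> ok
    Partition("OEMP", 0xFF0000, 0x20000),   # ends at 0x1010000 -> out of bounds
    Partition("EMPTY", ABSENT, 0),          # unused entry, ignored
]

if __name__ == "__main__":
    result = check_layout(SAMPLE_PARTITIONS, IMAGE_SIZE)
    for a, b in result["overlaps"]:
        print(f"overlap: {a} and {b}")
    for name in result["out_of_bounds"]:
        print(f"out of bounds: {name}")
```

The sweep relies on sorting by offset so that each partition is compared only against the ones that start before it ends; adjacent partitions (one ending exactly where the next begins) are deliberately not reported. Doing the end-offset arithmetic in unbounded integers matters: an entry with a size chosen to wrap a 32-bit sum back into range would pass a naive check.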
Mark Ermolov retweeted
Alexander Popov Jan 12
I've sent the 7th version of the patch series introducing STACKLEAK to the Linux kernel mainline. Now STACKLEAK can erase the kernel thread stack from the trampoline stack, which was introduced in patchset.
Mark Ermolov Jan 11
Replying to @Evil_X_ @dakami and 5 others
Here we are talking about ME stolen memory. ME transactions to UMA can't be redirected because there is no DMAR unit for VCm. ME can also use other VCs to access host memory, but this is another story...
Mark Ermolov Jan 10
The ME 11.x kernel implements a strict segmented memory model, so user-mode processes have no way to access kernel memory through their LDT selectors.
Mark Ermolov Jan 10
We injected a CPUID instruction at runtime, but it's simply ignored without , so currently we don't know any way to determine this for certain.
Mark Ermolov Jan 10
Replying to @dakami @Evil_X_ and 5 others
It's accessed by the ME DMA engine issuing DMI transactions with a traffic class belonging to the VCm virtual channel. Those transactions can only access UMA and bypass VT-d. This is hardcoded in the PCI/DMI host bridge.
Mark Ermolov Jan 10
Also, the SPT_MASTER internal device names these cores "Minute IA". According to some Intel presentations it's based on a scalar 486 with the Pentium's ISA. Also, according to the VISA (Visualization of Internal Signals) templates for the Intel Trace tool from System Studio, ME and ISH are 486-based.
Mark Ermolov Jan 10
ME 11.x swaps out code pages to UMA only for LZMA modules. Huffman modules are paged in from SPI directly. All UMA pages (code and data) are encrypted with AES using a special UMA key.
Mark Ermolov Jan 10
As we saw, the SPT x86 cores (ME, ISH) have a JTAG IDCODE saying they belong to the LMT2 architecture (Lakemont, we think). This differs from the Quark SoCs. Some Quarks (according to the IDCODE from the Debug Op Ref Man) have the LMT arch, others LMT3.
Mark Ermolov retweeted
Jann Horn Jan 9
The PoC code referenced in our recent blogpost about CPUs is public now:
Mark Ermolov Jan 7
Replying to @platomaniac
Do you have any pre-production microcode binaries? We need those for extended JTAG features.
Mark Ermolov retweeted
Plato Mavropoulos Jan 6
Intel, AMD & VIA CPU Microcode Repositories! A community-assisted project aimed at collecting all the latest PRD CPU microcodes since 1995 from the three main vendors, in order to help people understand what they need to update, to research how they work, etc.
Mark Ermolov Jan 6
Where can we find his internal presentation you are speaking about?
Mark Ermolov retweeted
Igor Skochinsky Jan 5
Looks like some people actually care about AMD's PSP: BTW, ME also has an fTPM and is also mostly based on the spec's pseudocode... cc
Mark Ermolov retweeted
Kostya Kortchinsky Jan 4
Retpoline: a software construct for preventing branch-target-injection --
Mark Ermolov retweeted
Joanna Rutkowska Jan 5
And yet, as we just saw, hardware virtualization mitigates attacks (the most powerful of the recent attacks on processors), so...
Mark Ermolov Jan 4
Replying to @IgorSkochinsky
Probably for the new CPU interface controlling speculative indirect branch target injection.