December 6, 2017

Recovering Huffman tables in Intel ME 11.x

Today Positive Technologies' expert Dmitry Sklyarov will explain how Intel ME 11.x stores its state on the flash and the other types of file systems that are supported by ME 11.x in London during his talk on Black Hat conference. Here is his articles about recovering Huffman tables in Intel ME 11.x

Many Intel ME 11.x modules are stored in Flash memory in compressed form [1]. Two different compression methods are used: LZMA and Huffman encoding [2]. LZMА can be decompressed using publicly available tools [3], but reversing Huffman encoding is a much more difficult challenge. Unpacking of Huffman encoding in ME is implemented in hardware, so writing the equivalent code in software is a far from trivial task—assuming it can be accomplished at all.

December 4, 2017

Positive Technologies on GitHub

Currently, an increasing number of companies, such as Google, Microsoft, Facebook, and JetBrains, are placing in open access the code of both small and big projects. Positive Technologies is famous not only for its skilled professionals in IT security but also for a lot of professional developers. This enables us to make a contribution into further development of the Open Source project.

PT has the following GitHub groups that support our open projects:

We have given a detailed description of the first group together with its projects and a brief description of others.

November 23, 2017

Intel fixes vulnerability found by Positive Technologies researchers in Management Engine

Intel has issued a security advisory and released a patch for a vulnerability discovered in Intel ME by Positive Technologies researchers Mark Ermolov and Maxim Goryachy. Intel has also published a downloadable detection tool so that administrators of Windows and Linux systems can determine whether their hardware is at risk.

Intel Management Engine is a proprietary dedicated microcontroller integrated into the Platform Controller Hub (PCH) with a set of built-in peripherals. Since the PCH is the conduit for almost all communication between the CPU and external devices, Intel ME has access to practically all data on the computer. The researchers found a flaw that allows running unsigned code on the PCH on any chipset for Skylake processors and later.