Back in summer I have read a new book published by one of the core Intel architects about the Management Engine (ME). I didn't quite like what I read there. In fact I even found this a bit depressing, even though Intel ME wasn't particular news to me as we, at the ITL, have already studied this topic quite in-depth, so to say, back in 2008... But, as you can see in the linked article, I believed we could use VT-d to protect the host OS from the potentially malicious ME-based rootkits (which we demonstrated back then).
So, a few weeks after I read that book, I started thinking about how we could potentially get around this troublesome ME technology. Technology that Intel decided to serve to us on every new processor. I spoke to a few clever people, and concluded it's possible to come up with a reasonable solution that would require only minor hardware modifications. Modifications which could be done by laptop OEMs, or even by more advanced users.
We decided to write a paper describing this solution, but prior to that I wanted to write a short paper summarizing all the security (and trustworthiness) problems we face on x86, covering also other things, such as boot (in)security, not just the ME. I thought it would take me a week to write such a 5-10 pages paper...
Turned out it took me a few months (admittedly on and off) and some 50+ pages (admittedly with a not-so-small font, and with references spanning full 7 pages.). Oh, well.
As mentioned, the paper is mostly a (hopefully systematic) survey of the various problems and attacks presented against the x86 platform over the last 10 years.
This means the paper does not present new exploits, although I smuggled there maybe 2 or 3 new thoughts or ideas, which I believe have not been discussed publicly before.
The 2nd paper, the one about the practical defense, is coming soon... I will resist the temptation to say: "in the coming weeks", this time ;)
The sources for the paper (Markdown and Bibtex files) can be found in this repo, if anybody finds it more appealing to read it in Vim or Emacs.