Depending on how you look at it, the Intel technology known as Visualization of Internal Signals Architecture, or VISA, is either a feature or a bug. It exists in the Platform Controller Hub (PCH) of Intel-based computer systems, and it’s controlled by the Intel Management Engine. The role of the VISA technology is to provide a flexible signals analysis processor that can be used in debugging of computer hardware, primarily computer system boards.
The Intel Management Engine that controls the VISA technology is a small, low-power embedded computer that runs a modified version of the MINIX operating system. While Intel doesn’t talk about the IME, its existence has been known for a few years. The existence of the VISA technology was discovered by security researchers at Positive Technologies last year.
Intel does have documentation regarding the VISA technology, but it’s protected by an NDA and access is tightly controlled. However, two researchers at Positive Technologies, Maxim Goryachy and Mark Ermolov, report that they’ve discovered the capabilities of the VISA technology, and they’ve found ways to enable it and use the data to discover the inner workings of a computer system that contains it.
Announced at Black Hat Asia March 28
The researchers announced their findings at Black Hat Asia on March 28. They said that a vulnerability they’d previously discovered (INTEL-SA-00086) that allowed them to run unsigned code in the Intel Management Engine also allowed them access to the VISA hardware.
Normally, VISA is disabled on commercial computer systems, but the Positive Technologies team was able to use their access to the IME to enable it. Once they had access, they were able to discern details about the PCH, and from that they found that data from within the computer and its peripherals could be read. Essentially, they had full access to everything on the computer.
In response to the revelation, Intel announced that a 2017 update to the Management Engine made the attack impossible. However, the researchers also said that it was possible to downgrade the firmware to an earlier version and still get access to the VISA hardware and the data to which it has access.
In response to questions, Goryachy and Ermolov told eWEEK in an email that the vulnerability only affects 6th-generation and later Intel processors, including Skylake and Kaby Lake, and they said it will be in future Intel processors. “It is a debugging technology, but it was hidden from public for internal use only,” they wrote.
May Help Detect Speculative Execution Attacks
They also revealed one of the basic reasons that the VISA technology exists, in addition to being used for testing in a manufacturing setting. x86 researchers will find it useful, but most important, it may provide a means of detecting speculative execution attacks, such as Meltdown and Spectre.
“The main issue while studying the speculative execution is getting feedback from the hardware. This technology provides an exact way to observe the internal state of CPU/SoC and confirm any suppositions,” they said in their email.
Considering that speculative execution vulnerabilities continue to be found, and that their severity has grown, being able to detect such an attack could be an important tool for fighting it.
Meanwhile, it’s also important to develop tools to protect against such attacks, which requires detailed knowledge of how the VISA technology works and how to reach it. Goryachy and Ermolov provided this information in their Black Hat presentation, and you can see the XML they used in the process when you look at the actual slides.
For those of you who are (like me) seriously geeky, the presentation makes fascinating reading. My guess is that Intel’s next step is going to be finding a way to prevent downgrading the firmware, which in turn will prevent at least some of the ways this vulnerability can be exploited.
Physical Access to VISA Tech Required
For everyone else, what you need to know is that the only way (right now at least) to gain access to the VISA technology is to have physical access to the computer involved. But once there, all an attacker is likely to need is access to a USB port. The researchers show how this can be done in their presentation.
But other research has shown that access to the management engine may be possible through a network connection. If that turns out to be the case, then remote hacking becomes possible because physical access is no longer required.
What this does tell you is that physical security continues to be critically important. It’s now clear that a threat actor with physical access can find a way to siphon off your data in even more ways than you previously knew. But it also means that you need to monitor your network, especially those segments that contain machines with critical data, and to find intrusions when they begin—not at some point while they’re already ongoing.
Meanwhile, one hopes that Intel will find a way to permanently disable the features that aren’t needed when their chips and system boards leave the manufacturing line.