Open in app

Sign in

Write

Sign in

Ever Heard of MINIX?
It’s The World’s Most Widely Used Operating System

Have an Intel Processor? Then you’re a user!

RealWorldCyberSecurity
9 min readApr 24, 2020

MINIX: It’s the world’s most widely used operating system and another security threat that you’ve never heard of! Like all operating systems, it has bugs. Only you can’t patch the bugs in MINIX!

Introductory Note

If you are not familiar with the Intel Management Engine, I would recommend you first read the article, Negative Rings in Intel Architecture: The Security Threats You’ve Probably Never Heard Of.

Intel’s MINIX: So Many Questions. So Few Answers.

First, a few relevant facts.

If you have an Intel chipset in your computer, then you are running MINIX. It’s the operating system run by the “Ring -3” Intel Management Engine (ME), quite easily making it the world’s most widely used operating system.

As the underlying operating system for the ME, MINIX is quite likely also the world’s most privileged operating system. What do I mean by “privileged”? I mean that by MINIX being the basis for the ME, it has the ultimate undeniable control of more computers than anything else in the world.

Despite MINIX being designed as a high-security operating system, it still has to have bugs. All software, including all operating systems, has bugs.

MINIX is BSD-licensed. That means Intel can make changes to MINIX and not have to disclose those changes.

This leads to a whole slew of questions. Specific to Intel’s MINIX, what we really need to know is:

  • What bugs have been patched in MINIX?
  • What bugs haven’t?
  • What bugs lay unfound?
  • What changes has Intel made to MINIX?
  • What bugs have they inadvertently introduced?
  • What bugs does Intel know about but hasn’t disclosed?
  • What are the software development and test procedures used when modifying MINIX and when developing the ME applications that run on MINIX?
  • What types of outside third-party testing has been performed on Intel’s MINIX and the ME applications which run on MINIX?

Curious minds want to know!

Whose “curious minds,” you ask?

Black-Hat Hackers, of course! That is, state actors and those organizations who supply exploits to state actors. Well, those gals and guys, plus the worst of the cybercriminals.

Oh, and the above questions are just the tip of the iceberg of the questions regarding Intel’s ME and its MINIX implementation, for which Intel hasn’t supplied critically-needed answers.

A Few Basics

First: Okay, I lied. But, only slightly. I said you can’t patch MINIX, but that was in reference to MINIX on the ME. You can patch MINIX if you install it as an end-user operating system on some device. But, in its most widespread deployment — as the Intel Management Engine’s operating system — you can’t patch it. Only Intel can.

Want to experiment with MINIX? You can download it for free, here. You can quite easily run it as a VM to explore and study it.

Not familiar with the Intel Management Engine? Then you can read an overview of it here.

Finally, according to legend, MINIX was the inspiration for Linux.

A Security Threat

When I begin investigating a new device, a new piece of software, or a new operating system, my first question is always the same: How can it be used against me?

MINIX, by itself, isn’t necessarily a security threat. It’s where it is deployed that is the concern: Its deployment as the ME’s operating system is the threat it poses. In that role, the ramifications of a single remotely exploitable bug could be, well, catastrophic. Worldwide catastrophic. And that’s an understatement. It could literally become a “Pwn The World” level bug.

Don’t believe me about the threat posed by a bug in the ME? Then consider what the EFF has to say about the ME: Intel’s Management Engine is a security hazard, and users need a way to disable it. Yes, the ME’s use of MINIX is only one issue with the ME, but it is a significant part of the overall problem.

Why is MINIX a substantial part of the threat posed by the ME? Because even if the only function the ME performs is to boot the main processor, the ME is always running. Which means that MINIX is always exposed to potential attacks, even when the main processor in your computer is powered off.

MINIX is a critical component of the ME. Without MINIX’s continual execution, the ME would cease to function. The ME is non-functional without its operating system! It’s that simple.

Now, allow me to reiterate some of my initial points and elaborate on them.

MINIX is quite easily the world’s most widely used operating system. If you have a computer with an Intel processor which was manufactured in 2008 or later, you nearly certainly are using a computer in which the ME is a component. That means you are running MINIX on your computer. [See note 1.]

As the operating system running the ME, MINIX quite likely is the world’s most privileged operating system. As detailed in the blog article on negative rings, the ME is always running (even when your processor is powered off). And, it has full access to all of your computer’s resources, including its network connections. (Always running — I can’t emphasize that enough!) That makes the ME the most powerful (permissive) known component on your computer. That makes MINIX a critical linchpin in the security of nearly every laptop, desktop, or server computer in the world! [2]

MINIX has been designed as a high-security operating system. But, all software, including all operating systems, have bugs. Thus, MINIX most assuredly has undiscovered bugs. All the testing in the world isn’t going to discover all the bugs. Some “insignificant” bugs may not yet have publicly available patches. After all, it takes time from the discovery of a bug to the release of a patch for that bug.

The bigger problem is that bugs can’t be considered in isolation. Whereas one or two or three bugs may appear to be individually insignificant and unexploitable, combining those bugs in unpredictable ways may lead to a successful exploit. After all, are not many of today’s most serious pwns a result of multi-stage attacks?

What bugs have been patched in MINIX? What bugs haven’t? Fortunately, the known bugs in open-source MINIX are queryable by anyone, here. But, I have to ask: Is it a good idea to publish the known bugs in the operating system which underlies the majority of the world’s computers? At a minimum, publishing those bugs gives anyone intent on attacking Intel’s MINIX an easy starting point to being their exploitation research.

Which brings us to the question: What bugs lay unfound? That’s the potentially multi-million dollar question bug-bounty hunters are trying to answer.

Most assuredly, Intel has made changes to MINIX. Under MINIX’s license (BSD), Intel does not have to disclose those changes. Which begs two questions:

  1. What changes has Intel made to MINIX?
  2. What bugs have they inadvertently introduced?

Clearly, Intel isn’t going to disclose the known bugs in its version of MINIX until it has released patches for them. Meanwhile, they’re sitting ducks for curious minds intent on finding them.

Which brings us to another question: When was the last time you knowingly patched a bug in the ME on any of your systems, not less a MINIX bug in the ME? I can reasonably assure you the answer to the latter half of the question is “never,” as none of the security advisories issued by Intel explicitly identify the ME’s operating system as the source of the bug. A few identify web server bugs, but it isn’t clear if those are bugs in a MINIX web server package or in an Intel-supplied web server.

The first half of the question is more critical. Allow me to rephrase it: Is your ME up-to-date? Most likely, the only way you have of determining that is to check all of your operating system releases to see if the known ME vulnerabilities are included in an operating system patch you have applied to your system. [3]

Finally, there are unanswered questions regarding Intel’s secure software development practices for its ME product: What are the software development and test procedures used when modifying MINIX and when developing the ME applications that run on MINIX? What types of outside third-party testing has been performed on Intel’s MINIX and the ME applications which run on MINIX? Intel has been uncomfortably quiet about how it develops, tests, and maintains its ME product, and that includes its MINIX modifications for the ME.

We need to “trust but verify.” Intel is asking for trust, but not providing adequate verification. Intel needs a lot more disclosure in this area beyond “trust us.” At a minimum, Intel needs to present evidence of outside audits with a statement from the auditors as to what is and isn’t adequate about Intel’s secure development processes.

Wrap Up

MINIX is undeniably a good operating system for a product such as the Intel ME. The problem we have is not with MINIX per se. Rather, it is with Intel’s deployment of MINIX and its probable changes to it. The lack of disclosure by Intel as to how they have deployed MINIX and how they assure it is properly patched is the crux of the issue.

There are simply too many unknowns about the ME in general to have any real confidence in the security of the ME or its MINIX deployment.

MINIX is but one part of the issue here. But, it is arguably the most critical of our issues. Well, at least our known issues, that is.

Summary

Donald Rumsfeld famously stated, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.” In a simple paragraph, Rumsfeld summarized the most critical problems we face in systems, security, and software engineering, not to mention in intelligence and in a plethora of other disciplines.

The problem with Intel’s MINIX deployment is there are far too many known unknowns, not to begin to mention we don’t even have a means of quantifying how many unknown unknowns we need to consider.

Intel’s MINIX implementation is unquestionably the most security-critical operating system in existence. No, strike that: make it, “the most security-crucial operating system in existence.” One flaw, and it’s potentially “game over” for every Intel-based computer in the world.

And, in case you didn’t read the notes as they were referenced in the article, having an AMD processor shouldn’t give you any great comfort, either.

I’m not claiming that Intel (or AMD, or ARM, or any other processor manufacturer) is doing a lousy job of securing their products. In fact, I have every reason to believe that they are doing an excellent job of securing their products. What’s lacking is the publicly-available evidence to support that presumption. From the user’s viewpoint, security by obscurity is equivalent to no security at all.

In all of our processors today, we have absolutely too many unknown unknowns.

And, every one of them is a potential catastrophic-fail, simply waiting to happen.

Notes

  1. If your computer is so old that it doesn’t have a PCH chip, that doesn’t mean that it isn’t running the ME. The PCH is where the ME currently runs. In older chipsets, the ME ran in the Northbridge or other chips. Nearly all Intel processor chipsets produced in and after 2008 have included the ME.
  2. “But, I run AMD.” Congratulations. You still have problems. Just, maybe not MINIX problems. Even less is known about AMD’s Platform Security Processor (PSP). What is known is that it is an ARM co-processor inside the AMD processor chip itself. It reported deploys ARM’s TrustZone technology, and most likely runs either OP-TEE_OS or a highly-customized Linux variant as its operating system.
  3. I have found this to be a nearly impossible-to-answer question. If you read some OEM documentation, it will claim that a given system does not include the Intel Management Engine. If you have an Intel-based computer, that is a flat-out incorrect statement, as it is nearly impossible to have a bootable Intel computer without running the ME. (Exceptions: Intel systems manufactured before 2008 do not have an ME, and it is my understanding that a few ATOM-based systems don’t have it.)

    So, what does the “no ME included” statement actually mean? I can only speculate, but I can make two educated guesses. My first guess would be that the vendor actually means that they don’t support Intel’s AMT, and many systems don’t. That’s an entirely reasonable possibility. If that is what the OEM actually means, they should say exactly that. But, the lack of support of AMT does not exclude the need to patch the ME for non-AMT vulnerabilities (or, for non-AMT patches rolled into an AMT patch bundle). By not patching the ME “because it isn’t used,” the OEM is leaving the ME potentially open to exploitation.

    My second guess as to what “no ME included” could mean is, that after boot, the ME enters High Assurance Platform (HAP) mode. It is not entirely clear what HAP disables on the ME. But, HAP was allegedly developed to support the security requirements of certain TLA government agencies. If “no ME included” actually means “the ME runs in HAP mode,” that would most likely be a very good thing.

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.

About The Blogger

Featured Image

“MINIX 3 Inside” Fake Intel-Like Logo
“MINIX 3 Inside” Fake Intel-Like Logo
Cybersecurity
Minix
Intel Management Engine
Information Security
Operating Systems

--

--

RealWorldCyberSecurity

Written by RealWorldCyberSecurity

209 Followers

A blog discussing what we are doing wrong in security and how we need to fix it.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams