December 7, 2017

What Is MINIX? Is The World’s Most Popular OS A Threat?

What operating system do you use on your computer? Linux? Microsoft Windows? Mac OS X? You could be running any of the countless operating systems available in the market, but that's not the only operating system you are running. If you have a modern Intel CPU (released in the last few years) with Intel’s Management Engine built in, you have another operating system running.

You might not have had any clue about it, but inside your Intel system, you have an operating system called ‘MINIX’ running in addition to your main OS. And it’s raising eyebrows and concerns.

So, what is MINIX?

It is an operating system that Intel puts deep inside your computer. This Unix-like OS was developed by Andrew Tanenbaum in 1987 as an education tool — to demonstrate the working of an OS.

It’s said that MINIX influenced the development of the Linux kernel created by Linus Torvalds. However, the two have major differences in their design.

Since the release of MINIX 3, it has been developed as a microkernel OS. You can find MINIX 3 running on every Intel-powered desktop, laptop or server launched after 2015. This surely makes it the most used operating system in the world, although you don’t use it yourself at all.

Why has having MINIX concerned people?

A closed source version of MINIX (which itself is an open source OS) exists on its own CPU (Intel Management Engine) that we (the user/owner of the machine) don’t have access to, but it has complete access to the system memory, hard drive, and TCP/IP stack. In short, all of it. That level of privilege can make people uncomfortable.

The Intel Management Engine is a small, low-power computer subsystem, built into many Intel® Chipset–based platforms. It performs various tasks while the system is in sleep, during the boot process, and when your system is running.

Typically, x86-based computers run their software at different privilege levels, or “rings”, which are used to enable different levels of protection. The most privileged ring, which users can’t access, is “Ring -3” (that’s “negative 3”). MINIX exists on “Ring -3” on its own CPU. Most user applications or programs run at the less privileged “Ring 3” (without the negative), and they have the least access to the hardware. The lowest “Ring” you have any real access to is “Ring 0,” which is where the kernel of your OS (the one that you actually chose to use, such as Linux) resides. The lower the number a program runs at, the more access it has to the hardware. Bare-metal hypervisors, such as Xen, run on ring -1. Unified Extensible Firmware Interface (UEFI) runs on ring -2. Rings two and one don’t tend to be used.

However, MINIX runs on ring -3. This indicates that you have zero access to MINIX, but MINIX has total and complete access to your computer. You can’t see it or control it, but it knows all and sees all, which presents a huge security risk.

So, what can happen?

According to Google, which is actively working to remove Intel’s Management Engine (MINIX) from their internal servers (for obvious security reasons), the following features exist within that super-secret Ring -3:

  • TCP/IP networking stacks (4 and 6)
  • File systems
  • Many drivers (including USB, mouse, disk, networking, etc.)
  • A web server

That means your CPU has a secret web server that you are not allowed to access. And apparently, Intel does not want you to know about it. The fact that Ring -3 has 100 percent access to everything on the computer, and that MINIX can act as a web server there, should make you just a teensy bit nervous.

Why on this Earth is there a web server in a hidden part of my CPU? WHY?

MINIX also has access to your passwords. It can also reimage your computer’s firmware even if it’s powered off. That means that if your computer is “off” but still plugged in, MINIX can still potentially change your computer’s fundamental settings.

Another shocker is that the Management Engine chip can upload and download data packets even if the firewall of your main OS is turned on.

What’s the Solution?

Well, the solution is not “Switch to AMD chips”. The AMD Accelerated Processing Unit (APU) line of microprocessors has a similar feature: it embeds an extra ARM-based microcontroller, and that’s also a mysterious black box.

According to Ronald Minnich, a Google software engineer who discovered this hidden MINIX operating system inside Intel processors, “the only solution I can see is for Intel to dump its MINIX code and use an open-source Linux-based firmware. This would be much more secure. The current software is only secured by ‘security by obscurity’.”

So, what do you think about MINIX and Intel’s ME chip? Drop your thoughts in the comments below.

About the author 

Chaitanya

