Permissions Level ring-1?

You are currently reading a thread in /g/ - Technology

Thread replies: 15
Thread images: 1
Is there such a ring, a level below ring0?

How can there be a privilege level higher than ring0, which can directly command the bare metal of a machine?

What is this mysterious ring negative 1, negative 2, etc?
>>
>>55341739
There is hardware that the "bare metal" of the machine doesn't control or see. Such as Intel management engine.
>>
>>55341770
So if Intel puts a killswitch or a spyware in there, you're fucked and there's nothing anything running on that system could do to prevent the worst case scenario right?
>>
>>55341818
Nothing running on the system would even know about it in the best case scenario.
>>
>>55341739
Good question. Ring -n is an incorrect term.

"Ring -1" in Windows is called VTL 0 (Virtual Trust Level). And "Ring -2" is VTL1.

This was introduced in Win8, but more prevalent and known in Win10.

Win10 has a HyperVisor which lives in VTL1. It has total control compared to any other component, and controls all access to hardware. So it has more control than the Windows OS itself, as Windows 10 is just a VM inside the proprietary closed-source secretive Windows HyperVisor.

At VTL 0 exists the secure kernel. Essentially the chain of control goes like this:

Win7: Windows -> NT kernel -> Hardware
Win10: Windows -> NT kernel -> Secure Kernel* -> HyperVisor* -> Hardware


In Win7, the NT kernel, which can be called by a Windows admin elevating to NT\SYSTEM, talks directly to hardware, hence the reason why MBR patching, OS patching etc could be done.
Now in Win10 the * components cannot be accessed by you even as admin. Even if you're NT\SYSTEM you only execute code at NT kernel, and Secure Kernel still doesn't trust you.

This is a very secure model by Windows. It has made it an extremely secure OS from malware. Not to mention the HyperGuard, PatchGuard, ControlFlowGuard etc that protect Windows from exploits and malware, and those Guards monitor everything for anything suspicious, and it's then sent to MS when found.

So the VTLs add tremendous security, and significantly move the attack vector from NT kernel (which has been showered with vulnerabilities) to components which are very secure. Not impossible to exploit, but you won't see willy-nilly exploits in the wild from now on, since they will be worth megabucks to the black market, gov agencies, and corporations.
>>
>>55342521
Finally something useful on /g/ for once.
>>
>>55342521
Linux on suicide watch
>>
>>55342521
But in a stricter sense of the term, isn't the firmware/UEFI and other hardware 'bare metal' software still the lowest level, lower than ring -1 or ring -2? Would that make the hardware level ring -3?
>>
>>55344168
> isn't the firmware/UEFI and other hardware 'bare metal' software still the lowest level
In a loose sense, yes, but firmware loaded is not strictly part of the Ring model, as it's not part of the control flow from usermode to access hardware. Firmware does the first boot to get components up and running, and it has burnt in signing keys in the firmware to check the next component is legit. And there's an entire chain of trust from firmware loading, Trusted Protection Models (TPM) checks, certs etc, until Windows boot. But yeah, firmware not part of protection Ring model.

> Would that make the hardware level ring -3?
Again, in a very loose sense "yes", but hardware itself is not part of the ring model. The ring model is to do with protected flow/access to hardware from user controlled input. Ring 3 (usermode) has the least access. Even Ring1 doesn't necessarily have any direct access to hardware in the new model, but the CPU architecture (AMD, Intel) requires CPU register 'CS' to have the code privilege level associated with execution of the page. So this new Windows model is a mix of CPU compatibility and software implemented additional protection (VTLs...).

Windows Usermode (Ring 3) -> Windows Kernelmode (Ring1) -> Secure kernel (Ring 0, VTL 0) -> HyperVisor (R0, VTL1) -> Hardware
>>
>>55344456
Cool, thanks for clearing that up. You're honestly really educated compared to the average /g/ retard this may be the best thread on here in a while.

Last question, Intel's management engine? (or whatever AMD's equivalent is) That's a firmware level but does a lot more than just boot/hardware initialization. It can be accessed on run time and has access to a whole mac address and network and whatnot. It's a significant security hole, how does Windows classify it? And what ring level would it be?
>>
>>55344168
>>55344577
From what I've read, exploits that can result in execution of code on on-die management processors that exist on newer CPUs like Intel's Management Engine and AMD's Platform Security Processor are generally considered to be ring -3.
>>
>>55344577

> Intel's management engine
Oh, that chip embedded in modern Intel chips. It's unique to Intel CPUs (I don't think AMD has an equivalent). It was originally designed for network stuff, allowing admins to remotely administrate stuff on their secured machines like critical updates, and fixes. A bit overkill for Intel to implement a solution like that, but now it's in all modern Intel CPUs. Makes me wary to buy them, as if someone finds a vulnerability and can send instructions to it, you have something very dangerous which bypasses Windows' entire secure model and can access any part of RAM or your physical disk. And of course since it was originally designed for remote administration, it has a full network layer stack with TCP/IP implementation.

Conspiracy theorists will go wild, claiming it's NSA driven. Maybe so, who knows..

> And what ring level would it be
It's not part of the ring model, as it bypasses Windows HyperVisor entirely. It can be accessed from a non-local user. It's literally:
Remote user -> Mobo network interface -> Intel IME chip

Where you have to send some sort of special sequence of network bytes for it to take a different route (not to main CPU, where it's Interrupted and handled by Windows), but it travels to the small Intel IME chip inside instead.
>>
>>55344883
>>55344767
I stand corrected. AMD does have an equivalent. "AMD's Platform Security Processor (PSP)". Never heard of that before, will have to find some technical docs on it sometime.
>>
>>55344982
It isn't completely equivalent as it wasn't originally included for the purpose of out of band management but rather secure memory management, though it still has complete access to and therefore potential control of all of your hardware like Intel's ME. You probably haven't heard because it first came out in ~2013 and is only in AMD's APUs as of currently as that's all they've released since 2013.
>>
>>55341739
Yes it exists. Yes it can be exploited. More here:
https://www.youtube.com/watch?v=QGuIGLz01hE