
Hacker News Comments on
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs

Black Hat · Youtube · 193 HN points · 10 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Black Hat's video "GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs".
Youtube Summary
This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

By Christopher Domas

Full Abstract & Presentation Materials: https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
> we need tools that don't require so much blind trust

Completely agree.

> Open source and verifiable down to the firmware is the only chance we have at any real level of trust

The hardware itself could be compromised though. There's just no way to know what's really inside these black boxes.

https://youtu.be/_eSAF_qT_FY

We'll never have real trust until we get the ability to fabricate our own processors in our own home just like we already have the ability to write our own software.

hutzlibu
Well, I would love to print out my own CPU in the garage, but until then I would also be happy if the factories producing security-critical HW got frequent audits by qualified personnel, certifying and reviewing the build process.

Not very likely on a broader scale, though.

mohaine
This doesn't help completely unless you fabricated the fabricator on trusted parts as well. Unless you trust it there is nothing to prove that the fabricator isn't inserting back doors into whatever it prints.
biglost
https://wiki.c2.com/?TheKenThompsonHack

https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

Jan 14, 2020 · supercommand on _NSAKEY
Even then, assembly is too high level.

https://m.youtube.com/watch?v=eunYrrcxXfw

And then we get into hardware design...

https://m.youtube.com/watch?v=_eSAF_qT_FY

Yeah, Occam's razor says your efforts would be much better spent on flashing custom firmware than a retrofit. That or a deliberate backdoor built into the chip from the ground up.

Or something like this: https://m.youtube.com/watch?v=_eSAF_qT_FY

But a nearly magic rice-grain part with a microcontroller and networking?? You could make a fortune in IoT with something that capable.

Probably not.

However, historically, these sorts of attacks always get better, not worse.

And while even that can sometimes be empty rhetoric, I will say in the last 5 years I'm seeing a lot of security attacks that are already well beyond what even my moderately-trained intuition would suggest are possible, so I have to admit I've sort of given up on trying to guess whether or not an attack can be made practical. I've seen too many mind-blowing presentations from security researchers to think I can bound their abilities safely. I wouldn't care to bet that they won't move the attacks I already am flabbergasted can exist to some other even more practical attack that I am flabbergasted can exist.

This is unrelated to the current matter, but let me give you an example: https://www.youtube.com/watch?v=_eSAF_qT_FY If you think that's trivially obvious, and you're confident you can predict how these sorts of things will play out in the future, more power to you, but I'm certainly not justified in that belief at my skill level. I'm just happy I can follow that presentation!

cwkoss
Yeah, it seems that whenever an exploit "doesn't seem practical for actual use" it is just one more exploit-in-the-chain away from being operationalized.

So many systems have unspecified, undocumented and undertested behaviors that have not been exploited only because no one has ever tried.

biztos
Presumably there would be value in releasing the "impractical for actual use" version to the public after you have already operationalized and not before.
Feb 04, 2019 · 162 points, 26 comments · submitted by MagicPropmaker
PinguTS
It is a great story to tell. But actually it is a documented feature, as this datasheet from 2004 describes: http://datasheets.chipdb.org/VIA/Samuel2/VIA%20C3%20Samuel%2...

ALTINST is well known among C3 processors.

Karliss
Previous discussions:

https://news.ycombinator.com/item?id=17727140

https://news.ycombinator.com/item?id=17735830

j16sdiz
This chip is from 18 years ago. It was not uncommon to ship with the debug feature on back in those days, when microcode was innovative.
dang
Url changed from https://hackaday.com/2019/02/03/unlocking-god-mode-on-x86-pr..., which points to this.
cbhl
Article is new, but the linked YouTube video dates back to Aug 28, 2018.
MASM32_COM
I see someone found this. Kudos, OP. The most important takeaway from this is the practice of instruction set walking. The method has wide utility. All digital devices on the mobo can be probed with similar methods; this includes but is not limited to memory controllers, bus controllers, hard drive controllers, basically any embedded or integrated device. This is all about showing you how to get your foot in the door for a wild ride into low-level hardware reversing. My favorite sport.
MASM32_COM
Is there something wrong with low-level engineering? You don't want to lose sight of the utility of a tool simply because of a single case example.
ngcc_hk
Does the Minix in Intel have a similar hack?
alextooter
I guess it's maybe because VIA's CPU translates x86 instructions to RISC. So there is no hidden RISC core; the core is a RISC core that can be configured to x86 mode, and this guy found the hidden opcode to switch between the two.
beautifulfreak
What motivates a person to give a talk like this at Black Hat? A method to compromise CPUs by feeding them secret instructions seems like trouble the world doesn't need. Sure, he's only focused on an outdated system, but he's shown how to do it, and even gives away the tool. Is it like making smallpox virus available, so it can be studied? But how can hardware designers make any system safe from such tenacious probing? Imagine how different the world would be if there was no threat of exploitation.
sprayk
It is sort of assumed that such backdoors already exist, but only the big players (NSA, et al.) have access. This (and talks like this in general) aren't to let others know about this so they can own people; it's to empower the more regular people to be able to catch these backdoors and better choose which companies we support with our wallets.
deadbunny
Because sunlight is the best disinfectant. Imagine a world where exploitation was only in the hands of the powerful.
mverwijs
> Is it like making smallpox virus available, so it can be studied?

You do realize that smallpox was eradicated by introducing a malign version of smallpox as a vaccine? Kinda like 'black hat medicine'.
jacobush
Did you mean chickenpox?
mverwijs
https://en.wikipedia.org/wiki/Smallpox_vaccine
thg
This is neither secret, nor a backdoor (in the malicious sense). It's an officially documented[0] debug mode.

[0]: Page 85, http://datasheets.chipdb.org/VIA/EBGA/VIA%20C3%20EBGA%20Data...

oil25
This is about ancient VIA C3 processors, not your modern Intel/AMD. This isn't to say backdoors are implausible on modern processors (vulnerabilities in Intel ME/AMD PSP come to mind), but I would like to see some hard evidence before we panic and freak out. For now, "God Mode on x86 Processors" isn't something I will be losing sleep over, but I will cry about it into my beer ...

https://en.wikipedia.org/wiki/VIA_C3

djsumdog
Plus this isn't as undocumented as he would have you believe... I can't find it now, but I had a thread somewhere about how easy it was to find the PDF with the specific commands he had to reverse engineer; documented in published VIA specs.
cafxx
https://it.slashdot.org/comments.pl?sid=12465074&cid=5710734...
RachelF
And Wikipedia has an article on this VIA "Alternate Instruction Set", too: https://en.wikipedia.org/wiki/Alternate_Instruction_Set

It's still great hacking and fuzzing to find the privilege escalation instruction.

makomk
One of the interesting things that article points out is that apparently Windows automatically disables this feature on boot, so it's not going to be exploitable on most Windows systems.
h0l0cube
It seems the wiki article was created after the Blackhat Conference:

> 15:22, 10 August 2018 Sladen (talk | contribs) . . (2,003 bytes) +2,003 . . (initially populate based on news reports)

https://en.wikipedia.org/w/index.php?title=Alternate_Instruc...

jplayer01
It seems naive to me to believe that there aren't backdoors in AMD and Intel processors. Intelligence agencies have done far worse in our history than backdooring some electronic components. I'm not so sure why this is so unlikely, especially after the Snowden leaks showing us how far agencies like the NSA are willing to go.
aokiji
This is very reminiscent of the Code of Conduct recently integrated into Linux as a way to silence and expel the Linux developers who oppose Intel CIA-backed backdoors.
bittermang
So you're telling me I can't make my old Pentium immune to bullets?

Well that's disappointing.

barbecue_sauce
When you're ready, you won't have to.
wahern
AMD's Geode LX SoC won't ship its last order until this year, 2019. The Geode line predates the C3, and the Geode LX is just as old as the C3. I can't confirm when the C3 stopped shipping, but it was probably this decade.

As for microcode vulnerabilities, don't be surprised if they start coming down the pipeline. It was only recently that researchers figured out (publicly, at least) how to hack and upload microcode on Intel chips: https://media.ccc.de/v/34c3-9058-everything_you_want_to_know...

close04
Even more, this isn't even a backdoor. It's been in the official documentation since at least 2004. [0]

> This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture.

> This alternate instruction set is intended for testing, debug, and special application usage. Accordingly, it is not documented for general usage. If you have a justified need for access to these instructions, contact your VIA representative.

It then goes on to explain in detail the mechanism for initiating execution of this alternate set of instructions. So while I am sure the researchers put plenty of work into this, it seems reading the manual helped a lot more than one would expect for a "backdoor"...

[0] http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia...

This[0] is a backdoor that was discovered _only_ through reading patents on the chip. It gave the highest possible privilege (ring -4) to the user by simply running an undocumented CPU register. It would be incredibly easy to hide something like this within one of the hundreds of thousands of computers that go to the big 4 or even the Pentagon.

I'd imagine people at the Pentagon select randomly from a number of computers coming in and do some chip analysis like this[1], but I can only speculate, and they probably can't stop all the hardware backdoors this way.

Anybody that would be caught disclosing highly classified information would probably be found and promptly hanged (or get in some sort of freak car accident). They probably have some serious counterintelligence to catch the leaks. Once again, I am only speculating.

[0]: https://www.youtube.com/watch?v=_eSAF_qT_FY

[1]: https://www.youtube.com/watch?v=0Z4aF-qiziM

makomk
The existence of the VIA C3 "backdoor" was actually documented in the official datasheet, along with the correct MSR bit to enable/disable it. See page A-10 in appendix A: http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia... Apparently the researchers either couldn't find a copy or didn't notice that part.
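One way a Linux administrator could verify the state of that enable bit on a VIA C3 machine, as an added example (not code from the thread, the talk, or VIA): it assumes the bit is bit 0 of MSR 0x1107 (the Feature Control Register), which should be confirmed against the datasheet appendix cited above, and that the msr kernel module is loaded and the script runs as root.

```python
"""Added example: audit the VIA C3 ALTINST (alternate instruction set) enable bit.

Assumptions to verify against the VIA datasheet appendix cited in the thread:
  * the enable bit is bit 0 of MSR 0x1107 (Feature Control Register, FCR);
  * Linux, `modprobe msr` done, and root access to /dev/cpu/N/msr.
"""
import glob
import os
import re
import struct

FCR_MSR = 0x1107             # assumed FCR address (check datasheet appendix A)
ALTINST_BIT = 0              # assumed ALTINST enable bit within the FCR
VIA_VENDOR = "CentaurHauls"  # CPUID vendor string reported by VIA/Centaur cores


def altinst_enabled(fcr_value: int) -> bool:
    """True when the ALTINST enable bit is set in a raw 64-bit FCR value."""
    return bool((fcr_value >> ALTINST_BIT) & 1)


def is_via_cpu(cpuinfo_text: str) -> bool:
    """Parse /proc/cpuinfo text; only VIA parts have this FCR layout."""
    m = re.search(r"^vendor_id\s*:\s*(\S+)", cpuinfo_text, re.MULTILINE)
    return m is not None and m.group(1) == VIA_VENDOR


def read_msr(cpu: int, msr: int) -> int:
    """Read one MSR through the msr driver: the MSR number is the file offset."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def audit_altinst() -> dict:
    """Return {cpu_number: True if ALTINST is enabled} for every online CPU."""
    with open("/proc/cpuinfo") as f:
        if not is_via_cpu(f.read()):
            raise RuntimeError("not a VIA/Centaur CPU; FCR layout does not apply")
    result = {}
    for path in sorted(glob.glob("/dev/cpu/*/msr")):
        cpu = int(path.split("/")[3])
        result[cpu] = altinst_enabled(read_msr(cpu, FCR_MSR))
    return result


if __name__ == "__main__":
    for cpu, on in audit_altinst().items():
        print(f"cpu{cpu}: ALTINST {'ENABLED - investigate' if on else 'disabled'}")
```

An enabled bit on a production box is worth treating as a finding, since the thread notes Windows clears it at boot and nothing in normal operation needs it on.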
They're up front and open that they do.

Also, they're not that hard to dig out.

https://www.youtube.com/watch?v=_eSAF_qT_FY

Here is a demonstration by Christopher Domas where he uses an undocumented processor hidden in an x86 processor to become root: https://www.youtube.com/watch?v=_eSAF_qT_FY
bogomipz
Wow this was a great watch. Thanks!
Sep 04, 2018 · 1 points, 0 comments · submitted by cjdrake
Sep 01, 2018 · 3 points, 0 comments · submitted by ahane
Aug 29, 2018 · 21 points, 1 comments · submitted by keymone
Jedi72
WOW. Watch the first four mins for the demo, that's insane. "This isn't supposed to exist"
Aug 28, 2018 · 6 points, 0 comments · submitted by aeleos