[Cryptography] God Mode backdoors

Henry Baker hbaker1 at pipeline.com
Tue Aug 14 10:52:01 EDT 2018


FYI --

https://www.tomshardware.com/news/x86-hidden-god-mode,37582.html

Hacker Finds Hidden 'God Mode' on Old x86 CPUs
by Paul Wagenseil August 9, 2018 at 5:06 PM

LAS VEGAS -- Some x86 CPUs have hidden backdoors that let you seize
root by sending a command to an undocumented RISC core that manages
the main CPU, security researcher Christopher Domas told the Black Hat
conference here Thursday (Aug. 9).

The command -- ".byte 0x0f, 0x3f" in Linux -- "isn't supposed to
exist, doesn't have a name, and gives you root right away," Domas
said, adding that he calls it "God Mode."

The backdoor completely breaks the protection-ring model of
operating-system security, in which the OS kernel runs in ring 0,
device drivers run in rings 1 and 2, and user applications and
interfaces ("userland") run in ring 3, furthest from the kernel and
with the least privileges. To put it simply, Domas' God Mode takes you
from the outermost to the innermost ring in four bytes.

"We have direct ring 3 to ring 0 hardware privilege escalation," Domas
said. "This has never been done."

That's because of the hidden RISC chip, which lives so far down on the
bare metal that Domas half-joked that it ought to be thought of as a
new, deeper ring of privilege, following the theory that hypervisors
and chip-management systems can be considered ring -1 or ring -2.

"This is really ring -4," he said. "It's a secret, co-located core
buried alongside the x86 chip. It has unrestricted access to the x86."

The good news is that, as far as Domas knows, this backdoor exists
only on VIA C3 Nehemiah chips made in 2003 and used in embedded
systems and thin clients. The bad news is that it's entirely possible
that such hidden backdoors exist on many other chipsets.

"These black boxes that we're trusting are things that we have no way
to look into," he said. "These backdoors probably exist elsewhere."

Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips
made in 2003, by combing through filed patents. He found one --
US8341419 -- that mentioned jumping from ring 3 to ring 0 and
protecting the machine from exploits of model-specific registers
(MSRs), manufacturer-created commands that are often limited to
certain chipsets.

Domas followed the "trail of breadcrumbs," as he put it, from one
patent to another and figured out that certain VIA chipsets were
covered by the patents. Then he collected many old VIA C3 machines and
spent weeks fuzzing code.

He even built a testing rig consisting of seven Nehemiah-based thin
clients hooked up to a power relay that would power-cycle the machines
every couple of minutes, because his fuzzing attempts would usually
crash the systems. After three weeks, he had 15 GB of log data -- and
the instructions to flip on the backdoor in the hidden RISC chip.

"Fortunately, we still need ring 0 access to start the launch process,
right?" Domas asked. "No. Some of the VIA C3 x86 processors have God
Mode enabled by default. You can reach it from userland. Antivirus
software, ASLR and all the other security mitigations are useless."

Domas has put all his research, plus tools to check whether your VIA
C3 CPU might have an undocumented coprocessor and to disable the
coprocessor by default, up on his GitHub page at
https://github.com/xoreaxeaxeax/rosenbridge.

---
Why do we even bother encrypting, when our chips are so corrupt?

I believe that these VIA chips ended up in some military hardware,
and possibly in some ATM machines.


This article strengthens my belief that *all* of our current chips
have hidden backdoors thanks to Uncle Sam.  No wonder China wants
to design & build their own chips!
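As an added, defender-side illustration of the inventory check the article mentions (this is not part of the post above, nor Domas's rosenbridge tooling): a small triage script that parses the /proc/cpuinfo text collected from Linux hosts and flags any that report a VIA/Centaur CPU whose model name contains "Nehemiah". The CPUID vendor string "CentaurHauls" is the real one used by VIA/Centaur parts; the host names and cpuinfo stanzas below are constructed sample data.

```python
"""Fleet triage: which Linux hosts report a VIA C3 Nehemiah CPU?

Added example, not the rosenbridge tools. It only matches the part the
article names; it does not probe the CPU or touch the hidden core.
"""
import re

# CPUID vendor string reported by VIA/Centaur processors.
VIA_VENDOR = "CentaurHauls"

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per 'processor' stanza."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends a stanza
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus

def classify(cpu):
    """'nehemiah' for the part the article names, 'via-other' for any
    other VIA/Centaur CPU (worth a closer look), 'other' otherwise."""
    if cpu.get("vendor_id") != VIA_VENDOR:
        return "other"
    if re.search(r"nehemiah", cpu.get("model name", ""), re.IGNORECASE):
        return "nehemiah"
    return "via-other"

def triage(hosts):
    """hosts: {hostname: cpuinfo text}. Returns the worst verdict per host."""
    rank = {"other": 0, "via-other": 1, "nehemiah": 2}
    result = {}
    for name, text in hosts.items():
        verdicts = [classify(c) for c in parse_cpuinfo(text)] or ["other"]
        result[name] = max(verdicts, key=rank.__getitem__)
    return result

# Constructed sample data: one old thin client, one ordinary build box.
SAMPLE_HOSTS = {
    "thin-client-01": "processor\t: 0\nvendor_id\t: CentaurHauls\n"
                      "cpu family\t: 6\nmodel name\t: VIA Nehemiah\n",
    "build-box": "processor\t: 0\nvendor_id\t: GenuineIntel\n"
                 "model name\t: Intel(R) Xeon(R) CPU\n\n"
                 "processor\t: 1\nvendor_id\t: GenuineIntel\n"
                 "model name\t: Intel(R) Xeon(R) CPU\n",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

Hosts flagged "nehemiah" are candidates for Domas's rosenbridge checks; "via-other" hosts are not known to be affected but are the same vendor family the article's caveat is about.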
