28 comments

[ 3.9 ms ] story [ 75.3 ms ] thread
This is about ancient VIA C3 CPUs processors - not your modern Intel/AMD. This isn't to say backdoors are implausible on modern processors (vulnerabilities in Intel ME/AMD PSP come to mind), but I would like to see some hard evidence before we panic and freak out. For now, "God Mode on x86 Processors" isn't something I will be losing sleep over, but I will cry about it into my beer ...

https://en.wikipedia.org/wiki/VIA_C3

So you're telling me I can't make my old Pentium immune to bullets?

Well that's disappointing.

AMD's Geode LX SoC won't ship its last order until this year, 2019. The Geode line predates the C3, and the Geode LX is just as old as the C3. I can't confirm when the C3 stopped shipping, but it was probably this decade.

As for microcode vulnerabilities, don't be surprised if they start coming down the pipeline. It was only recently that researchers figured out (publicly, at least) how to hack and upload microcode on Intel chips: https://media.ccc.de/v/34c3-9058-everything_you_want_to_know...

Even more, this isn't even a backdoor. It's in the official documentation since at least 2004. [0]

> This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture.

> This alternate instruction set is intended for testing, debug, and special application usage. Accordingly, it is not documented for general usage. If you have a justified need for access to these instructions, contact your VIA representative.

It then goes on to explain in detail the mechanism for initiating execution of this alternate set of instructions. So while I am sure the researchers put plenty of work in this it seems reading the manual helped a lot more than one would expect for a "backdoor"...

[0] http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemia...

and Wikipedia has an article on this VIA "Alternate Instruction Set", too: https://en.wikipedia.org/wiki/Alternate_Instruction_Set

It's still great hacking and fuzzing to find the privilege escalation instruction.

One of the interesting things that article points out is that apparently Windows automatically disables this feature on boot, so it's not going to be exploitable on most Windows systems.
This is very reminiscent of the Code of Conduct recently integrated into Linux as a way to silence and expel the Linux developers who oppose Intel CIA-backed backdoors.
It seems naive to me to believe that there aren't backdoors in AMD and Intel processors. Intelligence agencies have done far worse in our history than backdooring some electronic components. I'm not so sure why this is so unlikely, especially after the Snowden leaks showing us how far agencies like the NSA are willing to go.
Is the minix - intel has similar hack?
This chip is 18 years ago. It was not uncommon to ship with debug feature on back in those days when microcode is innovative
Article is new, but the linked YouTube video dates back to Aug 28, 2018.
I see someone found this. kudos op. The most important takeaway from this is the practice of instruction set walking. The method has wide utility. All digital devices on the mobo can be probed with similar methods, this includes but is not limited to memory controllers bus controllers harddrive controllers, basically any embedded or integrated device. This is all about showing you how to get your foot in the door for a wild ride into low level hardware reversing. my favorite sport.
is there something wrong with low level engineering? You dont want to loose sight of the utility of a tool simply because of a single case example.
What motivates a person to give a talk like this at Blackhat? A method to compromise cpus by feeding them secret instructions seems like trouble the world doesn't need. Sure, he's only focused on an outdated system, but he's shown how to do it, and even gives away the tool. Is it like making smallpox virus available, so it can be studied? But how can hardware designers make any system safe from such tenacious probing? Imagine how different the world would be if there was no threat of exploitation.
it is sort of assumed that such back doors already exist, but only the big players (NSA, et al) have access. This (and talks like this in general) aren't to let others know about this so they can own people, it's to empower the more regular people to be able to catch these backdoors and better choose which companies we support with our wallets
Because sunlight is the best disinfectant. Imagine a world where exploitation was only in the hands of the powerful.
I guess,it's maybe because VIA's CPU is translate x86 instruction to RISC.So there is not hide RISC core,the core is RISC core,it can be configure to x86 mode,and this guy find the hidden op code to switch the two.