Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they’re buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
The backdoor is a deliberate addition by the manufacturer, not a design mistake; it is enabled by default on many systems. We give a live demonstration of using the backdoor to bypass all kernel and processor security checks, to give an unprivileged user root permissions. While the details are specific to one family of processors, we present convincing evidence that the problem may be widespread. With this in mind, we examine this problem and research as a stepping stone towards more broadly uncovering malicious functionality in a wide range of processors.
We propose ways of detecting and preventing these backdoors in the future, and conclude by open sourcing the tools we used to discover this backdoor, tools to build and execute payloads for the backdoor, tools for users to check if their systems are affected, and tools to patch the backdoor on affected systems. Most importantly, we leave the audience with insights on how to detect, exploit, and prevent these threats in the future.
