Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

GOD MODE UNLOCKED: Hardware Backdoors in x86 CPUs

Christopher Domas

3 vote(s)

Complexity is increasing.  Trust eroding.  In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out.  This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they're buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 - permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc. 
The backdoor is a deliberate addition by the manufacturer, not a design mistake; it is enabled by default on many systems.  We give a live demonstration of using the backdoor to bypass all kernel and processor security checks, to give an unprivileged user root permissions.  While the details are specific to one family of processors, we present convincing evidence that the problem may be widespread.  With this in mind, we examine this problem and research as a stepping stone towards more broadly uncovering malicious functionality in a wide range of processors. 
We propose ways of detecting and preventing these backdoors in the future, and conclude by open sourcing the tools we used to discover this backdoor, tools to build and execute payloads for the backdoor, tools for users to check if their systems are affected, and tools to patch the backdoor on affected systems.  Most importantly, we leave the audience with insights on how to detect, exploit, and prevent these threats in the future.
Christopher Domas is a security researcher and embedded systems engineer, currently investigating scalable IoT security.  He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), showing that all programs can be reduced to the same instruction stream (reductio), and the branchless DOOM meltdown mitigations.  His more relevant work includes the sandsifter processor fuzzer, the binary visualization tool ..cantor.dust.., and the memory sinkhole x86 privilege escalation exploit.