NSA/GCHQ etc God-Mode Access to Intel CPUs


This topic contains 3 replies, has 3 voices, and was last updated by Ed P 6 months, 2 weeks ago.

#30408

    Ed P
    Participant
    @edps

    You may remember last year’s revelations of how it could be possible for NSA/GCHQ to crack open any Intel powered machine. This has now been supplemented with a video giving some details.

    The following is the 2018 Black Hat presentation by Christopher Domas, which showed how it was possible to crack open the security of a specific range of Intel processors. The YouTube video starts with a harmless twenty-line demo Linux program plus one undocumented assembly language instruction which gives immediate root access, to a huge round of applause.

    The researcher started by wading through dozens of patents to discover the model-specific registers that enable someone to dive from the user level down below the hypervisor level into the CPU-specific microcode (hence the wade through patents). Much of the one-hour-long presentation describes this arduous process and the steps he took to automate the search for the God instructions.

    The crack works through the use of the undocumented cores that sit alongside the x86 silicon and perform supervisory duties. The video is interesting, but hard going unless you are comfortable with assembly language. A lot of his hard work was in reconstructing the deeply embedded instruction set for these undocumented cores.

    One thing that struck me was the time and expense (purchase of many target systems and setting up automated testing). Only a driven individual, nation state or competitor could do this work. Definitely not script-kiddy level, and tin-hats can take comfort in that this hack only works on one specific processor. It isn’t generic to all Intel chips, though the general architectures probably have many commonalities.

    All this SHOULD be protected by a GodMode bit, but it appears this is turned on for at least one processor.

#30428

    Dave Rice
    Moderator
    @ricedg

    And we’re worried about China and Russia? For real world provable exploits it seems it’s the Americans we need to be worried about.

    I suppose it’s no surprise that all governments want to spy on their own as well as others. But now their tools are being used by people who just want to disrupt.

    #30445

    Wheels-Of-Fire
    Participant
    @grahamdearsley

    Now that IS interesting and I greatly admire his approach. Finding the existence of an embedded RISC processor from the patents, finding an x86 instruction to enable it, finding an x86 bridge instruction whose second 32 bits are actually a RISC instruction and then decoding the RISC instruction set. Phew!

    Then 5 minutes before the end of the video he goes and spoils it all by telling us that you need kernel mode access to execute the instruction that enables the RISC CPU in the first place!

    So far he has managed to find just one VIA chip that boots up with the RISC CPU enable bit set by default, and that is aimed at embedded systems.

    Nice work though 😁

    #30448

    Ed P
    Participant
    @edps

    Comment deleted, but there are a LOT of Windows ring zero exploits floating around.
