{"id":13439273,"url":"https://github.com/xoreaxeaxeax/rosenbridge","last_synced_at":"2025-04-08T11:07:55.214Z","repository":{"id":37677829,"uuid":"144098696","full_name":"xoreaxeaxeax/rosenbridge","owner":"xoreaxeaxeax","description":"Hardware backdoors in some x86 CPUs","archived":false,"fork":false,"pushed_at":"2018-10-12T09:22:06.000Z","size":561,"stargazers_count":2360,"open_issues_count":13,"forks_count":226,"subscribers_count":87,"default_branch":"master","last_synced_at":"2025-04-01T09:29:23.323Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xoreaxeaxeax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-09T03:56:17.000Z","updated_at":"2025-03-23T16:10:05.000Z","dependencies_parsed_at":"2022-08-08T21:15:48.077Z","dependency_job_id":null,"html_url":"https://github.com/xoreaxeaxeax/rosenbridge","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xoreaxeaxeax%2Frosenbridge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xoreaxeaxeax%2Frosenbridge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xoreaxeaxeax%2Frosenbridge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xoreaxeaxeax%2Frosenbridge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xoreaxeaxeax","download_url":"https://codeload.github.com/xoreaxeaxeax/rosenbridge/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247829491,"owners_count":21002995,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:12.567Z","updated_at":"2025-04-08T11:07:55.196Z","avatar_url":"https://github.com/xoreaxeaxeax.png","language":"C","funding_links":[],"categories":["Tools","C","\u003ca id=\"04102345243a4bcaec83f703afff6cb3\"\u003e\u003c/a\u003e硬件设备\u0026\u0026USB\u0026树莓派"],"sub_categories":["RAT","\u003ca id=\"ff462a6d508ef20aa41052b1cc8ad044\"\u003e\u003c/a\u003e未分类-Hardware"],"readme":"## project:rosenbridge\n: hardware backdoors in x86 CPUs\n\ngithub.com/xoreaxeaxeax/rosenbridge // domas // @xoreaxeaxeax\n\n\u003cimg src=\"rosenbridge.gif\" width=\"500\"\u003e\n\n### Overview\n\nproject:rosenbridge reveals a hardware backdoor in some desktop, laptop, and\nembedded x86 processors.\n\nThe backdoor allows ring 3 (userland) code to circumvent processor protections\nto freely read and write ring 0 (kernel) data.  While the backdoor is typically\ndisabled (requiring ring 0 execution to enable it), we have found that it is\n*enabled by default* on some systems.\n\nThis repository contains utilities to check if your processor is affected, close\nthe backdoor if it is present, and the research and tools used to discover and\nanalyze the backdoor.\n\n### The Backdoor\n\nThe rosenbridge backdoor is a small, non-x86 core embedded alongside the main\nx86 core in the CPU.  It is enabled by a model-specific-register control bit,\nand then toggled with a _launch-instruction_.  The embedded core is then fed\ncommands, wrapped in a specially formatted x86 instruction.  The core executes\nthese commands (which we call the 'deeply embedded instruction set'), bypassing\nall memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been\nobserved to be *enabled by default* on some systems, allowing any unprivileged\ncode to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known\ncoprocessors on x86 CPUs, such as the Management Engine or Platform Security\nProcessor; it is more deeply embedded than any known coprocessor, having access\nto not only all of the CPU's memory, but its register file and execution\npipeline as well.\n\n### Affected Systems\n\nIt is thought that only VIA C3 CPUs are affected by this issue.  The C-series\nprocessors are marketed towards industrial automation, point-of-sale, ATM, and\nhealthcare hardware, as well as a variety of consumer desktop and laptop\ncomputers.\n\n### Looking Forward\n\nThe scope of this vulnerability is limited; generations of CPUs after the C3 no\nlonger contain this feature.\n\nThis work is released as a case study and thought experiment, illustrating how\nbackdoors might arise in increasingly complex processors, and how researchers\nand end-users might identify such features.  The tools and research offered\nhere provide the starting point for ever-deeper processor vulnerability\nresearch.\n\n### Checking your CPU\n\nTo check if your CPU is affected:\n\n```\ngit clone https://github.com/xoreaxeaxeax/rosenbridge\ncd rosenbridge/util\nmake\nsudo modprobe msr\nsudo ./bin/check\n```\n\nThe provided utility must be run on baremetal (not in a virtual-machine), and is\nin an *alpha* state.  It may crash, panic, or hang systems not containing the\nbackdoor.\n\nThe utilities provided here are designed around a specific processor family and\ncore; unfortunately, the tools will miss the backdoor if it has been even\nslightly modified from the researched form.\n\n### Closing the Backdoor\n\nSome systems have the backdoor enabled by default, allowing unprivileged code to\ngain kernel level access without permission.  If the steps in 'Checking your\nCPU' indicate that your CPU is vulnerable, you can install a script to close the\nbackdoor early in the boot process:\n\n```\ncd fix\nmake\nsudo make install\nreboot\n```\n\nNote that, even with this, an attacker with kernel level access can still\nre-enable the backdoor.  This script is provided as an outline for correcting\nthe issue during the boot process, but will require adaptation for different\nsystems.\n\n### Tools and Techniques\n\nThe [sandsifter](https://github.com/xoreaxeaxeax/sandsifter) utility is used\nextensively in this research for uncovering unknown instructions.\n\n* asm\n\n\tAn assembler for the Deeply Embedded Instruction Set (DEIS).  It converts\n\tprograms written in the custom rosenbridge assembly into x86 instructions,\n\twhich, when executed following the _launch-instruction_, will send the\n\tcommands to the hidden CPU core.\n\n* esc\n\n\tA proof-of-concept of using the rosenbridge backdoor for privilege\n\tescalation.\n\n* fix\n\n\tA rough outline for closing the vulnerability on affected systems, to the\n\textent possible through model-specific-register updates.\n\n* fuzz\n\n\tA collection of utilities used to fuzz both the x86 and rosenbridge cores,\n\tin order to isolate the unknown _launch-instruction_ and\n\t_bridge-instruction_, and resolve the instruction format of the rosenbridge\n\tcore.\n\n\t* deis\n\n\t\tThe fuzzer used to explore the effects and capabilities of the\n\t\thidden CPU core.\n\n\t* exit\n\n\t\tIt is thought that, on some processors, an exit sequence is needed to\n\t\tswitch back to the x86 core at the end of a DEIS sequence.  This\n\t\tdirectory contains the utilities used to search for the exit sequence in\n\t\tearly stages of the research, but was abandoned when a processor was\n\t\tfound not requiring any such sequence.\n\n\t* manager\n\n\t\tA collection of python utilities designed to monitor and manage fuzzing\n\t\ttasks distributed across a network of workers.\n\n\t* wrap\n\n\t\tA stripped down version of the sandsifter fuzzer, used to identify the\n\t\tbridge-instruction that will send commands from the x86 core to the\n\t\thidden rosenbridge core.\n\t\t\n* kern\n\n\tA collection of helper utilities used to monitor kernel memory and registers\n\tfor changes caused by fuzzed DEIS instructions.\n\n* lock\n\n\tUtilities to lock or unlock the rosenbridge backdoor.\n\n* proc\n\n\tA tool to identify patterns from the fuzzing logs to identify classes of\n\tDEIS instruction behaviors.\n\n* test\n\n\tA tool used early in the research, to attempt to identify the hidden core's\n\tarchitecture by executing known RISC instructions.\n\n* util\n\n\tAn alpha-state tool to detect whether or not a processor is affected by\n\trosenbridge.\n\n### References\n\n(TODO: link to whitepaper)\n\n(TODO: link to slides)\n\n### Disclaimer\n\nThe details and implications presented in this work are the authors’ inferences\nand opinions, derived from the research described.  The research is performed\nand provided with the goal of identifying and fixing a perceived security\nvulnerability on the described CPUs.  VIA processors are renowned for\ntheir low power usage and excellence in embedded designs; we believe that the\nfunctionality described was created in good faith as a useful feature for the\nembedded market, and was unintentionally left enabled on some early generations\nof the processor.  No malicious intent is implied.\n\n### Author\n\nproject:rosenbridge is a research effort from Christopher Domas\n([@xoreaxeaxeax](https://twitter.com/xoreaxeaxeax)).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxoreaxeaxeax%2Frosenbridge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxoreaxeaxeax%2Frosenbridge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxoreaxeaxeax%2Frosenbridge/lists"}