https://github.com/xoreaxeaxeax/rosenbridge

Hardware backdoors in some x86 CPUs
https://github.com/xoreaxeaxeax/rosenbridge

Last synced: about 2 months ago
JSON representation

Hardware backdoors in some x86 CPUs

• Host: GitHub
• URL: https://github.com/xoreaxeaxeax/rosenbridge
• Owner: xoreaxeaxeax
• License: mit
• Created: 2018-08-09T03:56:17.000Z (about 6 years ago)
• Default Branch: master
• Last Pushed: 2018-10-12T09:22:06.000Z (almost 6 years ago)
• Last Synced: 2024-05-08T13:31:34.103Z (5 months ago)
• Language: C
• Homepage:
• Size: 548 KB
• Stars: 2,326
• Watchers: 89
• Forks: 226
• Open Issues: 13
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-list - rosenbridge

README

        
## project:rosenbridge

: hardware backdoors in x86 CPUs

github.com/xoreaxeaxeax/rosenbridge // domas // @xoreaxeaxeax



### Overview

project:rosenbridge reveals a hardware backdoor in some desktop, laptop, and

embedded x86 processors.

The backdoor allows ring 3 (userland) code to circumvent processor protections

to freely read and write ring 0 (kernel) data.  While the backdoor is typically

disabled (requiring ring 0 execution to enable it), we have found that it is

*enabled by default* on some systems.

This repository contains utilities to check if your processor is affected, close

the backdoor if it is present, and the research and tools used to discover and

analyze the backdoor.

### The Backdoor

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main

x86 core in the CPU.  It is enabled by a model-specific-register control bit,

and then toggled with a _launch-instruction_.  The embedded core is then fed

commands, wrapped in a specially formatted x86 instruction.  The core executes

these commands (which we call the 'deeply embedded instruction set'), bypassing

all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been

observed to be *enabled by default* on some systems, allowing any unprivileged

code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known

coprocessors on x86 CPUs, such as the Management Engine or Platform Security

Processor; it is more deeply embedded than any known coprocessor, having access

to not only all of the CPU's memory, but its register file and execution

pipeline as well.

### Affected Systems

It is thought that only VIA C3 CPUs are affected by this issue.  The C-series

processors are marketed towards industrial automation, point-of-sale, ATM, and

healthcare hardware, as well as a variety of consumer desktop and laptop

computers.

### Looking Forward

The scope of this vulnerability is limited; generations of CPUs after the C3 no

longer contain this feature.

This work is released as a case study and thought experiment, illustrating how

backdoors might arise in increasingly complex processors, and how researchers

and end-users might identify such features.  The tools and research offered

here provide the starting point for ever-deeper processor vulnerability

research.

### Checking your CPU

To check if your CPU is affected:

```

git clone https://github.com/xoreaxeaxeax/rosenbridge

cd rosenbridge/util

make

sudo modprobe msr

sudo ./bin/check

```

The provided utility must be run on baremetal (not in a virtual-machine), and is

in an *alpha* state.  It may crash, panic, or hang systems not containing the

backdoor.

The utilities provided here are designed around a specific processor family and

core; unfortunately, the tools will miss the backdoor if it has been even

slightly modified from the researched form.

### Closing the Backdoor

Some systems have the backdoor enabled by default, allowing unprivileged code to

gain kernel level access without permission.  If the steps in 'Checking your

CPU' indicate that your CPU is vulnerable, you can install a script to close the

backdoor early in the boot process:

```

cd fix

make

sudo make install

reboot

```

Note that, even with this, an attacker with kernel level access can still

re-enable the backdoor.  This script is provided as an outline for correcting

the issue during the boot process, but will require adaptation for different

systems.

### Tools and Techniques

The [sandsifter](https://github.com/xoreaxeaxeax/sandsifter) utility is used

extensively in this research for uncovering unknown instructions.

* asm

	An assembler for the Deeply Embedded Instruction Set (DEIS).  It converts

	programs written in the custom rosenbridge assembly into x86 instructions,

	which, when executed following the _launch-instruction_, will send the

	commands to the hidden CPU core.

* esc

	A proof-of-concept of using the rosenbridge backdoor for privilege

	escalation.

* fix

	A rough outline for closing the vulnerability on affected systems, to the

	extent possible through model-specific-register updates.

* fuzz

	A collection of utilities used to fuzz both the x86 and rosenbridge cores,

	in order to isolate the unknown _launch-instruction_ and

	_bridge-instruction_, and resolve the instruction format of the rosenbridge

	core.

	* deis

		The fuzzer used to explore the effects and capabilities of the

		hidden CPU core.

	* exit

		It is thought that, on some processors, an exit sequence is needed to

		switch back to the x86 core at the end of a DEIS sequence.  This

		directory contains the utilities used to search for the exit sequence in

		early stages of the research, but was abandoned when a processor was

		found not requiring any such sequence.

	* manager

		A collection of python utilities designed to monitor and manage fuzzing

		tasks distributed across a network of workers.

	* wrap

		A stripped down version of the sandsifter fuzzer, used to identify the

		bridge-instruction that will send commands from the x86 core to the

		hidden rosenbridge core.

		

* kern

	A collection of helper utilities used to monitor kernel memory and registers

	for changes caused by fuzzed DEIS instructions.

* lock

	Utilities to lock or unlock the rosenbridge backdoor.

* proc

	A tool to identify patterns from the fuzzing logs to identify classes of

	DEIS instruction behaviors.

* test

	A tool used early in the research, to attempt to identify the hidden core's

	architecture by executing known RISC instructions.

* util

	An alpha-state tool to detect whether or not a processor is affected by

	rosenbridge.

### References

(TODO: link to whitepaper)

(TODO: link to slides)

### Disclaimer

The details and implications presented in this work are the authors’ inferences

and opinions, derived from the research described.  The research is performed

and provided with the goal of identifying and fixing a perceived security

vulnerability on the described CPUs.  VIA processors are renowned for

their low power usage and excellence in embedded designs; we believe that the

functionality described was created in good faith as a useful feature for the

embedded market, and was unintentionally left enabled on some early generations

of the processor.  No malicious intent is implied.

### Author

project:rosenbridge is a research effort from Christopher Domas

([@xoreaxeaxeax](https://twitter.com/xoreaxeaxeax)).