rosenbridge: Hardware backdoors in some x86 CPUs

rosenbridge

Overview

project:rosenbridge reveals a hardware backdoor in some desktop, laptop, and embedded x86 processors.

The backdoor allows ring 3 (userland) code to circumvent processor protections to freely read and write ring 0 (kernel) data. While the backdoor is typically disabled (requiring ring 0 execution to enable it), we have found that it is enabled by default on some systems.

This repository contains utilities to check if your processor is affected, close the backdoor if it is present, and the research and tools used to discover and analyze the backdoor.

The Backdoor

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the ‘deeply embedded instruction set’), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

Affected Systems

It is thought that only VIA C3 CPUs are affected by this issue. The C-series processors are marketed towards industrial automation, point-of-sale, ATM, and healthcare hardware, as well as a variety of consumer desktop and laptop computers.

Looking Forward

The scope of this vulnerability is limited; generations of CPUs after the C3 no longer contain this feature.

This work is released as a case study and thought experiment, illustrating how backdoors might arise in increasingly complex processors, and how researchers and end-users might identify such features. The tools and research offered here provide the starting point for ever-deeper processor vulnerability research.

Checking your CPU

To check if your CPU is affected:

git clone https://github.com/xoreaxeaxeax/rosenbridge

cd rosenbridge/util

make

sudo modprobe msr

sudo ./bin/check

The provided utility must be run on baremetal (not in a virtual machine) and is in an alpha state. It may crash, panic, or hang systems not containing the backdoor.

The utilities provided here are designed around a specific processor family and core; unfortunately, the tools will miss the backdoor if it has been even slightly modified from the researched form.

Closing the Backdoor

Some systems have the backdoor enabled by default, allowing unprivileged code to gain kernel-level access without permission. If the steps in ‘Checking your CPU’ indicate that your CPU is vulnerable, you can install a script to close the backdoor early in the boot process:

cd fix

make

sudo make install

reboot

Note that, even with this, an attacker with kernel level access can still re-enable the backdoor. This script is provided as an outline for correcting the issue during the boot process but will require adaptation for different systems.

Copyright (c) 2018 Christopher Domas
Source: https://github.com/xoreaxeaxeax/