ugotag.com  
  

Episode Markers
  • 01:06
    #Demo
    Demo of the x86 BOUND instruction operation.
  • 02:40
    #demo of x86 backdoor
    Gonna add one x86 instruction. It's an instruction that's so secure, or so obscure and unknown, it doesn't actually have a name; in fact it's not supposed to exist.
  • 03:33
    #rings of privilege
    With the idea of rings of privilege: so in the beginning, thirty years ago in x86, there was no concept of separation of privileges on the processor. Basically any code running on the processor had the same permissions as any other code.
  • 04:56
    #hypervisor    #ring-1
    We needed something more privileged than ring zero in order to handle that, so we invented the hypervisor, and since it was more privileged than ring zero, colloquially we kind of called that ring -1.
  • 05:07
    #system management mode    #ring-2    #hypervisor management
    There's some things we didn't want the hypervisor to do; we threw all those things into system management mode, and since that was more privileged than the hypervisor, we called that ring -2.
  • 05:16
    #ring-3    #Q35/AMT/ME
    There's this entirely different processor sitting on the platform that can actually do things that the x86 processor can't do, so we started calling that ring -3.
  • 05:49
    #patents
    Sometimes you can find information in patents that you can't find in any other documentation. So given this idea of this privilege model, of these rings of privilege in x86, imagine my surprise while sifting through patents.
  • 06:11
    #x86 backdoor
    "Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, for example allowing ring 0 access at ring 3." (US8341419)
  • 09:09
    #hints from patent
    "Figure 3 shows an embodiment of a cache memory. Referring to figure 3, in one embodiment cache memory 320 is a multi-way cache memory. In another embodiment cache memory 320 comprises multiple physical sections. In one embodiment cache memory 320 is logically divided into multiple sections. In one embodiment cache memory 320 includes four cache ways, i.e. cache way 310, cache way 311, cache way 312 and cache way 314. In one embodiment a processor sequesters one or more cache ways to store or execute processor microcode." (US8296528)
  • 10:09
    #six useful patents
    Six useful patents.
  • 10:26
    #deeply embedded core
    Embedding a non-x86 core alongside their x86 cores in the C3 processor. This non-x86 core was a RISC-type arbiter architecture, and the patents didn't have a consistent term for this, but I started calling this the deeply embedded core.
  • 10:43
    #global configuration register
    The global configuration register is a register that would be exposed to the x86 CPU through a model-specific register, and the patent suggested that this global configuration register could activate the RISC core.
  • 10:55
    #launch instruction
    They also talked about what was called a launch instruction; it would be a new instruction added to the x86 instruction set architecture.
  • 11:47
    #summary of information from patents
    Summary of information from patents.
  • 12:17
    #x86 MSR    #x86 model-specific register
    So just a little bit of background for people not familiar with the idea of MSRs on x86.
  • 14:17
    #enumerating MSRs on CPU
    Basically what you can do is, in a kernel module, set your general protection exception handler to be a specific function under your control; you can use the lidt instruction to reconfigure that exception handler. Then you're going to load an MSR address into the ECX register. So let's say I wanted to figure out: does MSR 1337 exist on this processor? I'll load 1337 into the ECX register, then I'm going to try to read that model-specific register, and then if I don't get a fault, that means that the MSR exists, whether or not the
  • 15:42
    #timing attack on the processor
    Idea for sort of a timing side-channel attack on the processor.
  • 20:21
    #sandsifter
    Developed this tool called sandsifter. So what sandsifter does is it finds an intelligent way to scan through the x86 instruction set; it uses page fault analysis and a depth-first search algorithm to quickly find all the x86 instructions of interest on a processor.
  • 22:57
    #found new x86 instruction    #global configuration register    #launch instruction
    After about a day of scanning, sandsifter finds exactly one new instruction in x86 that was not supposed to be there.
  • 30:08
    #deeply embedded core    #not 30 common architectures
    Quickly ruled out 30 very common RISC architectures for that deeply embedded core.
  • 33:59
    #demo of fuzzer
    What I'm going to do is I'm going to start a fuzzing job on the master. It's going to generate some fuzzing tasks for each of the targets, and once it's done that, it'll start powering up each of these targets one by one, so watch the lights on the relay, and listen.
  • 40:09
    #collector    #reverse engineer unknown instruction set
    Tool for this that I called the collector, and basically what that's going to do is it's going to help us automatically reverse engineer an unknown instruction set.
  • 43:09
    #DEIS assembler
    I decided to go all out and I wrote a complete assembler for this custom assembly language, that they called the DEIS assembler.
  • 44:33
    #revisiting that demo    #demo with details
    Revisiting that demo from the beginning, now that we understand how all the different pieces work.
  • 48:06
    #protections fall apart
    Protections fall apart. Antivirus does nothing now. ASLR, DEP: they're easily circumvented when you can just directly reach into ring 0. Code-signing, control flow integrity, kernel integrity checks don't do anything.
  • 48:23
    #mitigations
    There are mitigations.

GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs

This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors. By Christopher Domas