xoreaxeaxeax / rosenbridge Goto Github PK

View Code? Open in Web Editor NEW

2.3K 89.0 227.0 561 KB

Hardware backdoors in some x86 CPUs

License: MIT License

Python 45.06% Makefile 1.11% C 51.36% Assembly 0.98% Shell 1.49%

rosenbridge's Introduction

project:rosenbridge

: hardware backdoors in x86 CPUs

github.com/xoreaxeaxeax/rosenbridge // domas // @xoreaxeaxeax

Overview

project:rosenbridge reveals a hardware backdoor in some desktop, laptop, and embedded x86 processors.

The backdoor allows ring 3 (userland) code to circumvent processor protections to freely read and write ring 0 (kernel) data. While the backdoor is typically disabled (requiring ring 0 execution to enable it), we have found that it is enabled by default on some systems.

This repository contains utilities to check if your processor is affected, close the backdoor if it is present, and the research and tools used to discover and analyze the backdoor.

The Backdoor

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.

Affected Systems

It is thought that only VIA C3 CPUs are affected by this issue. The C-series processors are marketed towards industrial automation, point-of-sale, ATM, and healthcare hardware, as well as a variety of consumer desktop and laptop computers.

Looking Forward

The scope of this vulnerability is limited; generations of CPUs after the C3 no longer contain this feature.

This work is released as a case study and thought experiment, illustrating how backdoors might arise in increasingly complex processors, and how researchers and end-users might identify such features. The tools and research offered here provide the starting point for ever-deeper processor vulnerability research.

Checking your CPU

To check if your CPU is affected:

git clone https://github.com/xoreaxeaxeax/rosenbridge
cd rosenbridge/util
make
sudo modprobe msr
sudo ./bin/check

The provided utility must be run on baremetal (not in a virtual-machine), and is in an alpha state. It may crash, panic, or hang systems not containing the backdoor.

The utilities provided here are designed around a specific processor family and core; unfortunately, the tools will miss the backdoor if it has been even slightly modified from the researched form.

Closing the Backdoor

Some systems have the backdoor enabled by default, allowing unprivileged code to gain kernel level access without permission. If the steps in 'Checking your CPU' indicate that your CPU is vulnerable, you can install a script to close the backdoor early in the boot process:

cd fix
make
sudo make install
reboot

Note that, even with this, an attacker with kernel level access can still re-enable the backdoor. This script is provided as an outline for correcting the issue during the boot process, but will require adaptation for different systems.

Tools and Techniques

The sandsifter utility is used extensively in this research for uncovering unknown instructions.

asm

An assembler for the Deeply Embedded Instruction Set (DEIS). It converts programs written in the custom rosenbridge assembly into x86 instructions, which, when executed following the launch-instruction, will send the commands to the hidden CPU core.
esc

A proof-of-concept of using the rosenbridge backdoor for privilege escalation.
fix

A rough outline for closing the vulnerability on affected systems, to the extent possible through model-specific-register updates.
fuzz

A collection of utilities used to fuzz both the x86 and rosenbridge cores, in order to isolate the unknown launch-instruction and bridge-instruction, and resolve the instruction format of the rosenbridge core.
- deis
  
  The fuzzer used to explore the effects and capabilities of the hidden CPU core.
- exit
  
  It is thought that, on some processors, an exit sequence is needed to switch back to the x86 core at the end of a DEIS sequence. This directory contains the utilities used to search for the exit sequence in early stages of the research, but was abandoned when a processor was found not requiring any such sequence.
- manager
  
  A collection of python utilities designed to monitor and manage fuzzing tasks distributed across a network of workers.
- wrap
  
  A stripped down version of the sandsifter fuzzer, used to identify the bridge-instruction that will send commands from the x86 core to the hidden rosenbridge core.
kern

A collection of helper utilities used to monitor kernel memory and registers for changes caused by fuzzed DEIS instructions.
lock

Utilities to lock or unlock the rosenbridge backdoor.
proc

A tool to identify patterns from the fuzzing logs to identify classes of DEIS instruction behaviors.
test

A tool used early in the research, to attempt to identify the hidden core's architecture by executing known RISC instructions.
util

An alpha-state tool to detect whether or not a processor is affected by rosenbridge.

References

(TODO: link to whitepaper)

(TODO: link to slides)

Disclaimer

The details and implications presented in this work are the authors’ inferences and opinions, derived from the research described. The research is performed and provided with the goal of identifying and fixing a perceived security vulnerability on the described CPUs. VIA processors are renowned for their low power usage and excellence in embedded designs; we believe that the functionality described was created in good faith as a useful feature for the embedded market, and was unintentionally left enabled on some early generations of the processor. No malicious intent is implied.

Author

project:rosenbridge is a research effort from Christopher Domas (@xoreaxeaxeax).

rosenbridge's People

Contributors

Stargazers

Watchers

Forkers

sgnls olivierh59500 xeddmc gavz ezneh cxz cephurs baakka jwilk-forks c0dak fatgrass edrolo-paulm denisse-dev nguyendat qwexvf nang01t2 howknows self20 johnjohnsp1 dothanthitiendiettiende nullart2 rholais raminfp p0prxx neichen yourmoonlight secureplanet07 niksonx ritter0715 mewbak seabreg datenwolf cryptonic01 d-ned 0x6b386f totoroha colinianking oneiroi op-bb pianomanx daliandragon intfrr superdong0 techlord-rce fingerleakers sigma-random wanghusheng marcogomex norcimo5 4144 u20024804 codeinearts hmahal security-geeks xet7 fkhadra pigletgo linecode mpujari snakewarhead f0829 infernalheaven mehrdad-shokri akpotter joncampbell123 benaryorg sharpsho0ter nanangarsyad shalekesan omensec locussam shaunstanislauslau sayers522 ikarius6 thinkreed renhua destinyd vadmus cpkt9762 larrycameron80 cheftimothyng yanbf188 taohexx r0ug3 midhlajvs gridl wlad-tk rhalp10 zenzue dstrbad webmalex tjwallas jdiazmx oxoocoffee coolboy4me sftwrngnr kevin2k16 kirilldanshin lager1 wuyohee2004

rosenbridge's Issues

How was the rosenbridge coprocessor, and its instruction set, discovered?

I think this is the penultimate question on everyone's minds right now.

Okay, so sandsifter did the heavy lifting; but that just firehoses random instructions at the CPU and looks for interesting results. That sounds like it would generate a nontrivial amount of noise - not so much so as to make the whole process overly tedious or simply unviable, but enough that skill and experience would be paramount to figure out what's worth following up on and what can be safely discarded.

But sandsifter just deals in discovery, and (in this case) to a very rudimentary extent - sandsifter was designed to find oddness in x86 CPUs, not entirely new processor architectures!

I am very interested to find out how you went from "hmm, that's weird" to pinpointing/establishing the very existence of the coprocessor, to identifying 21 of its instructions - and the x86 wrappings!

Also, in the same way a fighter pilot might share how to start up and fly an F-18, would you mind sharing how work on the assembler could be furthered by anyone with a VIA C3 who's interested in playing with this beyond going "huh, it's vulnerable"?

Please tell us that research papers and/or in-depth blog posts are in the pipeline. :)

And thanks, too. This is really awesome. ME, eat your heart out.

Assembler message on Ubuntu 18.04

I get the error after this gcc demo.c -o demo

demo.c:11: Error: `bound' is not supported in 64-bit mode

Linker fails on Ubuntu 18.04

mkdir -p bin
gcc check.c -o ./bin/check
/usr/bin/x86_64-linux-gnu-ld: /tmp/ccvtUcwF.o: relocation R_X86_64_32 against `.text' can not be  used when making a PIE object; recompile with -fPIC
/usr/bin/x86_64-linux-gnu-ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:4: recipe for target 'bin/check' failed
make: *** [bin/check] Error 1

check.c doesn't compile on mac

Not sure if this is something by design.

Testing on a macOS 10.13.3.

fatal error: 'bits/libc-header-start.h' file not found - on ide.CS50.com

Hello. I learn CS50 course and have one problem with compiling some program on web-server ide.CS50.com
I think, that I'm trying to compile 32-bit program on 64-bit machine.
I'm trying every solution that I can found:

Added -m32 in every line of make file.
Checked tab-symbols in every line of make file.
Tryed to install "sudo apt-get install gcc-multilib g++-multilib", "sudo apt-get install gcc-multilib" and "sudo apt install libc6-dev-i386" but saw the massage with "Failed to fetch".

Please, help.

Fails to compile on GCC 7.3.0 (Ubuntu)

There's some issues trying to compile:

$ LC_ALL=C gcc -O0 -fPIC --save-temps check.c -o bin/check
/usr/bin/x86_64-linux-gnu-ld: check.o: relocation R_X86_64_32 against `.text' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/x86_64-linux-gnu-ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status

Compiler used.

$ LC_ALL=C gcc --version
gcc (Ubuntu 7.3.0-16ubuntu3) 7.3.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

gcc: recompile with fPIC

When I run cd rosenbridge/util && make on Arch I get the following error:

mkdir -p bin
gcc check.c -o ./bin/check
/usr/bin/ld: /tmp/ccWOkfZ4.o: relocation R_X86_64_32 against `.text' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/ld: final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status
make: *** [Makefile:5: bin/check] Error 1

I tried adding -fPIC to gcc in the makefile but I get the same result.

doug@doug-dt:~/code/cpufuzz/rosenbridge/util$ make CFLAGS=-mcmodel=small\ -fno-pic\ -fno-PIC\ -fno-pie\ -fno-PIE
mkdir -p bin
gcc check.c -o ./bin/check
/usr/bin/x86_64-linux-gnu-ld: /tmp/cc3CVzsx.o: relocation R_X86_64_32 against `.text' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/x86_64-linux-gnu-ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:4: recipe for target 'bin/check' failed
make: *** [bin/check] Error 1

> make
mkdir -p bin
gcc check.c -o ./bin/check
/usr/bin/x86_64-linux-gnu-ld: /tmp/ccceCtgC.o: relocation R_X86_64_32 against `.text' can not be used when making a PIE object; recompile with -fPIC
/usr/bin/x86_64-linux-gnu-ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
Makefile:4: recipe for target 'bin/check' failed
make: *** [bin/check] Error 1

Environment details:

> lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.1 LTS
Release:	18.04
Codename:	bionic

> uname -a
Linux antrix.scaleninja.com 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

> cpuinfo:
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Intel(R) Xeon(R) CPU E3-1505M v5 @ 2.80GHz
stepping	: 3
microcode	: 0xc6
cpu MHz		: 800.042
cache size	: 8192 KB
physical id	: 0
siblings	: 8
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 22
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp flush_l1d
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
bogomips	: 5616.00
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:

project nightshyft link at end of white paper is down

link to whitepaper got from there https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194 , last page reference #11 is down