back to article The off-brand 'military-grade' x86 processors, in the library, with the root-granting 'backdoor'

A forgotten family of x86-compatible processors still used in specialist hardware, and touted for "military-grade security features," has a backdoor that malware and rogue users can exploit to completely hijack systems. The vulnerability is hardwired into the silicon of Via Technologies' C3 processors, which hit the market in …

  1. Kev99 Silver badge

    Idiots. A user should be forced to make a physical action to enable special code or processors, not just write 20 lines of C.

    1. Destroy All Monsters Silver badge

      Bullshit. A user is not forced to make a physical action to do a kernel call either.

      A good enough procedure would a kernel parameter that sets the Alternate Instruction Set Allowed bit.

  2. John Savard

    Different Viewpoint

    Since even when the feature is enabled in the BIOS, it can only be used from ring 0 code, it isn't a security flaw that enables entry into the system; it's just a feature that makes it a bit easier to do serious damage (or, more importantly, do it without getting caught) after one is in a position to do nearly everything anyways.

    What bothers me is that this potentially useful feature, because it only allows the use of augmented instruction sets if all security features are turned off, is therefore nearly useless. So firstly it's a waste of silicon; secondly, given that it somewhat weakens security, it definitely shouldn't be there if it isn't there for any sensible reason.

    1. JulieM Silver badge

      Re: Different Viewpoint

      It's not a waste. It would have been insanely useful during design and testing. It could potentially be used for some niche application IRL, and their major customers were specialists. I can see why it made sense as a feature, at least in some circumstances.

      Obviously, like all sharp-edged tools, it also has the potential to be dangerous if misused. It's effectively a Multiface for the PC .....

      1. Anonymous Coward
        Anonymous Coward

        "It would have been insanely useful during"

        Design of testing of what? The silicon itself? No need of such features to design or debug a kernel. They added a feature that fully bypass x86 security. I understand some developers find security features a pain in the ass because they block wrong code, which is exactly the reason they are there.

        And this is not an out-of-band monitor executing fully separated code, you can command it from the same code running on the main CPU. A very bad design. Maybe some very strange and unsecure application may find it useful, but it's still a huge backdoor.

        1. This post has been deleted by its author

        2. Konk

          Re: "It would have been insanely useful during"

          It's not really a backdoor when it's in the documentation for everyone to see and you can turn it off.

          It might be strange but people buying this processor for embedded applications would have had the opportunity to know about it and disable it.

          1. Roland6 Silver badge

            Re: "It would have been insanely useful during"

            >It's not really a backdoor when it's in the documentation for everyone to see and you can turn it off.

            Agree, this does have some parallels with the 'backdoor' that Intel chips possessed, that Joanna Rutkowska exploited with her Blue Pill rootkit.

    2. Pascal Monett Silver badge
      Trollface

      Re: it definitely shouldn't be there if it isn't there for any sensible reason

      But it is there for a sensible reason. It is "intended for testing, debugging, and special applications", special applications meaning TLA access, obviously.

    3. Brewster's Angle Grinder Silver badge

      Re: Different Viewpoint

      Did you read the same article as me? It can only be enabled from ring 0. But, once enabled "...privileged functions can be used from any protection level, memory descriptor checking can be bypassed, and many x86 exceptions such as alignment check can be bypassed."

  3. Jemma

    Wait...

    I thought you just typed 'iddqd' for God mode..

    1. Sgt_Oddball
      Trollface

      Re: Wait...

      I was more a fan of using 'dncornholio' myself

  4. John Smith 19 Gold badge
    FAIL

    Yet Another case of "Security by obscurity"

    That doesn't work.

    And if I'm reading that "Invocation code" right that's 6 hex digits, IE a 24bit binary number.

    Shouldn't be too tough to brute force all of the actual wake up codes in that list.

    A system that grants nearly unlimited access (potentially remotely) to your processors.

    It's not the idea, it's the security chain that should exist around it that prevents the wrong people using it.

    The simplest option is of course, not to have it in the first place.

    1. Ken Hagan Gold badge

      Re: Yet Another case of "Security by obscurity"

      "That doesn't work."

      Well, security by obscurity hardly ever works if you document it, as noted in the Fine Article.

  5. _LC_
    Holmes

    Intel ME, anyone?

    1. phuzz Silver badge

      Well, it's similar, in that it was added to chips as a feature for certain users, but it's very much un-useful for consumers.

      These Via chips weren't intended for home PCs, they were for industrial applications where having a RISC co-processor might have been handy. Intel's ME was designed so that large companies basically had lights-out management on their desktop machines. Both were fine for their intended purpose, but in the case of Intel, they included it in consumer machines for some reason where it was very much not a good thing.

  6. Steve Graham

    I was running a Nehemiah-based system last week! Waiting for a part to arrive for my poorly "home server" (an old Thinkpad) I resurrected an ITX board as a stand-in. It's gone back in the cupboard now, and I don't think I can be bothered to set it up again to try this trick, neat as it is.

  7. arctic_haze
    Black Helicopters

    It's sad

    Real life in the 21th century pushes me to being paranoid after I managed to spend some decades laughing at all the IT conspiracy theories.

  8. EveryTime

    This is a documented feature that should be disabled on systems that don't use it.

    The only obvious bug is that a few deployed systems fail to disable the co-processor feature. That is strictly a software bug, not a processor bug.

    There is a lesson here, but it's not the one publicized. It's very difficult to extend a processor's instruction set with general-purpose programmable feature and retain the original security model.

    The original 8086 had a general co-processor interface. The 8087 floating point co-processor was the only Intel chip that used the interface, and it limited its set of operations to safe ones. But the interface allowed much, much more. At the time, with no protection rings, that wasn't an architectural mistake. As soon as protection was added, allowing a general coprocessor was a Bad Idea.

    Now consider how that lesson applies to FPGA acceleration. That interface design has to be done very carefully.

  9. Irongut
    Thumb Down

    "GOD MODE UNLOCKED: hardware backdoors in some x86 CPUs"

    This kind of sensationalist bullshit is not helping the security industry. Every bug, exploit or malware is publicised as if it is going to cause the end of the world. Any reasonable person reading that tweet would expect the problem to affect chips from Intel and maybe AMD, no one is going to think "you know what I bet this is those chips VIA bought from Cyrix."

    This is why the rest of the world doesn't listen when a real problem is found and thinks OS updates are just a pain in the ass to be avoided if at all possible.

  10. Anonymous Coward
    Anonymous Coward

    Is there any x86 chip that has managment hardware that is not rooted?

    one could almost think it was intentional

  11. agurney

    back to the future

    ...which hit the market in the early to mid-2000s.

    ..so, somewhere between 2000 and 2500 (or 2050)?

  12. HWwiz

    That old classic

    Ahh so its the old classic "Its a documented feature"...

    Which of course is always better than an undocumented feature.

  13. Crisp

    For those who happen to know where a cash machine running a 15-year-old C3 might be found

    This knowledge might be used for endless entertainment purposes.

    1. Anonymous Coward
      Anonymous Coward

      Re: For those who happen to know where a cash machine running a 15-year-old C3 might be found

      Where’s the teenage John Connor when you need him?

      1. _LC_

        Re: For those who happen to know where a cash machine running a 15-year-old C3 might be found

        You mean, the inbreed?

    2. o p

      Re: For those who happen to know where a cash machine running a 15-year-old C3 might be found

      Sonicwall 2040. Still running.

  14. John Savard

    Cluedo

    And, oh, yes, I grasped what the mention of the library in the article was a reference to - although, living in North America, I know the game by Parker Brothers' name of Clue rather than Waddington's original name of Cluedo.

  15. Grimsterise

    As an ex-soldier 'military grade' always amuses. To me and any other ex serviceman it means: 'Crap made by the lowest bidder which will let you down when you really need it'.

    1. PM from Hell
      Mushroom

      It may have been built by the lowest bidder but it was the lowest bidder to offer the MIL spec. I managed a roll out to gas and electricity network engineers, the guys who work on the high tension services and high pressure mains. They could destroy an ordinary laptop in days (being thrown around the van, used in wet conditions etc. The MIL grade laptops we replaced them with were just about indestructible and the guys loved the fact that they were washable. I can appreciate that battlefield use is an order of magnitude more extreme whilst our guys needed a lappy that could be perched on the edge of a trench so they could look at valve diagrams etc, drop it in the trench then carry on, no-one was shooting at them .

      1. tony trolle

        panasonic toughbooks can take a battlefield but a cop can break one in a few months

  16. ganymede io device
    Terminator

    Rise of the centaur

    http://www.cognitivefilms.com/rise-of-the-centaur

  17. BinkyTheMagicPaperclip Silver badge

    Could be really useful in specific circumstances

    If you wanted to reverse engineer software that, for whatever reason, doesn't work in a virtualised (or v86) environment, doesn't have a kernel debugger, but you still have the ability to execute userland code, this could be ideal.

  18. Anonymous Coward
    Anonymous Coward

    This is why we should all avoid the Linux becuase of the problems with the kernel. If we have windows then we don't have to worry about these.

    1. _LC_
      Pint

      http://www.freepressjournal.in/wp-content/uploads/2018/05/dont-drink-and-drive.jpeg

  19. Claptrap314 Silver badge

    Bad idea, done badly.

    This chips dates from the period that I was doing microprocessor validation at AMD and IBM.

    First, such a facility has 0 added value to a competent validation team. All of these chips have a special debug (JTAG) interface that allows direct access to the register file and every level of cache (including otherwise hidden state machines) on the part, plus a few other things. This interface is used to test EVERY chip BEFORE they are cut and placed into the dies. It is again used after they are died. While the chip is still in development, this interface is used to load test code (like the code I wrote) directly into the processor.

    Moreover, the job of the validation team is to test all supported features of the part. The addition of such a facility creates a HUGE space of processor state transitions that have to themselves be tested.

    Yes, exposing the RISC core that is behind every x86 processor since Intel's Pentium (and maybe before) can have tremendous performance benefits for specialized applications. When I was there, I wanted AMD to open up such a facility. I was brushed off by people who knew way, way more than I did about such things. In particular, I did not understand the architecture well enough to instinctively grasp the implications for things like ring-0 verses ring-3. In retrospect, it does not surprise me that the C3 simply bypassed all of that. The facilities would be operating at different levels.

    So, yeah. It's probably with excellent cause that I was brushed off.

  20. Anonymous Coward
    Anonymous Coward

    Not the same

    What Domas has disclosed here are instructions not previously disclosed which allow one to completely bypass all security features within the CPU, to access things normally restricted to RING-0 from RING-3, and in a major way so that all kernel memory could be read, the full CPU state could be altered. It would allow an attacker, for example, to completely take over the CPU and gain access to anything they wished.

    This is a major finding, and one that hints of similar things existing in AMD and Intel, and may be the follow-on of a tweet by Domas last year, one which he never followed-up on, that he had previously found hints of this technology through his sandsifter application back then.

    --

    Rick C. Hodgin

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like