
Researcher Finds A Hidden 'God Mode' on Some Old CPUs (tomshardware.com)

Posted by EditorDavid on Saturday August 11, 2018 @11:34AM from the look-what-I-found dept. "Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU," Tom's Hardware reports, citing a presentation by security researcher Christopher Domas at the Black Hat Briefings conference in Las Vegas. The command -- ".byte 0x0f, 0x3f" in Linux -- "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode." The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes. "We have direct ring 3 to ring 0 hardware privilege escalation," Domas said. "This has never been done.... It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."

The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it's entirely possible that such hidden backdoors exist on many other chipsets. "These black boxes that we're trusting are things that we have no way to look into," he said. "These backdoors probably exist elsewhere." Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. "Some of the VIA C3 x86 processors have God Mode enabled by default," Domas adds. "You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless."


Is it on the die? (Score:3) by BigDukeSix ( 832501 ) on Saturday August 11, 2018 @11:39AM (#57107256) Is the separate RISC core actually on the silicon or just in the patent? Time to get out the fuming sulfuric acid.

Re:Is it on the die? (Score:5, Informative) by dunkelfalke ( 91624 ) on Saturday August 11, 2018 @11:43AM (#57107264) It is real alright. Same with the management engine and the AMD PSP.

"monster" CPU Re:Is it on the die? (Score:1) by davidwr ( 791652 ) I run this [monster6502.com]. No microscope required. :)

Re:Is it on the die? (Score:4, Informative) by sjames ( 1099 ) on Saturday August 11, 2018 @11:59AM (#57107330) If you RTFA you will see that the patent hinted at its presence and then he found it on real hardware by fuzzing.

Re: (Score:2) by Megol ( 3135005 ) A lot of work to find something (partially) documented. Sandpile lists the instruction as ALTINST; the code is documented by VIA as used for testing, with an MSR (Machine Specific Register) bit to enable it. If not enabled I assume it would be treated as an illegal instruction. That some machine with a C3 processor didn't set the correct machine configuration is bad but not the end of the world - just set it correctly in the OS instead.

Re: (Score:2) by jarkus4 ( 1627895 ) And he could have saved a lot of time by reading the manual for the processor, as it's a documented feature (ALTERNATE INSTRUCTION EXECUTION)...

did VIA ever do anything right? (Score:2) by drinkypoo ( 153816 ) Their chipsets have always been hot garbage. Their x86 chips are already dog slow, now this? How was VIA even a thing?

Re:did VIA ever do anything right? (Score:5, Informative) by vadim_t ( 324782 ) on Saturday August 11, 2018 @12:09PM (#57107370) VIA is cheap. Back in the C3 days they had a bit of popularity among the people who wanted a compact server, firewall or media box. Decently fast but cool running CPUs, and good silent fans were all a pretty new development back then, so there wasn't that much choice. So I tried. The Nehemiah CPU was a dog. The network card corrupted some of the outgoing packets, and it was visible by naked eye by just refreshing a page served by the box and seeing how a character was wrong somewhere. Sticking a system in a small box looked pretty, but the tiny fan was noisy as hell, and it killed the hard disk from the overheating after a while. There was some kind of trouble with the power supply. Accounting for the time I spent screwing around with that junk, it would have been far cheaper to just buy a normal board with a normal CPU. With the luck I've had with this specific product line, I'm amazed some of it is still alive today.

Re: (Score:2) by squiggleslash ( 241428 ) I'm not saying the network card might also have had problems, but if you're seeing corrupted characters on a webpage, then that hints at problems beyond the network. Web pages are delivered via TCP, and TCP packets are error checked by the operating system, not the network card.

Not always a bad thing (Score:1) by davidwr ( 791652 ) Ok, this IS always a bad thing for the typical end user, but I can see two real-world use cases:
* For debugging. In this case, the customer wants the feature. For the general case, there are better, safer ways of debugging, but there may be cases where this is preferable.
* Espionage, in which case the real customer - your adversary - wants the feature.
Beyond this, there isn't much point.

Re: (Score:3, Insightful) by mmmVenison ( 5475826 ) I would be surprised if there wasn't a backdoor in any complex system, hardware or software.

Surprise Re:Not always a bad thing (Score:1) by davidwr ( 791652 ) There are plenty of complex systems with no "backdoors." I assume "backdoor" means an intentional feature, not an unintentional security bug. If you meant an unintentional bug, then we agree. I also assume "the complex system" is the part that was built, not the hardware or software levels below "the system." That is, if you claim all complex OSes that are sold independently of hardware have backdoors, you are claiming that these backdoors exist regardless of which hardware they run on, as long as the hard

Re: (Score:1) by mmmVenison ( 5475826 ) I take backdoor to mean an undocumented thing that allows the developers to access something that the end user isn't supposed to be aware of. So by that definition it would be intentional, yes. It may not be malicious in nature, or may even be considered an inside joke or easter egg, or maybe I am paranoid.

Re: Not always a bad thing (Score:1) by Anonymous Coward In tge rwal warld, I like to use a spelings checker and proofs read my grammer before spending. Bekause; A) its a great feature ! 2) its my preferable way to debuggings 4]. It stops tge aversary rite in there tracks!? * More, over its less RISK than x86, AND, an nay SPARK's CPU. ,

Re: (Score:1) by Anonymous Coward You're right, it was part of the debugging core, which is present on most current CISC, RISC and MIPS CPUs. It could be disabled by sending a four byte sequence to the CPU during bootup, mostly done when the BIOS was in control, though it was better to leave it in and have an easy backdoor for when the pebkac. greetings ! and switch

Re: (Score:2) by Rewind ( 138843 ) No, you're looking for IDDQD.

Re: (Score:2) by ArchieBunker ( 132337 ) I don't trust the government to properly fill potholes in the streets let alone have a design review of CPU silicon.

Re: (Score:2) by iggymanz ( 596061 ) riiiight, last I checked the USA government wanted a backdoor in everything because citizens are to be treated like criminals by default.

This has no name and is not supposed to exist ? (Score:5, Informative) by Cochonou ( 576531 ) on Saturday August 11, 2018 @12:02PM (#57107342) From the datasheet itself [chipdb.org]:

ALTERNATE INSTRUCTION EXECUTION

When set to 1, the ALTINST bit in the FCR enables execution of an alternate (not x86) instruction set. While setting this FCR bit is a privileged operation, executing the alternate instructions can be done from any protection level. This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture. For example, in the alternate instruction set, privileged functions can be used from any protection level, memory descriptor checking can be bypassed, and many x86 exceptions such as alignment check can be bypassed. This alternate instruction set is intended for testing, debug, and special application usage. Accordingly, it is not documented for general usage. If you have a justified need for access to these instructions, contact your VIA representative.

The mechanism for initiating execution of this alternate set of instructions is as follows:

1. Set the FCR ALTINST bit to 1 using the WRMSR instruction (this is a privileged instruction). This should be done using a read-modify-write sequence to preserve the values of other FCR bits.
2. The ALTINST bit enables execution of a new x86 jump instruction that starts execution of alternate instructions. This new jump instruction can be executed from any privilege level at any time that ALTINST is 1. The new jump instruction is a two-byte instruction: 0x0F3F. If ALTINST is 0, the execution of 0x0F3F causes an Invalid Instruction exception.
3. When executed, the new 0x0F3F x86 instruction causes a near branch to CS:EAX. That is, the branch function is the same as the existing x86 instruction jmp [eax]. In addition to the branch, the 0x0F3F instruction sets the processor into an internal mode where the target bytes are not interpreted as x86 instructions but rather as alternate instruction set instructions.
4. The alternate instructions fetched following the 0x0F3F branch should be of the form 0x8D8400XXXXXXXX, where 0xXXXXXXXX is the 32-bit alternate instruction. That is, the alternate instructions are presented as the 32-bit displacement of a LEA [EAX+EAX+disp] instruction. This example assumes that the current code segment size is 32 bits; if it is 16 bits, then an address size prefix (0x67) must be placed in front of the LEA opcode.
5. Upon fetching, the LEA “wrapper” is stripped off and the 32-bit alternate instruction contained in the displacement field is executed.
6. The alternate instruction set contains a special branch instruction that returns control to x86 fetch and execute mode. The x86 state upon return is not necessarily what it was when alternate instruction execution was entered, since the alternate instructions can completely modify the x86 state.

While all VIA C3 processors contain this alternate instruction feature, the invocation details (e.g., the 0x8D8400 “prefix”) may be different between processors. Check the appropriate processor datasheet for details.
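An added scanner for the entry sequence the datasheet excerpt describes (example code for triage of binaries aimed at these CPUs; it is not VIA's, Domas' or the commenter's code): it locates the 0x0F3F opcode in a byte buffer and unwraps any LEA-wrapped 32-bit words that follow, in both the 32-bit segment form and the 0x67-prefixed 16-bit form. It assumes the disp32 field is little-endian like any other x86 displacement, and that the wrapped stream sits directly after the opcode, which the datasheet does not require since the branch goes to CS:EAX.

```python
import struct
from typing import List, Tuple

# Constants from the datasheet excerpt above.
ALT_JMP = b"\x0f\x3f"       # the undocumented jump to CS:EAX (needs ALTINST=1)
LEA_WRAP = b"\x8d\x84\x00"  # LEA [EAX+EAX+disp32] wrapper for a 32-bit code segment
ADDR_PREFIX = 0x67          # address-size prefix placed before the LEA in 16-bit code


def unwrap_alt_stream(buf: bytes, pos: int) -> List[int]:
    """Decode consecutive LEA-wrapped alternate words starting at pos.
    Stops at the first bytes that are not a wrapper. Assumption: the disp32
    field is little-endian, as for every other x86 displacement."""
    words = []
    while True:
        if pos < len(buf) and buf[pos] == ADDR_PREFIX:  # 16-bit segment form
            pos += 1
        if buf[pos:pos + 3] != LEA_WRAP or len(buf) < pos + 7:
            break
        words.append(struct.unpack_from("<I", buf, pos + 3)[0])
        pos += 7
    return words


def find_altinst_entries(buf: bytes) -> List[Tuple[int, List[int]]]:
    """Return (offset, wrapped_words) for every 0x0F3F opcode in buf.
    The branch goes to CS:EAX, so the wrapped stream need not sit right after
    the opcode; words found there are a strong hint, and a bare 0x0F3F is
    still worth flagging when triaging code meant for these CPUs."""
    hits = []
    start = 0
    while (i := buf.find(ALT_JMP, start)) != -1:
        hits.append((i, unwrap_alt_stream(buf, i + 2)))
        start = i + 2
    return hits


# Constructed sample: a benign prologue, the entry opcode, two wrapped words
# (placeholder values, not real alternate opcodes), then ordinary x86 bytes.
SAMPLE = (b"\x55\x89\xe5" + ALT_JMP
          + LEA_WRAP + struct.pack("<I", 0x11223344)
          + bytes([ADDR_PREFIX]) + LEA_WRAP + struct.pack("<I", 0xDEADBEEF)
          + b"\x90\xc3")

if __name__ == "__main__":
    for off, words in find_altinst_entries(SAMPLE):
        print(f"0x0F3F at offset {off}: {len(words)} wrapped word(s):",
              ", ".join(f"{w:#010x}" for w in words))
```

Because 0x0F 0x3F can also occur as data or inside another instruction's operands, treat a hit with no wrapped words as a lead to confirm by disassembly rather than a verdict.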

Re: (Score:1) by Anonymous Coward
Espousing a 2003 chip to a backdoor now is useless information.
Not really. That was about the point where CPUs became "good enough" for most non-gaming uses. I am typing this on a 2004 vintage CPU (not a Via though), running a 2018 Linux distro, and it's perfectly fine. There are still many CPUs from that era in active use. Plus, this will let him practice for finding similar issues in more modern CPUs.

I wonder, (Score:2) by ReneR ( 1057034 ) , whether my IDT WinChip 2 is also affected: https://www.youtube.com/watch?... [youtube.com] .o?

you can bet your last dollar (Score:2) by FudRucker ( 866063 ) that they can do that with EVERY CPU built, even modern ones out there today in new desktops & laptops, and tablets & smartphones. They obviously have their own key to open root, but it's still there waiting for the right person to open: people like the NSA and various other high level government goons and spooks, and corporate top dawgs too.

Worse than they let on. (Score:2) by Gravis Zero ( 934156 ) It is thought that only VIA C3 CPUs are affected by this issue. The C-series processors are marketed towards industrial automation, point-of-sale, ATM, and healthcare hardware, as well as a variety of consumer desktop and laptop computers. Forget thin clients, if this shit is (still) controlling SCADA stuff then this is worse than the meltdown vulnerability.
