GOD MODE UNLOCKED: Hardware Backdoors in [redacted] x86 CPUs

Conference: Defcon 26
The presentation discusses the process of reverse engineering a RISC architecture and finding vulnerabilities that allow for privilege escalation.
  • The speaker used fuzzing to gather data on the RISC architecture and found vulnerabilities that allowed for privilege escalation
  • The vulnerabilities allowed for accessing ring zero data from ring three
  • The speaker demonstrated a payload that could elevate the current process to root permissions
  • The process of reverse engineering and finding vulnerabilities was laborious but yielded exciting results

The speaker used a setup of seven systems hooked up to a master system to perform fuzzing tasks and record results for offline analysis. The relays on the systems were used to reboot targets that became corrupted during the process. After collecting 13-15 gigabytes of logs across 2.3 million different state disks for about 4,000 total hours of computer time, the speaker was able to sift through the logs and find vulnerabilities that allowed for privilege escalation.
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.