GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs

Conference:  BlackHat USA 2018

2018-08-09

Summary

The speaker discusses their open source tools and techniques for processor security, including a tool called the Collector, which automates the reverse engineering of deeply embedded instruction sets.

  • Speaker has open sourced tools, techniques, code, and data for processor security
  • Collector tool automates reverse engineering of deeply embedded instruction sets
  • Collector identifies basic patterns in state differential records and classifies instructions based on those patterns
  • Collector resolves individual bits in instructions and derives the bit encoding for specific instructions
  • Speaker wrote a complete assembler for a custom assembly language, called the Dice Assembler

The Collector tool is able to automatically derive a bit encoding for specific instructions by identifying patterns in state differential records. The speaker used this tool to build a payload for a deeply embedded core, which included instructions to load the global descriptor table, move data around, load immediate values, and read and write data in memory. They then wrote a complete assembler for this custom assembly language, called the Dice Assembler.

Abstract

Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
