Backdoor Mechanism Discovered in VIA C3 x86 Processors

[Image: VIA_C3.jpg]

At the Black Hat 2018 and DEF CON 26 security conferences held in Las Vegas last week, a security researcher detailed a backdoor mechanism in x86-based VIA C3 processors, a CPU family produced and sold between 2001 and 2003 by Taiwan-based VIA Technologies Inc.
The affected CPU family was designed with PC use in mind but was more widely known for being deployed with point-of-sale units, smart kiosks, ATMs, gaming rigs, healthcare devices, and industrial automation equipment.

The Rosenbridge backdoor mechanism

Christopher Domas, a well-known hardware security expert, says that VIA C3 x86-based CPUs contain what he referred to as a "hidden God mode" that lets an attacker elevate the execution level of malicious code from protection ring 3 (user mode) to ring 0 (OS kernel). See here for background on CPU protection rings.
Domas says that this backdoor mechanism —which he named Rosenbridge— is a RISC (Reduced Instruction Set Computer) co-processor that sits alongside the main C3 processor.
The researcher says that by using a launch instruction (.byte 0x0f, 0x3f) he can flip a register control bit that enables this additional coprocessor, which he argues doesn't benefit from the same security protections as the main C3 processor.
Any instructions sent to this additional coprocessor are all run under ring 0, and not under the normal ring 3 level.

[Image: rosenbridge.gif]

Domas says he identified this "hidden God mode" feature in VIA C3 Nehemiah chips, but he says all other C3 chipsets are bound to feature a similar mechanism.
The expert says he discovered the Rosenbridge backdoor system while sifting through patents. In his DEF CON slides, the researcher lists US8341419, US8880851, US9292470, US9317301, US9043580, US9141389, and US9146742.

But is it really a "backdoor?"

But on social media sites such as Twitter and Reddit, several other hardware experts have disputed Domas' findings, saying that Rosenbridge may not be an actual backdoor, because it has appeared in official VIA documentation since September 2004.
According to this document (page 82), the hidden RISC coprocessor's purpose is to provide an "alternate instruction set" that offers hardware vendors (OEMs) more control over the CPU.
"This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture," the document reads.
The VIA document also mentions that the additional instruction set is specifically meant for testing, debugging, or other special conditions, hence the reason it is not "documented for general usage."

Rosenbridge difficult to exploit, but is sometimes enabled by default

The good news is that this controversial "backdoor" —as Domas explains himself— "should require kernel level access to activate."
Nevertheless, Domas also points out that the Rosenbridge backdoor mechanism "has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel" without any prior exploitation. In these scenarios, the attacker only needs to send the specially crafted instructions to the additional RISC processor, which will be ready to read and execute them.
The expert released a GitHub repository containing tools to identify if VIA C3 x86 CPUs contain the Rosenbridge "backdoor" mechanism, and to close it to prevent any possible intentional or accidental exploitation. More details about the Rosenbridge research can be found in Domas' DEF CON presentation.
The VIA C3 research is not Domas' first brush with x86 chipset security. Three years ago, at the Black Hat 2015 security conference, Domas also detailed a similar method of elevating the execution level of malicious code inside x86 CPUs via the System Management Mode (SMM) feature. He said Intel and AMD x86-based processors were affected.
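As an added example (not code from the article or from Domas' repository), a small inventory check in C that flags VIA C3 Nehemiah cores from /proc/cpuinfo-style text, so an operator can find the hosts on which the control bit is worth inspecting with Domas' tools. The vendor string "CentaurHauls" and family 6 / model 9 for Nehemiah are assumptions taken from public CPUID documentation, not from the article.

```c
/* Added example, not from the article or Domas' tools. Assumed, not from the
 * article: VIA's CPUID vendor string is "CentaurHauls"; Nehemiah is family 6, model 9. */
#include <stdlib.h>
#include <string.h>

#define VIA_VENDOR     "CentaurHauls"
#define C3_FAMILY      6
#define NEHEMIAH_MODEL 9

/* Copy the value of a "key<spaces>: value" cpuinfo line into out.
 * The ':' must follow the key directly so "model" does not match "model name". */
static int field(const char *text, const char *key, char *out, size_t n) {
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        const char *end = strchr(line, '\n');
        const char *stop = end ? end : line + strlen(line);
        if ((size_t)(stop - line) > klen && strncmp(line, key, klen) == 0) {
            const char *q = line + klen;
            while (q < stop && (*q == ' ' || *q == '\t')) q++;
            if (q < stop && *q == ':') {
                for (q++; q < stop && (*q == ' ' || *q == '\t'); q++) ;
                size_t vlen = (size_t)(stop - q); if (vlen >= n) vlen = n - 1;
                memcpy(out, q, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* 1 = C3 Nehemiah core, 0 = some other CPU, -1 = text lacks the needed fields. */
int is_c3_nehemiah(const char *cpuinfo) {
    char vendor[32], fam[16], mod[16];
    if (!field(cpuinfo, "vendor_id", vendor, sizeof vendor) ||
        !field(cpuinfo, "cpu family", fam, sizeof fam) ||
        !field(cpuinfo, "model", mod, sizeof mod))
        return -1;
    return strcmp(vendor, VIA_VENDOR) == 0 &&
           atoi(fam) == C3_FAMILY && atoi(mod) == NEHEMIAH_MODEL;
}

/* Constructed samples in /proc/cpuinfo layout, not real captures. */
const char SAMPLE_NEHEMIAH[] = "processor\t: 0\nvendor_id\t: CentaurHauls\n"
    "cpu family\t: 6\nmodel\t\t: 9\nmodel name\t: VIA Nehemiah\n";
const char SAMPLE_OTHER[] = "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\nmodel\t\t: 142\nmodel name\t: Intel(R) Core(TM)\n";
```

On a real host, read /proc/cpuinfo into a buffer and pass it to is_c3_nehemiah; a result of 1 only marks the part as the one Domas tested, it does not tell whether the coprocessor's control bit is currently set.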



[-] The following 1 user says Thank You to WALLONN7 for this post:
  • nodnar
Talk about a blast from the past. I ran a Cyrix chip back in the 90s. It amazes me that there are still people out there trying to exploit old, unpopular hardware.
[-] The following 1 user says Thank You to aemalakai for this post:
  • nodnar
Wouldn't updating the processor system software or the like fix such problems? Forgive me if I am wrong, I have not dealt with processors.
What amazes me more is why so-called security crooks who need to go public with very-hard-to-implement hardware flaws decide to do it at all;
Meltdown & Spectre spring to mind here; after all the panic it caused, it would have been more appropriate if those crooks
had codenamed it [another disease of their crooked minds; give it a code name] Laurel & Hardy. For what actually happened in the wild?
Sweet Fanny Adams. I am afraid that so-called backdoor will turn out to be the same. We will see; just follow the money.
And I also wonder why this particular fool had to think of a charming codename like that.
The moron who came up with Plundervolt comes to mind.
I bought a *fanless* i5 Surface Pro 7 specifically to run undervolted, the reasons for which are many for a notebook designed like this.
It can't anymore, or ever again. Because of a stupid exploit some guy "discovered" that is practically impossible. Forever annoyed at that.
[-] The following 1 user says Thank You to Wiz for this post:
  • nodnar
Even though it is for an old CPU, in many cases it can still be relevant.
As mentioned in the article, a similar 'vulnerability' could exist in newer similar CPUs,
and legacy systems tend to use old hardware.
More often than not, legacy systems are just working fine and too expensive to upgrade/replace.
