20180904
https://www.youtube.com/watch?v=_eSAF_qT_FY
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Black Hat USA 2018
Published on Aug 28, 2018

This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

By Christopher Domas
Full Abstract & Presentation Materials: https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194

Another version of his talk, with _much_ better audio...
https://www.youtube.com/watch?v=jmTwlEh8L7g
DEF CON 26 - Christopher Domas - GOD MODE UNLOCKED Hardware Backdoors in redacted x86
Oct 23, 2018, DEFCON Conference

Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

posted http://www.eevblog.com/forum/chat/deliberate-hardware-backdoor%28s%29-in-x86-cpus/

https://www.youtube.com/watch?v=_eSAF_qT_FY
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Black Hat USA 2018
Published on Aug 28, 2018

His method of finding this is awesome. The implications... urrgh.

Oh well, I already knew Wintel machines cannot be trusted.

Interesting that the NSA malware toolkit leaked in 2016 didn't (so far as I know) have any reference to this stuff. Which means it was probably a limited hangout.
SMM, IME (running a modified MINIX OS, always-on, with a TCP/IP stack), and now this. A kind of system 'bug' that's best fixed with baseball bats.

--------
20180906
http://www.eevblog.com/forum/chat/deliberate-hardware-backdoor(s)-in-x86-cpus/msg1802450/#msg1802450

This one is going to be fascinating to watch.

One aspect will be the fallout as everyone with any interest in computer security uses the tools now available, to probe for deeply embedded RISC backdoor engines in their own x86 machines.

Another aspect is the interesting spread of reactions, among those who hear of it. "Too boring" and "it's not relevant to me" forms of denial even here in a tech-forum...

He's shown an absolutely indisputable total circumvention of ALL security protections, deliberately and secretly built into the processor core of at least one x86 CPU. And released the tools for others to investigate/exploit the hole in any x86 system.

Whether this exists in most or all recent/current x86 variants, remains to be proven. (But now soon will be, given the tools released.) I'm guessing it will turn out to be all of them, and 'parties who need this feature and were given the details' will include the three letter agencies.

I wonder if this is documented in the Intel Gray Books, or if it's even more secret than those?

Another detail to be determined - everyone is assuming the 'god mode bit' is only set or cleared by BIOS at startup. I'd lay a bet it turns out that Windows has a 'hidden feature' to enable it in response to some innocent-looking external communication event. I'd also not be surprised if 'GOD remote enable' turns out to have been slipped into Linux somewhere as well. Or BIOSs always turning it on if the OS being booted is Linux.

----------------------------------------------------
20190511
http://www.eevblog.com/forum/chat/is-intels-management-engine-something-to-worry-about/msg2403201/#msg2403201

Intel happily does what the intelligence agencies want. So does Microsoft.
You can absolutely bank on it that all modern Wintel PCs are entirely open to government access, via multiple channels.

SMM. System Management Mode.
Many years ago a friend of mine (since deceased) and I had a CPU emulator for Pentium One CPUs. Plug its pod into a PC motherboard's CPU socket, and it could see _everything_ going on. We tried it in a standard Windows machine. Very curious! We found the CPU spent about 20% of its time running SMM code. Kicked off via a regular NMI. We didn't have a SMM code disassembler, so couldn't tell what it was doing. System and user code have NO WAY to detect the occurrence of SMM execution - it's just like 'vanished time'.

So we cut the track on the motherboard that was passing the NMIs to the CPU. No more SMM code. And the PC still worked exactly as before. I think that was the point at which I started to get seriously paranoid about the PC architecture.

IME. Intel Management Engine. A feature added after SMM.
Yes, it's impossible to trust a machine that has a ME running. Yes, it runs MINIX, complete with a TCP/IP stack, and it is always running so long as the PC has power. It has total access to all hardware and memory, i.e. higher than ring zero authority. Incidentally there's some question that MINIX version may be unauthorized, i.e. Intel stole it contrary to Tanenbaum's release terms.

But there's an even deeper level of hardware backdoor built into modern Intel CPUs. One so obfuscated and obviously treacherous, it buries any notion that Intel is your friend. See this:

https://www.youtube.com/watch?v=_eSAF_qT_FY
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
Black Hat USA 2018, Published on Aug 28, 2018
This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible.
While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
By Christopher Domas
Full Abstract & Presentation Materials: https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194

Previously mentioned here: http://www.eevblog.com/forum/chat/deliberate-hardware-backdoor%28s%29-in-x86-cpus/

I should also mention the Intel yellow and gray books again. Later, got to go now.

==================================
20210305
https://www.youtube.com/watch?v=LoTx9LQIKEA
Intel - From Inventors of the CPU to Laughing Stock [Part 2]
https://www.youtube.com/watch?v=LoTx9LQIKEA&lc=UgycbZgBqMsu3tB21z94AaABAg

Intel DELIBERATELY builds spy agency backdoors into their CPUs. And have been caught doing it, so now all security researchers know Intel CPUs can never be trusted. For eg:
https://www.youtube.com/watch?v=jmTwlEh8L7g
DEF CON 26 - Christopher Domas - GOD MODE UNLOCKED Hardware Backdoors in redacted x86

This is why Intel persists in using their own chip factories. They cannot simultaneously build in CPU backdoors, and expose their designs to external chip fabs (that don't work for the US gov.)

Summary: Intel is f*cked.