This is about ancient VIA C3 CPUs processors - not your modern Intel/AMD. This isn't to say backdoors are implausible on modern processors (vulnerabilities in Intel ME/AMD PSP come to mind), but I would like to see some hard evidence before we panic and freak out. For now, "God Mode on x86 Processors" isn't something I will be losing sleep over, but I will cry about it into my beer ...
AMD's Geode LX SoC won't ship its last order until this year, 2019. The Geode line predates the C3, and the Geode LX is just as old as the C3. I can't confirm when the C3 stopped shipping, but it was probably this decade.
As for microcode vulnerabilities, don't be surprised if they start coming down the pipeline. It was only recently that researchers figured out (publicly, at least) how to hack and upload microcode on Intel chips: https://media.ccc.de/v/34c3-9058-everything_you_want_to_know...
Even more, this isn't even a backdoor. It's in the official documentation since at least 2004. [0]
> This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture.
> This alternate instruction set is intended for testing, debug, and special application usage. Accordingly, it
is not documented for general usage. If you have a justified need for access to these instructions, contact
your VIA representative.
It then goes on to explain in detail the mechanism for initiating execution of this alternate set of instructions. So while I am sure the researchers put plenty of work in this it seems reading the manual helped a lot more than one would expect for a "backdoor"...
Plus this isn't as undocumented as he would have you believe. .. I can't find it now, but I had a thread somewhere about how easy it was to find the PDF with the specific commands he had to reverse engineer; documented in published VIA specs.
One of the interesting things that article points out is that apparently Windows automatically disables this feature on boot, so it's not going to be exploitable on most Windows systems.
It seems naive to me to believe that there aren't backdoors in AMD and Intel processors. Intelligence agencies have done far worse in our history than backdooring some electronic components. I'm not so sure why this is so unlikely, especially after the Snowden leaks showing us how far agencies like the NSA are willing to go.
I see someone found this. kudos op.
The most important takeaway from this is the practice of instruction set walking. The method has wide utility. All digital devices on the mobo can be probed with similar methods, this includes but is not limited to memory controllers bus controllers harddrive controllers, basically any embedded or integrated device. This is all about showing you how to get your foot in the door for a wild ride into low level hardware reversing. my favorite sport.
I guess,it's maybe because VIA's CPU is translate x86 instruction to RISC.So there is not hide RISC core,the core is RISC core,it can be configure to x86 mode,and this guy find the hidden op code to switch the two.
What motivates a person to give a talk like this at Blackhat? A method to compromise cpus by feeding them secret instructions seems like trouble the world doesn't need. Sure, he's only focused on an outdated system, but he's shown how to do it, and even gives away the tool. Is it like making smallpox virus available, so it can be studied? But how can hardware designers make any system safe from such tenacious probing? Imagine how different the world would be if there was no threat of exploitation.
it is sort of assumed that such back doors already exist, but only the big players (NSA, et al) have access. This (and talks like this in general) aren't to let others know about this so they can own people, it's to empower the more regular people to be able to catch these backdoors and better choose which companies we support with our wallets
https://en.wikipedia.org/wiki/VIA_C3