CPU bugs, CPU backdoors and consequences on security

  • Original Paper
Journal in Computer Virology

Abstract

In this paper, we present the security implications of x86 processor bugs or backdoors on operating systems and virtual machine monitors. We will not try to determine whether the backdoor threat is realistic or not, but we will assume that a bug or a backdoor exists and analyze the consequences on systems. We will show how it is possible for an attacker to implement a simple and generic CPU backdoor in order—at some later point in time—to bypass mandatory security mechanisms with very limited initial privileges. We will explain practical difficulties and show proof of concept schemes using a modified Qemu CPU emulator. Backdoors studied in this paper are all usable from the software level without any physical access to the hardware.

Author information

Correspondence to Loïc Duflot.

Cite this article

Duflot, L. CPU bugs, CPU backdoors and consequences on security. J Comput Virol 5, 91–104 (2009). https://doi.org/10.1007/s11416-008-0109-x

  • DOI: https://doi.org/10.1007/s11416-008-0109-x
