Abstract
In this paper, we present the security implications of x86 processor bugs or backdoors on operating systems and virtual machine monitors. We will not try to determine whether the backdoor threat is realistic or not, but we will assume that a bug or a backdoor exists and analyze the consequences on systems. We will show how it is possible for an attacker to implement a simple and generic CPU backdoor in order—at some later point in time—to bypass mandatory security mechanisms with very limited initial privileges. We will explain practical difficulties and show proof of concept schemes using a modified Qemu CPU emulator. Backdoors studied in this paper are all usable from the software level without any physical access to the hardware.
Cite this article
Duflot, L. CPU bugs, CPU backdoors and consequences on security. J Comput Virol 5, 91–104 (2009). https://doi.org/10.1007/s11416-008-0109-x
DOI: https://doi.org/10.1007/s11416-008-0109-x