VIA C3 CPU

At the Black Hat 2018 and DEF CON 26 security conferences held in Las Vegas last week, a security researcher detailed a backdoor mechanism in x86-based VIA C3 processors, a CPU family produced and sold between 2001 and 2003 by Taiwan-based VIA Technologies Inc.

The affected CPU family was designed with PC use in mind but was more widely known for being deployed with point-of-sale units, smart kiosks, ATMs, gaming rigs, healthcare devices, and industrial automation equipment.

The Rosenbridge backdoor mechanism

Christopher Domas, a well-known hardware security expert, says that VIA C3 x86-based CPUs contain what he referred to as a "hidden God mode" that lets an attacker elevate the execution level of malicious code from kernel ring 3 (user mode) to kernel ring 0 (OS kernel). See here about CPU protection rings.

Domas says that this backdoor mechanism —which he named Rosenbridge— is a RISC (Reduced Instruction Set Computer) co-processor that sits alongside the main C3 processor.

The researcher says that by using a launch-instruction (.byte 0x0f, 0x3f) he can flip a register control bit that enables this additional coprocessor, which he argues doesn't benefit from the same security protections the main C3 chipset.

Any instructions sent to this additional coprocessor are all run under ring 0, and not under the normal ring 3 level.

Rosenbridge GIF

Domas says he identified this "hidden God mode" feature in VIA C3 Nehemiah chips, but he says all other C3 chipsets are bound to feature a similar mechanism.

The expert says he discovered the Rosenbridge backdoor system while sifting through patents. In his DEF CON slides, the researcher lists US8341419, US8880851, US9292470, US9317301, US9043580, US9141389, and US9146742.

But is it really a "backdoor?"

But on social media sites such as Twitter and Reddit, several other hardware experts have disputed Domas' findings, saying that Rosenbridge may not be an actual backdoor, as it's been first referenced in official VIA documentation since September 2004.

According to this document (page 82), the hidden RISC coprocessor's purpose is to provide an "alternate instruction set" that offers hardware vendors (OEMs) more control over the CPU.

"This alternate instruction set includes an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms over the x86 instruction architecture," the document reads.

The VIA document also mentions that the additional instruction set is specifically meant for testing, debugging, or other special conditions, hence the reason it is not "documented for general usage."

Rosenbridge difficult to exploit, but is sometimes enabled by default

The good news is that this controversial "backdoor" —as Domas explains himself— "should require kernel level access to activate."

Nevertheless, Domas also points out that the Rosenbridge backdoor mechanism "has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel" without any prior exploitation. In these scenarios, the attacker only needs to send the specially-crafted instructions to the additional RISC processors, which will be ready to read and execute them.

The expert released a GitHub repository containing tools to identify if VIA C3 x86 CPUs contain the Rosenbridge "backdoor" mechanism, and close it to prevent any possible intentional or accidental exploitation. More details about the Rosenbbridge research can be found in Domas' DEF CON presentation.

The VIA C3 research is not Domas' first brush with x86 chipset security. Three years ago, at the Black Hat 2015 security conference, Domas also detailed a similar method of elevating the execution level of malicious code inside x86 CPUs via the System Management Mode (SMM) feature. He said Intel and AMD x86-based processors were affected.

Image credits: Wikimedia Foundation

Related Articles:

Researchers Disclose New Foreshadow (L1TF) Vulnerabilities Affecting Intel CPUs

New NetSpectre Attack Can Steal CPU Secrets via Network Connections

Researchers Detail New CPU Side-Channel Attack Named SpectreRSB

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed

Academics Announce New Protections Against Spectre and Rowhammer Attacks