CPU bugs, CPU backdoors and consequences on security

Duflot, Loïc

doi:10.1007/s11416-008-0109-x

Cited by 13 publications

(8 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Existing work on processor bugs as security vulnerabilities takes the approach of finding a single processor bug and realizing a usable software-level attack with that bug as a foothold [3,11,12,23]. While this level of analysis highlights the threat of a specific security-critical processor bug, it does not give an idea of how pervasive security-critical bugs are, their range of effects, or what they have in common.…”

Section: Security-critical Erratamentioning

confidence: 99%

“…11 Jump and link instructions store the address of the instruction immediately following the delay slot instruction to the link register (LR). 12 The reserved bits of a given instruction are set to 0 for each instruction encoding class 13 The address of the current instruction is the address of the previous instruction plus four. This invariant is a building block used to trigger other invariants that verify control flow discontinuities.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Specs

Hicks

Sturton

King

et al. 2015

Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

Processor implementation errata remain a problem, and worse, a subset of these bugs are security-critical. We classified 7 years of errata from recent commercial processors to understand the magnitude and severity of this problem, and found that of 301 errata analyzed, 28 are security-critical.We propose the SECURITY-CRITICAL PROCESSOR ER-RATA CATCHING SYSTEM (SPECS) as a low-overhead solution to this problem. SPECS employs a dynamic verification strategy that is made lightweight by limiting protection to only security-critical processor state. As a proof-ofconcept, we implement a hardware prototype of SPECS in an open source processor. Using this prototype, we evaluate SPECS against a set of 14 bugs inspired by the types of security-critical errata we discovered in the classification phase. The evaluation shows that SPECS is 86% effective as a defense when deployed using only ISA-level state; incurs less than 5% area and power overhead; and has no software run-time overhead.

show abstract

Section: Security-critical Erratamentioning

confidence: 99%

mentioning

confidence: 99%

Specs

Hicks

Sturton

King

et al. 2015

Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems

View full text Add to dashboard Cite

show abstract

“…Over the last few years, the security community has mainly focused on backdoors in integrated circuits and ways to detect or implement such hardware backdoors [6,19,21,24,33,34,36]. Furthermore, several backdoors in different components of a computer such as network cards [32] or directly in the CPU [14] were proposed. Our approach is orthogonal to such work since we focus on the detection of backdoors on the binary level, an area that has received almost no attention so far.…”

Section: Related Workmentioning

confidence: 99%

Towards reducing the attack surface of software backdoors

Schuster

Holz

2013

Proceedings of the 2013 ACM SIGSAC Conference on Computer &Amp; Communications Security - CCS '13

View full text Add to dashboard Cite

Backdoors in software systems probably exist since the very first access control mechanisms were implemented and they are a well-known security problem. Despite a wave of public discoveries of such backdoors over the last few years, this threat has only rarely been tackled so far.In this paper, we present an approach to reduce the attack surface for this kind of attacks and we strive for an automated identification and elimination of backdoors in binary applications. We limit our focus on the examination of server applications within a client-server model. At the core, we apply variations of the delta debugging technique and introduce several novel heuristics for the identification of those regions in binary application that backdoors are typically installed in (i.e., authentication and command processing functions). We demonstrate the practical feasibility of our approach on several real-world backdoors found in modified versions of the popular software tools ProFTPD and OpenSSH. Furthermore, we evaluate our implementation not only on common instruction set architectures such as x86/x64, but also on commercial off-the-shelf embedded devices powered by a MIPS32 processor.

show abstract

“…The hardware components on which the kernel depends to execute itself do not contain exploitable bugs, backdoors or undocumented functions [6] with regard to security.…”

Section: Assumptionmentioning

confidence: 99%

“…So it involves the MCH. These access vectors can be divided in two categories depending on whether the access is initiated by the device or ordered by the CPU: 6 • In the case the access is initiated by the device, it concerns the devices that are connected on a bus capable of bus mastering (like the PCI or PCI Express bus on IA-32 and Intel 64 architectures). These devices can then take control of the bus and perform a data transfer to the memory without the processor involvement.…”

Section: Access Vectors To Kernel Memorymentioning

confidence: 99%

Enforcing kernel constraints by hardware-assisted virtualization

2009

View full text Add to dashboard Cite

This article deals with kernel security protection. We propose a characterization of malicious kernel-targeted actions, based on how the way they act to corrupt the kernel. Then, we discuss security measures able to counter such attacks. We finally expose our approach based on hardwarevirtualization that is partially implemented into our demonstrator Hytux, which is inspired from bluepill (Rutkowska in subverting vista kernel for fun and profit. In: Black Hat in Las Vegas, 2006), a malware that installs itself as a lightweight hypervisor-on a hardware-virtualization compliant CPUand puts a running Microsoft Windows Operating System into a virtual machine. However, in contrast with bluepill, Hytux is a lightweight hypervisor that implements protection mechanisms in a more privileged mode than the Linux kernel.

show abstract

CPU bugs, CPU backdoors and consequences on security

Cited by 13 publications

References 9 publications

Specs

Specs

Towards reducing the attack surface of software backdoors

Enforcing kernel constraints by hardware-assisted virtualization

Contact Info

Product

Resources

About