CPU Bugs, CPU Backdoors and Consequences on Security

  • Loïc Duflot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5283)


In this paper, we present the consequences on the security of operating systems and virtual machine monitors of the presence of a bug or a backdoor in x86 processors. We will not try to determine whether the backdoor threat is realistic or not, but we will assume that a bug or a backdoor exists and analyse the consequences on systems. We will show how it is possible for an attacker to implement a simple and generic CPU backdoor to be later able to bypass mandatory security mechanisms with very limited initial privileges. We will explain practical difficulties and show proof of concept schemes using a modified Qemu CPU emulator. Backdoors studied in this paper are all usable from the software level without any physical access to the hardware.


hardware bug hardware backdoor x86 CPU 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan detection using ic fingerprinting. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 296–310 (2007)Google Scholar
  2. 2.
    Akkar, M.-L., Bevan, R., Dischamp, P., Moyart, D.: Power analysis, what is now possible. In: Asiacrypt: Proceedings of Advances in Cryptology (2000)Google Scholar
  3. 3.
    Advanced Micro Devices (AMD). Amd virtualisation solutions (2007), http://enterprise.amd.com/us-en/AMD-Business/business-Solutions/Consolidation/Virtualization.aspx
  4. 4.
    Bellard, F.: Qemu opensource processor emulator (2007), http://fabrice.bellard.free.fr/qemu
  5. 5.
    Bertoni, G., Zaccaria, V., Breveglieri, L., Monchiero, M.: Aes power attack based on induced cache miss and countermeasure. In: Proceedings of the International Conference on Information Technology: Coding and Computing (2005)Google Scholar
  6. 6.
    CELAR. Computer and electronics security applications rendez-vous (c&esar 2007) (2007), http://www.cesar-conference.fr/
  7. 7.
    Collins, R.: Undocumented opcodes: Salc. (1999), http://www.rcollins.org/secrets/opcodes/SALC.html
  8. 8.
    Intel Corp. Intel core 2 extreme processor x6800 and intel core 2 duo desktop processor e6000 and e4000 sequence: Specification update (2007), http://www.intel.com/technology/architecture-silicon/intel64/index.htm
  9. 9.
    David, F., Chan, E., Carlyle, J., Campbell, R.: Cloaker: Hardware supported rootkit concealment. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 296–310 (2008)Google Scholar
  10. 10.
    Dornseif, M.: Owned by an ipod: Firewire/1394 issues. In: CanSecWest security conference core 2005 (2005), http://cansecwest.com/core05/2005-firewire-cansecwest.pdf
  11. 11.
    Duflot, L., Etiemble, D., Grumelard, O.: Security issues related to pentium system management mode. In: Cansecwest security conference Core 2006 (2006)Google Scholar
  12. 12.
    Intel Corp. Intel 64 and ia 32 architectures software developer’s manual volume 1: basic architecture (2007), http://www.intel.com/design/processor/manuals/253665.pdf
  13. 13.
    Intel Corp. Intel 64 and ia 32 architectures software developer’s manual volume 3a: system programming guide part 1 (2007), http://www.intel.com/design/processor/manuals/253668.pdf
  14. 14.
    Intel Corp. Intel 64 and ia 32 architectures software developer’s manual volume 3b: system programming guide part 2 (2007), http://www.intel.com/design/processor/manuals/253669.pdf
  15. 15.
    King, S., Tucek, J., Cozzie, A., Grier, C., Jiang, W., Zhou, Y.: Designing and implementing malicious hardware. In: Proceedings of the first usenix workshop on large scale exploits and emergent threats, LEET 2008 (2008)Google Scholar
  16. 16.
    OpenBSD core team. The openbsd project (2007), http://www.openbsd.org
  17. 17.
    PCI-SIG. Pci local bus specification, revision 2.1 (1995)Google Scholar
  18. 18.
    Smith, S., Perez, R., Weingart, S., Austel, V.: Validating a high-performance, programmable secure coprocessor. In: Proceedings of the 22nd National Information System Security Conference (1999)Google Scholar
  19. 19.
    Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of des implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    University of Cambridge. Xen virtual machine monitor (2007), http://www.cl.cam.ac.uk/research/srg/netos/xen/documentation.html

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Loïc Duflot
    • 1
  1. 1.DCSSI 51 bd. de la Tour MaubourgParis Cedex 07France

Personalised recommendations