Hidden Debug Mode Found In AMD Processors 154
An anonymous reader writes "A hidden (and hardware password protected, by means of required special values in processor registers) debug mode has been found in AMD processors, and documented by a reverse engineer called Czernobyl on the RCE Forums community today. It enables powerful hardware debugging features long longed for by reverse engineers, such as hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints. And the best part is, it's sitting right there in your processor already, just read the details and off you go with the debugging ninja powers!"
Re:Just a matter of time... (Score:5, Informative)
(As the original article was instantly slashdotted, I can only guess that the AMD exploit was found through software avenues.)
Some extra info, whilst the site is 'dotted... (Score:1, Informative)
http://webcache.googleusercontent.com/search?q=cache:EzsEFcoAZDAJ:www.woodmann.com/forum/archive/index.php/t-13891.html+amd+hardware+debugging+features&cd=5&hl=en&ct=clnk&gl=uk
Re:Security? (Score:2, Informative)
Not necessarily. Memory access can be blocked because the MMU controls what and where an application can write, transferring control to known code (the OS) on violations. Interrupts can be blocked because invoking them gives control to the OS. Priviliged instructions can be blocked because non-ring0 execution gives control to the OS.
The OS can't choose to block for example the "xor" instructions in any reasonable way. It's possible by basically single-stepping through instructions at 100x the overhead, but it's not feasible.
Re:Coral Cache link (Score:3, Informative)
Try this [nyud.net]
Re:The ultimate security disaster? (Score:5, Informative)
Not a security hole. This debug mode is not some kind of eleet hax0r backdoor. It's for debugging the processor and microcode.
It's the OS responsibility to ensure that normal applications can't simply do whatever they like directly to the hardware, including the CPU.
Re:Security? (Score:3, Informative)
IIRC, microcode updates are typically packaged as part of BIOS updates.
Tell me, how many PCs - as a percentage of those sold - get their BIOS regularly updated?
google cache of the article (Score:3, Informative)
Re:Security? (Score:5, Informative)
Just an extension of existing debug facilities (Score:5, Informative)
Based solely on the Google cache of the forum post describing this (linked above), there's no need to go into hysterics. For hardware and systems geeks, this is very cool. It's an extension of the existing x86 debug registers (DR0-7) that allows you to set a debug watchpoint that only fires when specific data is loaded in.
There are a lot of researchers and tool builders that would love to have this because it would allow them to take a watchpoint fault whenever they only when they have a specific value from a specific location. For instance, let's say that every so often you get a null pointer exception at a specific address. However, if you current go into gdb and set 'watch 0x{address}', you're going to take a breakpoint every single time that pointer is accessed.. Wouldn't it be great to do something like 'watch 0x{address} NULL' and only stop your debugger whenever 0 gets written into that address?
That's what the forum posts imply, at least. "Guys, I've reversed this in part... breakpoints defined in DR0 can be made to fire only on data match (under optional mask), plus masking of any or all of 12 low address bits ! Works also for I/O break points, provided CR4_DE is set, of course !"
I would wager that this is not a large security concern. Access to DR7 is restricted to ring 0, and therefore enabling debug breakpoints must be done by the operating system. While extremely interesting (I wish I could read more!), Czernobyl appears to be describing a modification to debug breakpoints that are already enabled.
Re:Security? (Score:5, Informative)
Okay, the site's still down but I found a cache:
In fact, this is a fairly small incremental improvement over the existing hardware debugging support in x86 chips. It provides some extra control codes allowing the address in DR0 (one of the four registers i386 provides for hardware watchpoints) to do some slightly more clever things. For example, a watchpoint can be triggered on a partial match, rather than an exact match, to the address - this is really nice because it lets you put a watchpoint on the whole of any data structure that fits within a page. With the i386 watchpoints, you can only watch a single word with each register (4 words in total), while this means you can watch anything smaller than a page (and you can watch things bigger than a page by marking the page as no access, trapping the access, then unprotecting, single-stepping through the load / store, and continuing the process, which is how you implement watchpoints when you run out of debug registers).
Re:Security? (Score:4, Informative)
Perhaps the slashdotted site answers this but I have to wonder why not just have a separate opcode to turn the debugging on?
Because there's already a whole bunch of privileged MSRs that normal user code mustn't have access to - many of which are undocumented and processor-specific - so adding a few more is no big deal. Adding new opcodes, on the other hand, requires more work and risks them clashing with Intel's opcode choices at a later date.
Re:Just an extension of existing debug facilities (Score:5, Informative)
Oh, and the summary's description, "hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints", matches up with the line I copied & pasted from the forum post. I previously described the "hardware data-aware conditional breakpoints"where you can make hardware take a fault if an address of a memory operation is matched && the value of the memory operation matches. Looking through my notes, embedded Power ISA (Book III-E) processors also let you set value-dependent watchpoints using the Data Address Compare (DAC) Registers. I'm not sure about other ISAs.
The second party of the summary's statement refers to to 'page guard'-style breakpoints. This is referenced by Czernobyl's "masking of any or all of 12 low address bits". Again, this is a very interesting extension of the x86 debug registesr, which only allow debug watchpoints of size 1, 2, 4, or 8 bytes (and the latter only in certain microarchitectures & modes) However, by masking out the low 1--12 bits of the address into don't-cares, it's possible to set watchpoints anywhere from 1-4096 bytes, limited to powers-of-two and size-alignment. This is cool from an x86 standpoint, but ARM, MIPS, and Itanium (off the top of my head) already do this.
Suffice it to say, the stuff that Czernobyl found is very cool in relation to x86, especially if these facilities were officially released to the public at any point in the future. However, it's very unlikely to cause any kind of AMD-only viruses or other scary security concerns. These features exist on other ISAs without any kind of world-shattering problems. :)
Re:Just an extension of existing debug facilities (Score:5, Informative)
Sure, but it's much faster to do it in hardware. This is the whole reason data watchpoints exist (See, for instance, the paper "Some Requirements for Architectural Support of Software Debugging" by Mark Scoctt Johnson from ASPLOS-I), as you could technically have your debugger put address & data checks around every memory access, but that leads to completely unacceptable overheads. It's faster to let the hardware check the addresses in parallel with regular execution and take a fault only if you touch the watchpoint.
Similarly, if the hardware will check the value before taking a debug interrupt to the kernel and subsequently signaling/scheduling of the debugger, it will be much, much faster than performing all that and then have the debugger check the address & throw this particular interrupt away before continuing execution. That constant interrupt cycle can cause 10,000x or more slowdowns if you're constantly accessing a value & taking bad watchpoints on it.
Re:Security? (Score:3, Informative)
AFAIK they are packaged with every major linux distro out there, and I can't but presume that Windows ships with microcode patches as well.
Re:Security? (Score:2, Informative)
I used to work for a processor emulator tools company called Applied Microsystems Corp, Redmond WA. now defunct.
Up thru processors type 68040 emulations tools could be mounted external to the processor chip and performed the functions mentioned ( hardware breakpoints, memory maps, all register shadowing, soft and hard breakpoints, etc, all the things that you need to perform basic computer system development. As the complexity of the systems increased beyong those early 8/16/32 bit cpu, all those hardware functions became embedded into the processor itself and are accesed by usually an I2c serial link. Emulation tools went from hardware and software complex and external to the system to hardware simple internal and software complex and external. The bottom dropped out of the eumlator tools market ( from 50k$ to 5K$ ) and that whole industry went away and got smaller and fewer in number. But the hardware tools remain inside the cpu's now, accessible by hardware licensed developers in NDA contracts. But for a few years even a few technicians had an understanding of the fine details of cpu internals. Now all that is buried again.
Re:Security? (Score:5, Informative)
Re:Security? (Score:3, Informative)
Except the UPS company makes that feature available for money. If AMD isn't releasing this info to anyone, then it isn't golden screwdrivering.
Re:Hidden? (Score:3, Informative)
That is not always the case.
For example they did not properly document and release the docs on the hardware RNG in their first chipsets when it came out. As a result it ended up supported only on Linux on a "friend-of-mine" basis and MSFT (on whatever basis). The other OS developers did not know about it for a while (more than half a year). I remember personally telling Theo De Raadt on BUGTRAQ at the time to stop talking rubbish that AMD does not have a hardware RNG and he was genuinely shocked. However the fact is a fact - it was not open.
This is just an example, i can think of quite a few others.
Re:The ultimate security disaster? (Score:1, Informative)
Actually most of those controls, such as an ordinary user-space program just overwriting arbitrary places in physical memory or running on the CPU for as long as it wishes and not allowing anything else to preempt it, are enforced by hardware. That's the only way they can possibly work.
Re:Security? (Score:3, Informative)
Not that I'm that knowledgeable about virtualization software, but I can't imagine that they would run priviledged code in the virtual machine as priviledged code on the host CPU, so it doesn't matter anyways.
In a VM running under hardware-based virtualization (AMD-V / VT-x) , privileged code in the guest generally does run at privilege level 0, also referred to as (privileged), kernel mode, or ultimate privilege. This is required to implement a protected mode operating system; a modern guest OS needs to be able to implement its kernel mode, user mode, and have the hardware implement restrictions on its user processes, typically by reducing its user processes to RING 3, or RING1 / 2, which are permission levels the OS can configure to specify the allowed privileges. However, code in the VM is running as a guest OS.
It means the guest OS must run with ultimate privilege. To address this, CPU manufacturers created a new privilege level called "ring -1". When the virtualization feature is active in hardware, the virtual machine monitor runs at ring -1, and runs guest OS code at ring 0.
As Intel puts it: VT-x and VT-i allow guest software to run at its intended privilege level. Guest software is constrained, not by privilege level, but because for VT-x it runs in VMX non-root operation
In a software-emulated VM, instructions are translated and rewritten by the hypervisors anyways, and the hypervisor itself generally runs in Ring 3 user mode not kernel mode in that case, It is up to the hypervisor to protect itself.