Hidden Debug Mode Found In AMD Processors

An anonymous reader writes "A hidden (and hardware password protected, by means of required special values in processor registers) debug mode has been found in AMD processors, and documented by a reverse engineer called Czernobyl on the RCE Forums community today. It enables powerful hardware debugging features long longed for by reverse engineers, such as hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints. And the best part is, it's sitting right there in your processor already, just read the details and off you go with the debugging ninja powers!"

The ultimate security disaster?

[pyalot]

Since TFA is down by now, and I can't get the exact details... does this mean that any program running and setting the right bits in the right registers can get "processor root" access to everything the processor does, irrespective of any security constraint the OS may place on that process? Oh dear

Re:Security?

[slashqwerty]

Does anyone know - could these debug features be used to do something like break Operating System security models, leading to privilege escalation issues, or for other nefarious purposes?

If there is some way to enable privileged instructions without using a privileged instruction it would completely circumvent operating system security.

Perhaps the slashdotted site answers this but I have to wonder why not just have a separate opcode to turn the debugging on?

Re:Security?

[fuzzyfuzzyfungus]

Any CPU debug mode worthy of the name should be able to violate OS security six ways from Sunday, and silently at that, without any difficulty. By the same token, though, any CPU debug mode worthy of shipping in commercial silicon really ough to be possible for the firmware and/or kernel to lock for the duration of operation. If userspace can kick it off, a brave and exciting new world of AMD-specific malware is about to begin...

Re:Security?

[TrisexualPuppy]

It's probably that AMD doesn't want to claim that they ever marketed the feature as such. If they did, it would put Intel up to create and release a debugging interface for their silicon. Then both would be forced into competing to produce a better debugging interface. This drives production costs up for a component that may be used by less than 1/100 of a percent of the users when they should have been putting their efforts elsewhere.

Re:Security?

[Anonymous Coward]

Also, if it's triggered in userspace, the OS can block it.

Not if your OS is rooted. Or root-kitted. Or both.

Re:Hidden?

[neokushan]

I can think of many reasons why it might be hidden. For example, it may be hidden because the cost of supporting it would outweigh the benefits of admitting the "feature" is there. I don't just mean in terms of documenting it and releasing that info for developers, I mean in termins of testing it for security reasons. Plus, let us say that a theoretical bug is found that creates a hole someone can exploit - is it patchable? It's a whole can of worms AMD may be right to avoid opening.

Re:Security?

[camperdave]

it would put Intel up to create and release a debugging interface for their silicon.

Maybe Intel already has a debugging interface on their silicon. This AMD interface has remained hidden for who knows how many years, why couldn't the same thing happen with Intel? After all, it's not as if just anyone can reverse engineer a CPU.

Re:The ultimate security disaster?

[Smallpond]

Since TFA is down by now, and I can't get the exact details... does this mean that any program running and setting the right bits in the right registers can get "processor root" access to everything the processor does, irrespective of any security constraint the OS may place on that process?

Oh dear

Any program that can read and write to any processor register already has complete access to everything on your computer. The reason this is secret is not to protect your data, its to protect AMD's secrets.

Re:Hidden?

[icebraining]

And how do you know some top black hats don't already know about this for years and have already exploits for it? It's a classic example of security through obscurity.

If it's not safe (and if it's baldly tested, it is), I'd expect AMD to disable it on a physical level, not leave it there "hidden" for someone with poor intentions to find out.

Re:Security?

[Joe U]

Also, if it's triggered in userspace, the OS can block it.

Not if your OS is rooted. Or root-kitted. Or both.

That's already game over. If you own the OS, why would flipping the processor into a new mode help?
  You already own the security system.

Re:Just an extension of existing debug facilities

[deKernel]

If you are an application developers, I would agree with you. Any decent debugger should allow you to set a conditional breakpoint, but I am not sure if you can say that for kernel debuggers which are very different animals typically.

Re:Security?

[wbo]

AFAIK they are packaged with every major linux distro out there, and I can't but presume that Windows ships with microcode patches as well.

Microcode updates for Windows machines are distributed through Microsoft Update and are downloaded and installed automatically if automatic updates is enabled (and it is enabled by default). No BIOS update required.

An example of such an update can be found by looking at Microsoft KB936357 [microsoft.com]

Re:Security?

[LordNimon]

It is possible that the debug features are for their internal use and they don't quite work as intended.

Ding ding ding ding ... we have a winner!

I work for a processor design company. If this feature is kept secret, it's because the company does not want to put in the resources to make sure it works completely on every chip. It probably uses lots of hacks and violates the architecture in some obscure way. AMD does not want customers depending on this feature and then insisting that it works for future design wins.

Re:The ultimate security disaster?

[maxwell demon]

Ultimately it's the CPU which implements the security at the instruction and memory level. The OS only tells the CPU what code should run under which security context.

Re:Just a matter of time...

[GWBasic]

They never make any public info, but it's crazy what kind of logic blocks they find on silicon.

Sometimes scraping can tell simpler things, like an accurate estimate about how much profit a company is making on a chip, and thus how much money the company will have to invest in its next generation of chips.