Can ReactOS preclude or inform users of open god mode back door access?

Ancient
Posts: 82
Joined: Tue Mar 27, 2018 11:32 pm

Can ReactOS preclude or inform users of open god mode back door access?

Post by Ancient »

Can ReactOS preclude or warn of a back door (ring -3) vulnerability access? Outlined here - https://i.blackhat.com/us-18/Thu-August ... PUs-wp.pdf - the author was able to determine an instruction opening a ring -3 back door, which may or may not be enabled after boot depending on CPU or BIOS, that allows execution of an undocumented command to switch from x86 to RISC instruction sets, even from ring 3, without causing an exception.

The Intel and AMD RISC subsystems are embedded into the x86 but are not subject to any security (there is no ring at all from this mode; all memory is available, as are all control registers and more, for read and write). A video of how the exploit was determined is at this URL - https://www.youtube.com/watch?v=_eSAF_q ... ex=14&t=0s

Documented x86 rings are 0, 1, 2 and 3. Most OS implementations use rings 0 and 3. These are the documented rings. Ring -1 is the hypervisor ring (the ring used to facilitate virtual machines; this is mostly but not comprehensively documented). Ring -2 is considered system management and is generally reserved to x86 microcode; it is mostly undocumented. Ring -3 is the RISC system which is embedded in all modern x86 CPUs (Q35 / AMT / ME); it is not documented. Even the RISC CPU is not documented (the CPU instructions do not match any commonly known RISC processor but are likely produced by ARM exclusively for Intel or AMD).

On some x86 systems the execute-RISC feature is enabled by default from ring 3; if not, it can be toggled on or off for ring 3 from ring 0 by setting an undocumented bit in an undocumented register with an undocumented instruction. This permits an application to run with full administrative privilege behind not only the OS but also behind the x86 CPU and support chipset, even to look at and modify cache and internal running microcode. Security through obscurity is an old theme, but as technology to sample evolves, it won't continue to be effective. The author learned where to look by researching patents. He then applied his growing expertise to work out a back door attack venue to control PCs. If an individual can do this part time without corporate funding, what can a large organization do?

The RISC CPUs which are embedded in most x86 CPUs designed after 2008 are, in my opinion, a horrific security back door. Maybe a test on each system could be performed at boot to see if the undocumented "execute RISC" instruction is enabled. If so, warn users their systems are not at all protected. It is very annoying to me that back doors like this are permitted. The author determined the instruction switches a target pointed to by a register from x86 instruction fetch to RISC instruction fetch. He describes how to format and set up the RISC code necessary.

The author creates RISC code to examine operating system memory to locate his task table, then modifies it to run in ring 0. This is done on some PCs without any need to ever run anything in ring 0. Only the obscurity of this undocumented command protects the operating system. A failing of Linux, macOS and Windows is that this back door is not identified at boot.

Disabling IME in BIOS is described here - https://www.youtube.com/watch?v=MujjuTW ... =15&t=246s though not in sufficient detail to produce a generic solution.

If ReactOS at least detects whether this is enabled in ring 3 or not, and maybe turns it off, then ReactOS could offer security not currently available on most other operating systems.
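Added example (not the poster's code, and not part of ReactOS): what the "test at boot" proposed above could look like as a small x86 probe. The linked Black Hat 2018 paper found the hidden core on VIA C3 "Nehemiah" parts and reports that its launch instruction is enabled by bit 0 of MSR 0x1107; the CPUID signature used for gating (vendor "CentaurHauls", family 6, model 9), the MSR number and bit, and the use of Linux's /dev/cpu/N/msr interface to perform the rdmsr from user space are taken from that paper and from Linux, not from this thread, and are marked as assumptions in the code. Anything that is not the tested part is reported as "not applicable" rather than "safe".

```c
/* Added example, not from the forum post or ReactOS.
 * Assumptions (from the linked Domas paper, not from this thread):
 *   - tested part: VIA C3 Nehemiah = CPUID vendor "CentaurHauls", family 6, model 9
 *   - hidden-core launch enable: MSR 0x1107, bit 0
 *   - the rdmsr is done through Linux's msr driver (/dev/cpu/0/msr) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define HIDDEN_CORE_MSR  0x1107u  /* assumed, per the paper */
#define HIDDEN_CORE_BIT  0        /* assumed, per the paper: 1 = launch enabled */

struct cpu_sig { unsigned family, model, stepping; };

/* Decode CPUID leaf 1 EAX into display family/model, folding in the
 * extended family/model fields the way the vendor manuals specify. */
static struct cpu_sig decode_signature(uint32_t eax)
{
    struct cpu_sig s;
    s.stepping = eax & 0xF;
    s.model    = (eax >> 4) & 0xF;
    s.family   = (eax >> 8) & 0xF;
    if (s.family == 0xF)
        s.family += (eax >> 20) & 0xFF;
    if (s.family == 0x6 || s.family >= 0xF)
        s.model |= ((eax >> 16) & 0xF) << 4;
    return s;
}

/* Only the part the paper actually tested is a candidate for the probe. */
static int is_hidden_core_candidate(const char *vendor, struct cpu_sig s)
{
    return strcmp(vendor, "CentaurHauls") == 0 && s.family == 6 && s.model == 9;
}

static int hidden_core_enabled(uint64_t msr_value)
{
    return (int)((msr_value >> HIDDEN_CORE_BIT) & 1);
}

/* Read the CPUID vendor string and the leaf-1 signature. Returns 0 off x86. */
static int read_cpuid(char vendor[13], uint32_t *sig_eax)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(0), "c"(0));
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &d, 4); memcpy(vendor + 8, &c, 4);
    vendor[12] = '\0';
    __asm__ volatile("cpuid" : "=a"(a), "=b"(b), "=c"(c), "=d"(d) : "a"(1), "c"(0));
    *sig_eax = a;
    return 1;
#else
    (void)vendor; (void)sig_eax;
    return 0;
#endif
}

/* rdmsr is a ring-0 instruction; the Linux msr driver exposes it as a
 * file, so this needs root and `modprobe msr`. Returns -1 on failure. */
static int read_msr(unsigned msr, uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    char vendor[13]; uint32_t eax; uint64_t msr;
    if (!read_cpuid(vendor, &eax)) { puts("not an x86 CPU: check not applicable"); return 0; }
    struct cpu_sig s = decode_signature(eax);
    printf("%s family %u model %u stepping %u\n", vendor, s.family, s.model, s.stepping);
    if (!is_hidden_core_candidate(vendor, s)) { puts("not the tested part: check not applicable"); return 0; }
    if (read_msr(HIDDEN_CORE_MSR, &msr) != 0) { puts("cannot read MSR (need root and the msr driver)"); return 2; }
    puts(hidden_core_enabled(msr) ? "WARNING: hidden core launch is enabled" : "hidden core launch is disabled");
    return hidden_core_enabled(msr);
}
```

Because the enable bit lives in an MSR, the read itself already requires ring 0 (here borrowed from the kernel's msr driver); an OS doing this at boot would issue the rdmsr from its own kernel, and the same path could clear the bit with wrmsr if it wanted to turn the feature off.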
karlexceed
Posts: 531
Joined: Thu Jan 10, 2013 6:17 pm

Re: Can ReactOS preclude or inform users of open god mode back door access?

Post by karlexceed »

This is one of those features that will be a long time to come (if ever), since ReactOS's development focus is still on compatibility / parity with Windows features. There's not much room for work that's above and beyond yet.

It also begs the question - if your system is compromised to this extent, wouldn't the intruder be able to control what you see when you check for that enable bit? Not to mention there are various other embedded processors that exist in modern systems which are open to compromise, such as the HDD controller...
erkinalp
Posts: 861
Joined: Sat Dec 20, 2008 5:55 pm
Location: Izmir, TR

Re: Can ReactOS preclude or inform users of open god mode back door access?

Post by erkinalp »

You would also install ReactOS into your HDD controller. Turtles all the way.
-uses Ubuntu+GNOME 3 GNU/Linux
-likes Free (as in freedom) and Open Source Detergents
-favors open source of Windows 10 under GPL2