Ask HN: Can we trust our CPUs?

87 点作者 freeduck将近 12 年前

There is allot of buzz around darknets and encrypted mesh-nets. But can we trust our hardware? A modern computer contains allot of different CPUs or CPU like circuits. Is there any way to determine if any of these chips are "Phoning home"?

20 条评论

_b8r0将近 12 年前

Actually it's not the CPU you need to be worried about.Earlier this year at 44Café in London I did a talk in which I dropped about 16 bugs in SuperMicro's IPMI BMC implementation (through the medium of a drinking game), some of which were picked up by Farmer and Moore's recent research into IPMI, some not[1]. The Baseboard Management Controller (BMC) is a completely separate computer, often running unmaintained Linux firmware that has full South-Bridge and i2c access to your computer's memory. Basically it has Direct Memory Access (DMA) but your computer doesn't appear to going the other way around (although I haven't investigated this yet).The board I looked at ran an ARM chipset and a custom Linux distro built by an OEM called ATEN[1] and customised by SuperMicro. It's not that the system appears to be phoning home, it's more that there are a lot of bugs and defaults in the implementation, and compromising this allows you to compromise the underlying server.For desktop and laptop systems you don't usually have IPMI, so no BMC. Instead you have intel's iAMT which is very similar in some respects. There's some really fantastic research done in this space by Patrick Stewin and Iurii Bystrov[3] who have implemented a hardware keylogger. I've been in contact with them and they've updated their work since publishing the paper and intend to present the results at the 44CON[4] security conference in London this September.Again it's not a case of these chips phoning home per se but a non-well documented nor well-publicised attack surface with real-world implications for espionage and malware.Disclaimer: I'm one of the co-founders and co-organisers of 44Con.[1] - <a href="http://www.wired.com/threatlevel/2013/07/ipmi/" rel="nofollow">http://www.wired.com/threatlevel/2013/07/ipmi/</a>[2] - <a href="http://www.aten.com/IPMI.htm" rel="nofollow">http://www.aten.com/IPMI.htm</a>[3] - <a href="http://stewin.org/papers/dimvap15-stewin.pdf" rel="nofollow">http://stewin.org/papers/dimvap15-stewin.pdf</a>[4] - <a href="http://www.44con.com/" rel="nofollow">http://www.44con.com/</a>

评论 #6025512 未加载

评论 #6026191 未加载

unclebucknasty将近 12 年前

I think concern about other points of compromise that would render encryption less useful is very, very valid. Not sure about the CPU itself per se, and perhaps it could be a combination of components, not to mention the firmware, software, etc.With all of the emphasis on endpoint encryption as a solution in particular, I have been raising this concern. The NSA has already carved out an exception that allows them to keep encrypted data forever as they attempt to crack it. So, that reveals their determination to defeat protective measures. Why wouldn't they attempt to build in other back doors at the hardware/firmware/software level?It just seems to me that too much emphasis on technical solutions to government intrusions is not the right way to go. As a back-stop, technical solutions like encryption are fine. But, why should we have to play cat-and-mouse with our government to protect our privacy? This posture lets them off the hook and esentially says, "if they can get your information, it's fair game". We shouldn't have to look over our shoulders this way.Instead, their activity should be outlawed and there should be legal protection, such that whistleblowers like Snowden are considered heros instead of criminals.

评论 #6025504 未加载

评论 #6025786 未加载

评论 #6025604 未加载

mkup将近 12 年前

There's a microcontroller with ARCompact architecture inside Intel chipsets, which has access to all devices, to the RAM, has its own network stack and running custom real-time OS (ThreadX). All technologies actively advertised by Intel such as Active Management, AntiTheft, Identity Protection, Rapid Start, Smart Connect, Protected Audio Video Path - are powered by this controller.More info: <a href="https://ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%202012%20Skochinsky.pdf" rel="nofollow">https://ruxconbreakpoint.com/assets/Uploads/bpx/Breakpoint%2...</a>So basically every desktop motherboard or notebook has a chip which runs unknown software and has full access to your RAM and network interface. There's something to worry about.

kryten将近 12 年前

Any system of significant complexity be it hardware or software cannot be trusted unless it is 100% open source both from the hardware level to the software level and all systems that are used to manufacture it are open source as well and the whole process has open oversight.Even if you tape out a CPU and ship it to the fab, they could still add stuff before it is packaged.In conclusion, no you can't trust anything we use today. Even Stallman's open-everything laptop is open to compromise.Pen, paper, box of dice, OTP or accept these facts.

评论 #6025487 未加载

评论 #6025981 未加载

trotsky将近 12 年前

Short answer is you can trust building block type components like CPUs if they're designed by a company that is in the camp of the same nation state/alliance that you align with as well. Very similar to the thought process you would use when deciding if you can trust that guy over there with a gun.Theoretically the answer is no if you're talking about gear (say highly integrated Socs) designed and fabbed in a country that has demonstrated a trust issue or two with the folks that issue your passport.Practically though this is one of the last things you should be spending time worrying about assuming you're not currently engaged in global politics or things that have a blast radius.You can pretty much hide a semitrucks worth of nastyness inside any modern chip these days. And while it wouldn't be impossible to find, it requires a well financed effort to try.But the real answer is you didn't really ask the right question. Computers (and phones/etc etc) are so inundated with security holes between the endless streams of bugs, opaque supply chains, exploitable design errors and a pervasive belief that better security = less sales that there's simply no need to go after the cpu, it's far cheaper and provides credible deniability to all involved.While I have no doubt there are at times intentional flaws introduced into big name chip designs, any use of such things would be limited to extremely unique circumstances as the blowback if discovered would be pretty damn apocalyptic if you're talking say intel/ibm/oracle.Anybody that's going to get at your data is ether going to convince you to give it to them, or spend an hour or two and beat your software stack.Even when the NSA testifies in congress to convince them to block telecom mergers unless they get a clause barring zte/huawei gear it's primarily the software stack that they're worried about. Even listening devices need point releases from time to time.

wladimir将近 12 年前

I'm not sure about CPUs. They don't have direct connections to the outside world. If you want to distrust any hardware, it makes sense to focus on communication peripherals such as network cards, wifi/gsm modems etc.For example the baseband processors in phones contain a complicated firmware of 16 MB+. This contains many hidden diagnostic modes on various subsystem levels. Baseband processors have been known to be exploited remotely, and as they have direct connection to the main CPU, giving full control over the device, including GPS, camera etc.There have also been bugs in wired networking hardware in which specially crafted packets resulted in low-level crashes. It was not exploitable in the cases I remember, but I'm sure someone persistent enough and with the right skills may be able to find some.None of these examples actually "phone home" in the classic sense, but my point is that these peripherals have proprietary firmware that is hardly under public scrutiny, and anything can be hidden in them.

评论 #6025250 未加载

yungchin将近 12 年前

You might be interested in <a href="https://blogs.oracle.com/ksplice/entry/hosting_backdoors_in_hardware" rel="nofollow">https://blogs.oracle.com/ksplice/entry/hosting_backdoors_in_...</a> - they show that devices connected to the PCI bus can potentially modify your kernel at boot time, without changing its on-disk signature.

etiam将近 12 年前

I'm glad you raise the question freeduck. I was actually going to post something like it once the more important discussion about opposing surveillance by social and political means has got going properly (technical solutions won't fix the deeper problem of authoritarian tendencies in society). A few years ago I read about remote control by hardware in this article: <a href="http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr" rel="nofollow">http://www.tgdaily.com/hardware-opinion/39455-big-brother-po...</a>Be sure to check the video linked at the end: <a href="http://www.youtube.com/watch?v=wlj7u3tOQ9s" rel="nofollow">http://www.youtube.com/watch?v=wlj7u3tOQ9s</a>I don't know much about this myself but I'll be very interested to see the HN community's take on to what extent we can trust out hardware.

conductor将近 12 年前

This is a copy-paste of my comment from an older thread [0]:<a href="http://www.xakep.ru/post/58104/" rel="nofollow">http://www.xakep.ru/post/58104/</a> (use Google Translate)TL;DRThe author has found an undeclared software module (backdoor?) working as a hyper-visor in the System Management Block chip on the South Bridge working with Intel CPU with VT virtualization technology.[0] - <a href="https://news.ycombinator.com/item?id=4462782" rel="nofollow">https://news.ycombinator.com/item?id=4462782</a>

anonymous将近 12 年前

"Is there any way...?"Generally, if you mean phoning home over the internet, yes! If you mean over cellular networks, no.To get things started, there should first be some "buzz" around kernelspace packet filters. Because that is what you need to start using.Computers running packet filter software are sometimes called "firewalls". But that terminology does not promote much understanding among users who are not also career network administrators.If you are concerned with what your device is communicating over the public internet, then you can monitor these communications first to confirm your suspicions. And then, if necessary, you can exercise some control over it.How? Run packet filter software in your OS's kernel. Numerous open source, free OS's allow you to do this. And what does it cost? Nothing! With commercial, proprietary OS's that are sold for money (which are often just modified versions of open source free OS's) it may not be so easy. In fact, they may make it impossible to do. Go figure.With a packet filter, you can view and, if desired, block packets entering and leaving your machine, according to your rules. Assuming you can get this set up easily (and indeed you can), why would anyone not want to do this? You can even use an old computer repurposed just to do packet filtering. Have your new devices use it as a gateway.For the avoidance of doubt, popular "firewall" software like ZoneAlarm or whatever are not what I'm talking about. Those are userspace software."Can we trust hardware?"In general, I'd say the more bundled it is, the less trustworthy it is. If you cannot even open the enclosure let alone run your own OS (hello Apple), that's not going to help users who want to "trust, but verify". Building your own computer (think something like RaspberryPi) gives you freedom and more peace of mind.

vacri将近 12 年前

Wireshark or similar network sniffer. Any phone-home is going to require using the usual channels to get out of your location to the general internet. Things like TEMPEST require external sniffers; an autonomous agent will have to use what is going to be available, and your modem isn't going to be transferring custom protocols... and if it is, then the ISP's equipment probably wouldn't. And if all three units are, well, things are worse than we could have imagined, but you'd be talking about a conspiracy that would require the silence of an incredible amount of people.

评论 #6025300 未加载

zamalek将近 12 年前

I don't think you could fit enough transistors into a CPU die to do any form of monitoring - you would need to basically have an incredibly complex software package do it (which you could store on a ROM on the die). The only problem with that is you would need to translate a set of machine code instructions into an intent in real-time: we can't even do this offline (the best we have is IDA, but that needs crazy amounts of human intervention). So as far as the physical chip goes it's irrationally paranoid to worry about it.However, Realtek, as a good example, love to home-grow their own [shitty] protocols and hence always require drivers - so if you want to realistically question whether or not your hardware could monitor you, looks at its inseparable twin: drivers. They run in the kernel and have access to pretty-much everything else on your system: no amount of UAC, sudo or whatever else not will keep your data safe from it - and most users won't think twice when installing them.

X4将近 12 年前

Can someone please explain if this is true?"Computers with particular Intel® Core™ vPro™ processors enjoy the benefit of a VNC-compatible Server embedded directly onto the chip, enabling permanent remote access and control."<a href="http://www.realvnc.com/products/viewerplus/" rel="nofollow">http://www.realvnc.com/products/viewerplus/</a>Because if it is true, then your CPU is a potential backdoor given that they have a masterkey or masterpassword.And I really don't understand how this can work when the computer is turned off, any ideas??

评论 #6032842 未加载

评论 #6031086 未加载

Proleps将近 12 年前

You can always use a second device with different hardware to monitor your own network traffic. If you don't fully trust that hardware use yet another device with different hardware behind it :P

sehugg将近 12 年前

It's certainly interesting to think about, at least: <a href="http://theinvisiblethings.blogspot.ru/2009/06/more-thoughts-on-cpu-backdoors.html" rel="nofollow">http://theinvisiblethings.blogspot.ru/2009/06/more-thoughts-...</a>Given the huge downside of a CPU exploit leaking or being detected, I'd expect them to be used very sparingly if at all. This XKCD comes to mind: <a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a>

venomsnake将近 12 年前

I think you cannot trust anything that is not behind an air gap and powered by a source not connected in the general grid.

评论 #6026319 未加载

flyinRyan将近 12 年前

The answer is clearly, and obviously: no you can't trust CPUs, memory, compilers, disassemblers, microcode or anything else.The better question is: what is being done to address this? What can be done (are you going to trust an "open source" CPU producer who swears they have no back doors?)?

Steve_NM将近 12 年前

Intel actually sells the capability of most post-1st gen Intel processors phone home in a way that is transparent to the end user as a feature.<a href="http://intel.ly/14U14JW" rel="nofollow">http://intel.ly/14U14JW</a>

uptown将近 12 年前

I've always wondered about those dirt-cheap USB devices sold on eBay. Seems like an easy target for a malicious device masquerading as a USB hub.

mariuz将近 12 年前

The only solution is opencore cpu based hardware<a href="http://opencores.org/donation" rel="nofollow">http://opencores.org/donation</a>