2

I didn't follow all the episodes about backdoors in Intel CPUs

What can intelligence or law enforcement agencies potentially do on a computer equipped with a vulnerable Intel CPU (connected to the Internet but not directly - behind a router)?

Can someone continue to develop sensitive applications (using Linux) if the computer is equipped with a vulnerable Intel processor and his enemies are state-level actors?

safesploit
  • 1,847
  • 8
  • 18
user18362
  • 21
  • 2
  • If "enemies are state-level actors", then you should assume it is even worse than your imagination can fathom. These CPU backdoors are a horrible problem even if the attackers are criminals working in small groups with zero funding except what they can steal. – Ben Voigt Aug 25 '18 at 16:34
  • By the time your "enemies are state-level actors", it's probably safe to say that all bets are off. There's a gazillion ways to get into a computer and extract information; no publicly disclosed CPU vulnerability necessary. – user Aug 25 '18 at 18:53
  • 1
    If you mean things like Spectre, those are not backdoors. They are just security vulnerabilities. – forest Sep 01 '18 at 01:39
  • @BenVoigt While nation-state actors are definitely quite resourceful, they are still just human. It's hard to protect from them, but if you have a carefully-developed threat model, it's really not _that_ hard. – forest Sep 01 '18 at 01:40
  • @forest: If you have a nation-state adversary, you need not be concerned with the particulars about vulnerabilities in Intel chips, because you should assume the electronics delivered to you have been intercepted and replaced with clones containing backdoors that are not mere design mistakes. See "Tailored Access Operations" – Ben Voigt Sep 01 '18 at 02:25
  • @BenVoigt Part of mitigating it involves purchasing hardware without having it delivered to you directly. That is fairly easy to do, it just takes the will-power to never order something for your computer online. – forest Sep 01 '18 at 02:27

1 Answers1

0

You should catch up on these vulnerabilities in the canonical question on the subject.

Assuming you are talking about the recent wave of Spectre and Spectre-like vulnerabilities, those are not backdoors, but security vulnerabilities. They generally* allow a local process that is executing on your computer to read memory that they are not otherwise permitted to read. If your adversary is a nation-state actor though, this is the least of your concerns. These attackers usually have access to a large repository of 0days from security contractors. It's more likely that they will exploit a flaw in some exposed service on your router or computer and then escalate privileges using a 0day, known vulnerability, or misconfiguration on your part. If they had to use these vulnerabilities, they would use it to skip the privilege escalation stage and directly read memory.

Normally, a CPU executing code will eventually run into a fork in the road where the specific path it takes depends on some variable. If that variable takes some time to access (e.g. querying hardware peripherals or accessing memory that is not in the CPU cache), then the CPU will engage in an optimization technique dubbed speculative execution. This technique involves speculatively executing both possible paths in code, later discarding the path which it was not supposed to take. The Spectre vulnerabilities typically exploit the fact that this "discarding" is not perfect and still leaves some information behind that a side-channel attack can later discover.

* A few variants allow for a little bit more, such as covert side-channel communication and, in at least one example dubbed NetSpectre, attack certain theoretically vulnerable protocols to read memory over a network very, very slowly. Another variant allows setting read-only patches to read-write in certain, specific situations.

forest
  • 65,613
  • 20
  • 208
  • 262