Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel's chip hardware.
The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows folks to peek inside the hidden workings and mechanisms of their CPU chipsets – capturing the traffic of individual signals and snapshots of the chip's internal architecture in real time – without any special equipment.
To be clear, this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it, which itself requires you to have administrative or root-level access on the box. In other words, if an attacker can even get at VISA on your computer, it was already game over for you: they need admin rights.
Rather, Ermolov and Goryachy explained, the ability to access VISA will largely be of interest to researchers and chip designers who want to get a window into the lowest of the low-level operations of Chipzilla's processor architecture.
What lies within
VISA is one of a set of hidden interfaces, publicly undocumented or only partially documented, called Trace Hub, which Intel produced so that its engineers can see how data moves through the chips and debug the flow of information between the processor and other hardware components. Specifically, the Platform Controller Hub, which hooks up CPU cores to the outside world of peripherals and other IO hardware, houses Trace Hub and VISA.
"This technology allows access to the internal CPU bus used to read and write memory," the duo told The Register. "Using it, anyone now can investigate various aspects of hardware security: access control, internal addressing, and private configuration."
Alongside VISA is an on-chip logic analyzer, and mechanisms for measuring architecture performance, inspecting security fuses, and monitoring things like speculative execution and out-of-order execution.
Intel VISA demo: extracting one's of Intel SoCs security fuses (debug root key for TPM, ME file system, Intel IPT and others): pic.twitter.com/gD4L7ndKFC — Mark Ermolov (@_markel___), March 29, 2019
So, if the VISA controller isn't much help in directly pwning someone else's computer, what use is it to non-Intel folks? Goryachy and Ermolov say that hardware hackers and researchers focused on the inner workings of Intel chips would find VISA of great use when trying to suss out possible side-channel or speculative execution issues, secret security configurations, and so on.
"For example, the main issue while studying the speculative execution is getting feedback from the hardware," they explained. "This technology provides an exact way to observe the internal state of the CPU or system-on-chip, and confirm any suppositions."