Unreal Mode: Breaking Protected Processes [pdf] - striking
http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

======
userbinator
Note that the term "unreal mode" is already historically taken to refer to
running an x86 processor in real mode with unlimited segment limits
([http://en.wikipedia.org/wiki/Unreal_mode](http://en.wikipedia.org/wiki/Unreal_mode)).

What I find most interesting about all these protections is that they
theoretically could be defeated completely with a series of small single-byte
changes, since ultimately everything rests on a series of decisions
(conditional jumps) - "is the certificate valid?" "is the certificate
trusted?" "is the user allowed to do X?" - and all that you have to do is
make that decision always go one way or the other. It doesn't matter how much
crypto is behind that verification, it all rests on that one decision,
literally a one-bit difference in the output of a gate in the CPU at runtime.
Even if the OS itself doesn't allow this, as long as there is no real
decryption involved, you can boot a LiveCD or remove the drive and plug it
into another machine. "Secure boot" and TPM just require going a bit deeper
into modifying the BIOS itself, but the same principle of changing the
decision applies.

~~~
aionescu
Yep -- if you listen to the talk you'll see I made that joke on purpose :)

------
mmastrac
The content of this presentation is very interesting, but it just serves to
illustrate a distressing slide into the non-ownership of your own devices.
Apple has thankfully not gone too far down this path (beyond gatekeeper at
least).

Why should I give up control of my own devices just so media that'll end up
pirated at some point regardless of the level of protection that Microsoft
throws at the PC can have its own dedicated path to a video card?
