Breaking the x86 instruction set: secret instructions on our hardware
primesuspect
Beepin n' BoopinDetroit, MI Icrontian
in Hardware
Comments
A lot of this was WAY over my head, but yeah. Incredibly interesting, if not moderately terrifying.
tl;dw?
Intel has a set of documents detailing the CPU instructions. There are one or more appendices that are only available if you know the secret handshake. This guy figured out a way to poke at the CPU to get an idea of some of these instructions.
He was also able to find a single, completely undocumented instruction that, when executed on a particular processor (he hasn't named it yet because they haven't had a chance to respond) will hard-lock it. Not CPU busy, spinlock, etc, but full on processor stop.
This wouldn't be so terrifying if that instruction wasn't accessible through ring3, aka unprivileged userland.
I always wondered why we couldn't just naively fuzz the CPU and discover hidden features. I guess over an undecillion (10^36) possible instructions are why.
Yeah, 20+ years ago in the 8088, and maybe up to the i386 days, maybe. But now, with all the extensions that have been added, it's an insane amount of stuff crammed into there.
This is super neat. I was especially interested to hear him talk about that DoS in the one processor.
I watched the whole thing and am neither surprised nor alarmed. x86 is the quintessential CISC architecture, its huge instruction set is comparable to a rolling toolchest filled with single-purpose specialty tools. Contrast with RISC architectures like ARM and Power that are more like toolboxes that have what you need to do most things and, skillfully-used together, can do the same things as the specialty tools though perhaps not as quickly or easily. There's bound to be some tools in the CISC toolchest that are broken, aren't quite right, do different things under different circumstances, or you can't figure out what they're for. Most of the stuff you use is right on top though so it's not something you really worry about.
Regardless of what kind of tools you use, the key to avoiding problems is not letting bad or negligent people into your house and use your tools.
While I definitely agree with the sentiment, in the context of security it can be pretty alarming that there are calls that are accessible that you don't know how they're supposed to work. This is mostly for security critical items and like you said protecting yourself against bad or negligent people is the big first step. Just not always easy.
They're not your tools if the only person who knows about them is the guy breaking into your house. Makes you wonder who the tools were designed for, anyway.
With things like Broadpwn and Intel ME vulnerabilities, these aren't merely academic concerns.
Right. The particular CPU DoS he demonstrated in this video would be trivial for a malicious person to include in a bad ad. It doesn't need privilege escalation, which is a very bad thing ™