Breaking the x86 Instruction Set

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset.

Full Abstract & Presentation Materials:
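The page-fault trick the abstract refers to, as an added example that is not code from the talk or its tooling: it finds an instruction's length by placing the candidate bytes so they end exactly at the start of a non-executable page, then moving the start back one byte at a time until the instruction executes instead of faulting on fetch. It assumes Linux on x86-64 with 4 KiB pages and a candidate that is safe to run once; the trap flag (set by the stub that precedes the candidate) is what distinguishes "it executed" from "the fetch crossed into the NX page", and `instr_length`, `set_tf` and the other names are this example's own.

```c
/* Added example (not code from the talk or its tooling): find an x86-64
 * instruction's length with the NX page-fault trick. Assumes Linux/x86-64, 4 KiB pages. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#define PAGE 4096
static sigjmp_buf jb;
static volatile int sig_seen; static volatile uintptr_t fault_addr;
static void on_signal(int sig, siginfo_t *si, void *ctx) {
    (void)ctx;
    sig_seen = sig;
    fault_addr = (uintptr_t)si->si_addr;
    siglongjmp(jb, 1);   /* abandon the faulting or trapped instruction */
}
/* Length of the instruction at bytes[0..n), or -1 if it never ran cleanly. */
int instr_length(const uint8_t *bytes, int n) {
    /* pushfq; orq $0x100,(%rsp); popfq: sets TF, so a single-step #DB (SIGTRAP)
     * fires after the instruction that follows popfq, i.e. after the candidate. */
    static const uint8_t set_tf[] = {0x9C, 0x48, 0x81, 0x0C, 0x24, 0, 1, 0, 0, 0x9D};
    uint8_t *base = mmap(NULL, 2 * PAGE, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    uint8_t *nx_page = base + PAGE;
    mprotect(nx_page, PAGE, PROT_NONE);       /* any fetch from here faults */
    struct sigaction sa = {0}, old_segv, old_trap;
    sa.sa_sigaction = on_signal; sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGTRAP, &sa, &old_trap);
    volatile int result = -1;
    for (volatile int k = 1; k <= n && result < 0; k++) {
        uint8_t *cand = nx_page - k, *stub = cand - sizeof set_tf;  /* k bytes before the boundary */
        memcpy(stub, set_tf, sizeof set_tf);
        memcpy(cand, bytes, k);
        if (sigsetjmp(jb, 1) == 0)
            ((void (*)(void))stub)();         /* run the stub, then the candidate */
        else if (sig_seen == SIGTRAP)
            result = k;                       /* it executed: k bytes suffice */
        else if (sig_seen != SIGSEGV || fault_addr != (uintptr_t)nx_page)
            break;                            /* unrelated fault: give up */
        /* else the fetch crossed into the NX page: it needs more bytes */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGTRAP, &old_trap, NULL);
    munmap(base, 2 * PAGE);
    return result;
}
```

A candidate that faults for its own reasons (an invalid opcode, a bad memory operand) shows up as a signal other than the boundary #PF and is reported as -1, which is the same class of outcome the talk's fuzzer sorts separately.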
Comments

This guy is impressively good at what he does.

ppp

The use of No Execute on memory to find instruction length made me go "oh man" out loud. Genius.

tspshilt

Oh man, that page fault analysis is genius.

NiKi-hlzs

I am jealous. Not only is this guy much more capable of mentally processing this complex information than I am, he's also incredibly good at presenting it!

JDManring

It's kind of scary how good some of these guys are at figuring these things out.

wildwest

They should crowdsource the undocumented instructions the same way that PassMark gets benchmarks. Everyone uploads the results and a website shows a nice breakdown of which instructions run on what.

wiipronhi

I just keep thinking how poor Terry Davis has wasted all his time.

He needs to make his own silicon as well as his own compiler and OS.

axeman

With Intel's ZombieLoad, PlunderVolt, Meltdown and more severe vulnerabilities these days, this video is more relevant than ever.

TheOz

It looks like the "halt and catch fire" instruction he describes starting at 38:46 was never described publicly, at least that I could find. As he explains in this talk, there was no time for vendors to address the issue under responsible disclosure, so he couldn't give all the details at Black Hat 2017, but I couldn't find any reference to publications in the following months as he said would happen. There's a question about it on the Reverse Engineering StackOverflow site, but no one seems to know. I'm not particularly looking for a way to execute this instruction, but I'm curious to know if any mitigation was possible for CPUs that had already shipped. If anyone knows and has a reference, this would be much appreciated.

desmond-hawkins

Goddamn, did Intel send assassins after this guy or what?

ShadyNetworker

My god, that page fault technique is so awesome. So clever.

sangamo

I should imagine a lot of these undocumented instructions would be work in progress, perhaps left there for eventual future use, perhaps used to reduce the cost of prototyping, but the coordination between x86 manufacturers does raise some serious concerns. These could be anything from hyperoptimised inverse square root calculations to deliberate holes in x86 security, put in place for "the right people"... See "idiocy of back doors"...

It could also be as simple as Micro$oft (or Apple?) paying them a handsome sum of money to implement a custom instruction set just for them without telling anyone.

kosta

This is why open source is so important. I would love to see a viable open CPU alternative emerge, on the scale of Linux in the software world. It's not impossible, but it would be a much different and more challenging problem to solve.

ruthlessadmin

Really good. Having done some Z80 programming once upon a time, I know that some undocumented instructions are merely side effects of the microcode and not necessarily intentional. But the point is to figure out the instructions that really are intentional and undocumented.

Unintentional undocumented instructions could of course be fun too if you want to do some "smart" programming, but don't expect them to work in the next generation of processors.

ehsnils

It's good to see Black Hat uploading videos unlike the other popular tech conference.

kopuz.co.uk.

Maybe a stupid question, but how does the cursor keep blinking if the CPU is locked up?

bkiffter

Undocumented instructions have been around at least since the Z80 and perhaps before then. This is an 8-bit CPU which uses a separate 16-bit address bus.

The Z80 has two 16-bit index registers, IX and IY, intended solely for indirectly accessing memory, but people noticed that the binary code for accessing these registers was just one byte to say "Use IX" or "Use IY" followed by exactly the same instructions used to access the HL register pair, which are two 8-bit registers which can be used together as a 16-bit address.

Since the H and L registers can be used as separate 8-bit registers, people decided to try adding the "Use IX" or "Use IY" byte in front of the 8-bit H or L register instructions and discovered that they could access IXH, IXL, IYH and IYL as 8-bit registers.

Many programmers then wrote an include file which defined these undocumented instructions as macros so they could use them directly in their programs.

JasonMasters

Finally! Someone speaking at a tech event who isn't a stuttering incompetent mess onstage!

edmund-osborne

A brilliant talk showing persistence and out of the box thinking. As pointed out, the time is well past for trusting the docs of closed hardware designs!

I need to go now and think about working the ideas into my disasm and emulator.

rogerflores

This is so well done in every aspect. There are smart people, and there are people like this, who go beyond that. Well performed presentation.
As of 2021 I find surprisingly little follow-up info on that Halt and Catch Fire instruction - dunno if that's me sucking at searching or the disclosure still applying.

jemakrol