flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > God move inside certain x86 processor

Author
sleepsleep



Joined: 05 Oct 2006
Posts: 8334
Location: ˛ Posts: 334455
https://hackaday.com/2019/02/03/unlocking-god-mode-on-x86-processors/

Quote:
We missed this Blackhat talk back in August, but it’s so good we’re glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user/kernel separation mechanisms.


No doubt there are backdoor instructions inside x64 processors too.
Post 04 Feb 2019, 13:30
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16707
Location: In your JS exploiting you and your system
One comment says this:
Quote:


What is with the clickbait title? This exploit only affects ancient VIA C3 CPUs which came out nearly 20 years ago and only some boards with a BIOS which mistakenly leaves it enabled. It is a VIA specific extension so it won’t work on anything else.

It is just a terrible implementation by VIA. They did document this but you needed to sign NDAs and be a big customer to get the documentation. They just referred to it as an “alternate instruction set” designed to be used for debugging and testing. Presumably it would have been used for something like SMM.

If you’re still running a VIA C3 then you need to consider upgrading as they were glacially slow even when brand new.
So it was documented. And the person that "found" this could have simply read the datasheet. I'd be more interested in something that has not been documented.
Post 04 Feb 2019, 17:20
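The comment quoted above makes a point worth turning into a concrete check: a vendor-specific extension can only exist on that vendor's silicon, so before worrying about an "alternate instruction set" the first thing to establish is which CPU you are actually on. The C below is an added example written for this page, not code from the thread, the talk, or VIA; it decodes the CPUID leaf 0 vendor string (returned in EBX, EDX, ECX, in that order) and the leaf 1 family/model/stepping signature, and reports whether the part is a VIA/Centaur CPU, which identifies itself with the vendor string "CentaurHauls". The register values in the test are constructed, and the live query uses the compiler-provided `__get_cpuid` helper from `<cpuid.h>`, so it compiles to a no-op on non-x86 builds.

```c
/* Added example (not from the forum thread): identify the CPU vendor and
 * family/model signature via CPUID. This is the precondition check for any
 * vendor-specific feature: VIA's extension cannot be present on a CPU that
 * does not report VIA's vendor string. Register layouts used here are the
 * architectural ones common to all x86 vendors. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct cpu_id {
    char vendor[13];   /* 12 ASCII bytes from leaf 0 + NUL terminator */
    unsigned family;   /* display family (base + extended, when applicable) */
    unsigned model;    /* display model  (base + extended, when applicable) */
    unsigned stepping;
};

/* Leaf 0 returns the vendor string in EBX, EDX, ECX (that order),
 * four little-endian ASCII bytes per register. */
static void decode_vendor(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13])
{
    uint32_t regs[3] = { ebx, edx, ecx };
    for (int i = 0; i < 3; i++) {
        out[4 * i + 0] = (char)( regs[i]        & 0xff);
        out[4 * i + 1] = (char)((regs[i] >>  8) & 0xff);
        out[4 * i + 2] = (char)((regs[i] >> 16) & 0xff);
        out[4 * i + 3] = (char)((regs[i] >> 24) & 0xff);
    }
    out[12] = '\0';
}

/* Leaf 1 EAX: stepping[3:0], model[7:4], family[11:8],
 * extended model[19:16], extended family[27:20]. The extended fields are
 * only folded in for family 6 (model) and family 0xF (family and model). */
static void decode_signature(uint32_t eax, struct cpu_id *id)
{
    unsigned base_family = (eax >> 8) & 0xf;
    unsigned base_model  = (eax >> 4) & 0xf;

    id->stepping = eax & 0xf;
    id->family   = base_family;
    id->model    = base_model;
    if (base_family == 0xf)
        id->family += (eax >> 20) & 0xff;
    if (base_family == 0x6 || base_family == 0xf)
        id->model += ((eax >> 16) & 0xf) << 4;
}

/* VIA/Centaur parts, the C3 included, identify themselves with this string. */
static int is_via_centaur(const struct cpu_id *id)
{
    return strcmp(id->vendor, "CentaurHauls") == 0;
}

/* Decode from raw register values; this path can be exercised offline. */
static struct cpu_id cpu_id_from_regs(uint32_t ebx0, uint32_t edx0,
                                      uint32_t ecx0, uint32_t eax1)
{
    struct cpu_id id;
    decode_vendor(ebx0, edx0, ecx0, id.vendor);
    decode_signature(eax1, &id);
    return id;
}

/* Query the running CPU. Returns 1 on success, 0 when CPUID is unavailable
 * (non-x86 build or a leaf 0 that does not advertise leaf 1). */
static int cpu_id_live(struct cpu_id *id)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    decode_vendor(ebx, edx, ecx, id->vendor);
    if (eax < 1 || !__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    decode_signature(eax, id);
    return 1;
#else
    (void)id;
    return 0;
#endif
}

int main(void)
{
    struct cpu_id id;
    if (!cpu_id_live(&id)) {
        puts("CPUID not available on this build");
        return 1;
    }
    printf("vendor=%s family=0x%x model=0x%x stepping=%u via_centaur=%d\n",
           id.vendor, id.family, id.model, id.stepping, is_via_centaur(&id));
    return 0;
}
```

A vendor match only says the extension could exist; whether it is actually enabled is held in model-specific register state, which is reachable only with `rdmsr` at ring 0 (on Linux via the `msr` driver), so that part of the check is not something an unprivileged user-mode program can answer.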
Tomasz Grysztar
Assembly Artist


Joined: 16 Jun 2003
Posts: 7312
Location: Kraków, Poland
revolution wrote:
So it was documented. And the person that "found" this could have simply read the datasheet. I'd be more interested in something that has not been documented.
Then this is another case when he (Christopher Domas) discovered undocumented features that were actually already known and documented somewhere (officially or unofficially). I discussed the earlier case in my post about his processor fuzzing. I value the technique, it is quite clever, but the findings were not impressive.
Post 04 Feb 2019, 17:41
sleepsleep



Joined: 05 Oct 2006
Posts: 8334
Location: ˛ Posts: 334455
Documented, but only available to those who sign an NDA. Most likely there are such instructions in current Intel x86/x64 and ARM too.

These backdoors ain't evil, they're just trying to save the world.
Post 04 Feb 2019, 17:45
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16707
Location: In your JS exploiting you and your system
Sometimes backdoors are not intentional. Sometimes they are meant to do another function and people abuse it. Sometimes they are meant to be overrides intended for a particular market segment where there aren't any users to hack. And I suppose there are times when a backdoor is well and truly designed for the express purpose of giving "authorities" exceptional access.

The problem becomes how to tell what the reason behind it is. The CPU won't tell you why it behaves the way it does. You have to go back to the design and try to intuit the intent of the engineers. Did they just make a mistake, or was it intentional? Were the CPUs sold to the public market segment but meant for someone else's private usage? We might never find out.
Post 04 Feb 2019, 18:30
guignol



Joined: 06 Dec 2008
Posts: 578
Location: /96A
I'm more concerned about
Code:
; This page is intentionally left blank.    


By the way, does anyone know when Unicode will contain basic "mark-up"?
Post 04 Feb 2019, 20:32
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16707
Location: In your JS exploiting you and your system
This post is intentionally left blank
Post 05 Feb 2019, 13:42
guignol



Joined: 06 Dec 2008
Posts: 578
Location: /96A
You could have said you don't know a.. thing, as well.
(always trying to revo something)
(see for it, tom, or you'll end up with f[l]at assembler)
Post 05 Feb 2019, 20:05


Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.