[J-core] Breaking the x86 Instruction Set - Lots of undocumented instructions found in x86 at this year's Black Hat conference
Joh-Tob Schäg
johtobsch at gmail.com
Wed Sep 6 11:16:22 EDT 2017
When you prepare a presentation for future j-core talks on why open
hardware is a good idea you can show several examples of undocumented
instructions in the main processor.
These sometimes are exploitable but not under anybody's control.
The talk is here: https://www.youtube.com/watch?v=KrksBdWcZgQ
TL;DW:
- We test, reverse engineer and disassemble programs because we cannot
trust them, because software is shown to be broken.
- We do not do that for CPUs.
- Documentation is full of holes and sometimes introduces new
instructions to the public many years after they were in silicon.
- The presenter wrote a fuzzer for CPU instructions. It places a blob
at a page boundary (from executable to non-executable) and executes it. If
the instruction is longer than what is on the page, he catches the fault
and shifts everything to the left. That way he can find out which bit
changes of an instruction change the length of the instruction (a heuristic
for a change in behavior).
- He found many undocumented instructions
- He found bugs in disassemblers which parse code wrongly, which allows
hiding malicious code.
- Found an Azure hypervisor detector.
- He found a halt and catch fire instruction on an esoteric
instruction set.
- available on GitHub as sandsifter
A sandsifter-like tool can be used to compare the actual behavior and the simulated
behavior of a CPU family. That approach might be interesting for j-core too.
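The page-boundary trick the post describes can be shown in a few dozen lines. The following is an added example written for this summary; it is not sandsifter's own code and not part of the original mail. It maps an executable page followed by a PROT_NONE page, places the candidate bytes so that they end exactly at the boundary, jumps to them, and inspects the resulting signal: if the CPU faults while still fetching the instruction (RIP unchanged, faulting address equal to the boundary), the bytes are incomplete and one more byte is slid onto the executable page; any other outcome (execution followed by a fetch of the next instruction, #UD, or an operand fault) means the decoder had everything it needed. It assumes Linux on x86-64 (glibc's `gregs[16]` slot is RIP) and returns -1 on any other platform or when an RWX mapping is refused. The encodings in `main` are constructed samples, not bytes from the talk. Comparing what this reports against what a disassembler or simulator reports for the same bytes is the kind of silicon-versus-model check the post suggests for j-core.

```c
/* Added example: page-boundary instruction-length probe (not sandsifter's code).
 * Linux/x86-64 only; probe_length() returns -1 where probing is unavailable. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define MAX_INSN_LEN 15   /* architectural x86 instruction-length limit */
#define RIP_INDEX    16   /* glibc's REG_RIP slot in gregs[] on x86-64 (assumption) */

static sigjmp_buf g_env;
static uint8_t g_altstack[1 << 16];          /* handler runs here even if rsp was clobbered */
static volatile uintptr_t g_start, g_boundary;
static volatile int g_complete;              /* 1: CPU consumed every byte it needed */

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
#if defined(__linux__) && defined(__x86_64__)
    ucontext_t *uc = (ucontext_t *)ctx;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[RIP_INDEX];
    /* Fault raised by the instruction fetch itself: RIP still points at the
     * probe start and the faulting address is the first byte past the page. */
    if (sig == SIGSEGV && rip == g_start && (uintptr_t)si->si_addr == g_boundary)
        g_complete = 0;
    else
        g_complete = 1;  /* ran and fetched past the boundary, #UD, or an operand fault */
#else
    (void)sig; (void)si; (void)ctx;
#endif
    siglongjmp(g_env, 1);
}

/* Number of bytes the CPU needs for the instruction at insn, 0 if it needs
 * more than the n bytes supplied, -1 if probing is unavailable here. */
int probe_length(const uint8_t *insn, size_t n)
{
#if !(defined(__linux__) && defined(__x86_64__))
    (void)insn; (void)n;
    return -1;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    if (mprotect(base + page, page, PROT_NONE) != 0) {   /* second page: no fetch allowed */
        munmap(base, 2 * page);
        return -1;
    }
    stack_t ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_sp = g_altstack;
    ss.ss_size = sizeof g_altstack;
    sigaltstack(&ss, NULL);
    struct sigaction sa, old[5];
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    const int sigs[5] = { SIGSEGV, SIGILL, SIGBUS, SIGFPE, SIGTRAP };
    for (int i = 0; i < 5; i++)
        sigaction(sigs[i], &sa, &old[i]);

    int result = 0;
    g_boundary = (uintptr_t)(base + page);
    if (n > MAX_INSN_LEN)
        n = MAX_INSN_LEN;
    /* Start with one byte on the executable page and slide left one byte at a time. */
    for (size_t len = 1; len <= n; len++) {
        uint8_t *start = base + page - len;
        memset(base, 0xCC, page);            /* int3 filler, never reached: we jump to start */
        memcpy(start, insn, len);
        g_start = (uintptr_t)start;
        g_complete = 1;                      /* a plain return (e.g. 'ret') also counts as executed */
        if (sigsetjmp(g_env, 1) == 0)
            ((void (*)(void))g_start)();
        if (g_complete) {
            result = (int)len;
            break;
        }
    }
    for (int i = 0; i < 5; i++)
        sigaction(sigs[i], &old[i], NULL);
    munmap(base, 2 * page);
    return result;
#endif
}

int main(void)
{
    /* Constructed sample encodings for the demo, not bytes from the talk. */
    const uint8_t nop1[] = { 0x90 };
    const uint8_t nop5[] = { 0x0F, 0x1F, 0x44, 0x00, 0x00 };   /* 5-byte nop */
    const uint8_t mov[]  = { 0x48, 0x89, 0xC0 };               /* mov rax, rax */
    printf("nop=%d nop5=%d mov=%d truncated-mov=%d\n",
           probe_length(nop1, sizeof nop1), probe_length(nop5, sizeof nop5),
           probe_length(mov, sizeof mov), probe_length(mov, 2));
    return 0;
}
```

The probe only measures length; a full fuzzer drives it over mutated byte strings and flags the inputs where the silicon's answer disagrees with the disassembler's. A memory operand that happens to address the boundary page would be misread as an incomplete fetch, which is why the real tool also single-steps and looks at more of the signal context than this sketch does.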