[J-core] Breaking the x86 Instruction Set - Lots of undocumented instructions found in x86 at this year's Black Hat conference

Joh-Tob Schäg johtobsch at gmail.com
Wed Sep 6 11:16:22 EDT 2017


When you prepare a presentation for future j-core talks on why open
hardware is a good idea, you can show several examples of undocumented
instructions in the main processor.
These are sometimes exploitable but not under anybody's control.

The talk is here: https://www.youtube.com/watch?v=KrksBdWcZgQ

TL;DW:

- We test, reverse engineer and disassemble programs because we cannot
  trust them, since software has been shown to be broken.
- We do not do that for CPUs.
- Documentation is full of holes and sometimes introduces new
  instructions to the public many years after they were in silicon.
- The presenter wrote a fuzzer for CPU instructions. It places a blob
  at a page boundary (from executable to non-executable) and executes it. If
  the instruction is longer than what is on the page, he catches the fault
  and shifts everything to the left. That way he can find out which bit
  changes of an instruction change the length of the instruction (a heuristic
  for a change in behavior).
- He found many undocumented instructions.
- He found bugs in disassemblers which parse code wrongly, which allows
  malicious code to be hidden.
- He found an Azure hypervisor detector.
- He found a halt and catch fire instruction among esoteric
  instructions.
- Available on GitHub as sandsifter.

A sandsifter-like tool can be used to compare the actual behavior and the simulated
behavior of a CPU family. That approach might be interesting for j-core too.
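As an added example (not code from the talk, from this post or from the sandsifter project), the page-boundary length probe from the TL;DW and the "actual versus simulated behavior" comparison, simulated in Python: a toy decoder for a small x86-64 subset stands in for the silicon, and the probe only ever observes whether the decoder faulted at the page boundary. The decoder subset, the PageFault model and the "sloppy disassembler" that ignores REX.W are constructed assumptions, not a description of any real disassembler.

```python
# Added example, not code from the talk or the sandsifter project: a simulation of
# the page-boundary length probe with a toy x86-64 decoder standing in for the CPU.
PREFIXES = {0x66, 0x67, 0xF0, 0xF2, 0xF3, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65}
class PageFault(Exception): pass   # modelled CPU touched a byte past the executable page
def toy_cpu_length(fetch, honor_rex_w=True):
    """Decode one instruction via fetch(i) -> byte i and return its length, touching every
    byte it consumes; unknown opcodes raise ValueError (stand-in for #UD).
    honor_rex_w=False models a constructed sloppy disassembler ignoring REX.W on mov r, imm."""
    def need(n): fetch(n - 1); return n          # the CPU must fetch up to the last byte
    i = 0
    while fetch(i) in PREFIXES:                  # legacy prefixes
        i += 1
    rex = fetch(i) if 0x40 <= fetch(i) <= 0x4F else 0
    i += 1 if rex else 0
    op = fetch(i); i += 1
    if op == 0x0F:                               # two-byte map: only 0F 05 (syscall) modelled
        if fetch(i) == 0x05: return need(i + 1)
        raise ValueError("unmodelled 0F opcode")
    if op in (0x90, 0xC3, 0xCC) or 0x50 <= op <= 0x5F:   # nop/ret/int3, push/pop reg
        return need(i)
    if 0xB8 <= op <= 0xBF:                       # mov r, imm32 (imm64 under REX.W)
        return need(i + (8 if honor_rex_w and rex & 8 else 4))
    if op in (0x01, 0x29, 0x31, 0x39, 0x3B, 0x89, 0x8B, 0x8D, 0xFF):  # ModRM forms
        modrm = fetch(i); i += 1
        mod, rm = modrm >> 6, modrm & 7
        if mod != 3 and rm == 4:                 # SIB byte present
            sib = fetch(i); i += 1
            if mod == 0 and (sib & 7) == 5: i += 4       # disp32 with no base register
        if mod == 1: i += 1                      # disp8
        elif mod == 2 or (mod == 0 and rm == 5): i += 4  # disp32 or RIP-relative
        return need(i)
    raise ValueError(f"opcode {op:#04x} not modelled")

def probe_length(candidate, cpu=toy_cpu_length, max_len=15):
    """Sandsifter-style probe: only k bytes of the candidate sit on the executable page.
    A boundary fault means the CPU wanted more, so shift left (k += 1) and retry; the
    first k that does not fault there is the length (None if longer than 15)."""
    buf = bytes(candidate) + b"\x00" * (max_len - len(candidate))
    for k in range(1, max_len + 1):
        def fetch(i, k=k):
            if i >= k: raise PageFault(i)        # byte i lies on the non-executable page
            return buf[i]
        try:
            cpu(fetch)
        except PageFault: continue
        except ValueError: pass                  # #UD: the CPU had already fetched enough
        return k
def disassembler_disagreements(candidates):
    """Probed ('actual') length vs. a simulated disassembler's length, as the talk did."""
    sloppy = lambda fetch: toy_cpu_length(fetch, honor_rex_w=False)
    return [bytes(c).hex() for c in candidates if probe_length(c) != probe_length(c, sloppy)]
```

A mismatch such as `48 b8 imm64` being sized as 6 bytes by the sloppy decoder but 10 by the probe is exactly the kind of parser disagreement a disassembler-correctness test would report.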