![Page 1: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/1.jpg)
{Breaking the x86 ISA
domas / @xoreaxeaxeax / Black Hat 2017
![Page 2: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/2.jpg)
Christopher Domas
Cyber Security Researcher @
Battelle Memorial Institute
./bio
![Page 3: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/3.jpg)
We don’t trust software.
We audit it
We reverse it
We break it
We sandbox it
Trust.
![Page 4: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/4.jpg)
But the processor itself?
We blindly trust
Trust.
![Page 5: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/5.jpg)
Why?
Hardware hasall the same problems as software
Secret functionality? Appendix H.
Bugs? F00F, FDIV, TSX, Hyperthreading, Ryzen
Vulnerabilities? SYSRET, cache poisoning, sinkhole
Trust.
![Page 6: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/6.jpg)
We should stop
blindly trusting our hardware.
Trust.
![Page 7: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/7.jpg)
What do we need to worry about?
![Page 8: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/8.jpg)
Historical examples
ICEBP (f1)
LOADALL (0f07)
apicall (0ffff0)
Hidden instructions
![Page 9: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/9.jpg)
![Page 10: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/10.jpg)
![Page 11: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/11.jpg)
So… what’s
this??
![Page 12: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/12.jpg)
Find out what’s really there
Goal: Audit the Processor
![Page 13: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/13.jpg)
How to find hidden instructions?
The challenge
![Page 14: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/14.jpg)
Instructions can be one byte …
inc eax
40
… or 15 bytes ...
lock add qword cs:[eax + 4 * eax + 07e06df23h], 0efcdab89h
2e 67 f0 48 818480 23df067e 89abcdef
Somewhere on the order of
1,329,227,995,784,915,872,903,807,060,280,344,576
possible instructions
The challenge
https://code.google.com/archive/p/corkami/wikis/x86oddities.wiki
![Page 15: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/15.jpg)
The obvious approaches don’t work:
Try them all?
Only works for RISC
Try random instructions?
Exceptionally poor coverage
Guided based on documentation?
Documentation can’t be trusted (that’s the point)
Poor coverage of gaps in the search space
The challenge
![Page 16: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/16.jpg)
Goal:
Quickly skip over bytes that don’t matter
The challenge
![Page 17: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/17.jpg)
Observation:
The meaningful bytes of
an x86 instruction impact either
its length or its exception behavior
The challenge
![Page 18: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/18.jpg)
A depth-first-search algorithm
Tunneling
![Page 19: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/19.jpg)
Guess an instruction:
Tunneling
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 20: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/20.jpg)
Execute the instruction:
Tunneling
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 21: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/21.jpg)
Observe its length:
Tunneling
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 22: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/22.jpg)
Increment the last byte:
Tunneling
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 23: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/23.jpg)
Execute the instruction:
Tunneling
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 24: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/24.jpg)
Observe its length:
Tunneling
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 25: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/25.jpg)
Increment the last byte:
Tunneling
00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 26: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/26.jpg)
Execute the instruction:
Tunneling
00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 27: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/27.jpg)
Observe its length:
Tunneling
00 02 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 28: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/28.jpg)
Increment the last byte:
Tunneling
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 29: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/29.jpg)
Execute the instruction:
Tunneling
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 30: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/30.jpg)
Observe its length:
Tunneling
00 03 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 31: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/31.jpg)
Increment the last byte:
Tunneling
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 32: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/32.jpg)
Execute the instruction:
Tunneling
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 33: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/33.jpg)
Observe its length:
Tunneling
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00
![Page 34: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/34.jpg)
Increment the last byte:
Tunneling
00 04 01 00 00 00 00 00 00 00 00 00 00 00 00
![Page 35: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/35.jpg)
Execute the instruction:
Tunneling
00 04 01 00 00 00 00 00 00 00 00 00 00 00 00
![Page 36: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/36.jpg)
Observe its length:
Tunneling
00 04 01 00 00 00 00 00 00 00 00 00 00 00 00
![Page 37: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/37.jpg)
Increment the last byte:
Tunneling
00 04 02 00 00 00 00 00 00 00 00 00 00 00 00
![Page 38: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/38.jpg)
000000000000000000000000000000
000100000000000000000000000000
000200000000000000000000000000
000300000000000000000000000000
000400000000000000000000000000
000401000000000000000000000000
000402000000000000000000000000
000403000000000000000000000000
000404000000000000000000000000
000405000000000000000000000000
000405000000010000000000000000
000405000000020000000000000000
000405000000030000000000000000
000405000000040000000000000000
![Page 39: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/39.jpg)
When the last byte is FF…
Tunneling
C7 04 05 00 00 00 00 00 00 00 FF 00 00 00 00
![Page 40: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/40.jpg)
… roll over …
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 41: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/41.jpg)
... and move to the previous byte
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 42: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/42.jpg)
This byte becomes the marker
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 43: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/43.jpg)
Increment the marker
Tunneling
C7 04 05 00 00 00 00 00 00 01 00 00 00 00 00
![Page 44: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/44.jpg)
Execute the instruction
Tunneling
C7 04 05 00 00 00 00 00 00 01 00 00 00 00 00
![Page 45: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/45.jpg)
Observe its length
Tunneling
C7 04 05 00 00 00 00 00 00 01 00 00 00 00 00
![Page 46: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/46.jpg)
If the length has not changed…
Tunneling
C7 04 05 00 00 00 00 00 00 01 00 00 00 00 00
![Page 47: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/47.jpg)
Increment the marker
Tunneling
C7 04 05 00 00 00 00 00 00 02 00 00 00 00 00
![Page 48: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/48.jpg)
And repeat.
Tunneling
C7 04 05 00 00 00 00 00 00 02 00 00 00 00 00
![Page 49: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/49.jpg)
Continue the process…
Tunneling
C7 04 05 00 00 00 00 00 00 FF 00 00 00 00 00
![Page 50: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/50.jpg)
… moving back on each rollover
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 51: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/51.jpg)
… moving back on each rollover
Tunneling
C7 04 05 00 00 00 00 00 FF 00 00 00 00 00 00
![Page 52: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/52.jpg)
… moving back on each rollover
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 53: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/53.jpg)
…
Tunneling
C7 04 05 00 00 00 00 FF 00 00 00 00 00 00 00
![Page 54: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/54.jpg)
…
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 55: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/55.jpg)
…
Tunneling
C7 04 05 00 00 00 FF 00 00 00 00 00 00 00 00
![Page 56: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/56.jpg)
…
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 57: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/57.jpg)
…
Tunneling
C7 04 05 00 00 FF 00 00 00 00 00 00 00 00 00
![Page 58: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/58.jpg)
…
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 59: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/59.jpg)
…
Tunneling
C7 04 05 00 FF 00 00 00 00 00 00 00 00 00 00
![Page 60: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/60.jpg)
…
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 61: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/61.jpg)
…
Tunneling
C7 04 05 FF 00 00 00 00 00 00 00 00 00 00 00
![Page 62: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/62.jpg)
…
Tunneling
C7 04 05 00 00 00 00 00 00 00 00 00 00 00 00
![Page 63: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/63.jpg)
When you increment a marker…
Tunneling
C7 04 06 00 00 00 00 00 00 00 00 00 00 00 00
![Page 64: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/64.jpg)
… execute the instruction …
Tunneling
C7 04 06 00 00 00 00 00 00 00 00 00 00 00 00
![Page 65: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/65.jpg)
… and the length changes …
Tunneling
C7 04 06 00 00 00 00 00 00 00 00 00 00 00 00
![Page 66: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/66.jpg)
… move the marker to
the end of the new instruction …
Tunneling
C7 04 06 00 00 00 00 00 00 00 00 00 00 00 00
![Page 67: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/67.jpg)
Tunneling
C7 04 06 00 00 00 01 00 00 00 00 00 00 00 00
… and resume the process.
![Page 68: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/68.jpg)
Tunneling through the instruction space
lets us quickly skip over the bytes
that don’t matter,
and exhaustively search the bytes that do…
Tunneling
![Page 69: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/69.jpg)
… reducing the search space
from 1.3x1036 instructions
to ~100,000,000
(one day of
scanning)
Tunneling
![Page 70: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/70.jpg)
Catch:
requires knowing the instruction length
Instruction lengths
![Page 71: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/71.jpg)
Simple approach: trap flag
Fails to resolve the length of faulting instructions
Necessary to search privileged instructions:
ring 0 only: mov cr0, eax
ring -1 only: vmenter
ring -2 only: rsm
Instruction lengths
![Page 72: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/72.jpg)
Solution: page fault analysis
Instruction lengths
![Page 73: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/73.jpg)
Choose a candidate instruction
(we don’t know how long this instruction is)
Page fault analysis
0F 6A 60 6A 79 6D C6 02 6E AA D2 39 0B B7 52
![Page 74: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/74.jpg)
Configure two consecutive pages in memory
The first with read, write, and execute permissions
The second with read, write permissions only
Page fault analysis
![Page 75: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/75.jpg)
Place the candidate instruction in memory
Place the first byte at the end of the first page
Place the remaining bytes at the start of the second
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 76: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/76.jpg)
Execute (jump to) the instruction.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 77: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/77.jpg)
The processor’s instruction decoder checks
the first byte of the instruction.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 78: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/78.jpg)
If the decoder determines that another byte is
necessary, it attempts to fetch it.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 79: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/79.jpg)
This byte is on a non-executable page,
so the processor generates a page fault.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 80: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/80.jpg)
The #PF exception provides
a fault address in the CR2 register.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 81: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/81.jpg)
If we receive a #PF, with CR2 set
to the address of the second page,
we know the instruction continues.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 82: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/82.jpg)
Move the instruction back one byte.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 83: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/83.jpg)
Execute the instruction.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 84: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/84.jpg)
The processor’s instruction decoder checks
the first byte of the instruction.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 85: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/85.jpg)
If the decoder determines that another byte is
necessary, it attempts to fetch it.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 86: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/86.jpg)
Since this byte is in an executable page,
decoding continues.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 87: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/87.jpg)
If the decoder determines that another byte is
necessary, it attempts to fetch it.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 88: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/88.jpg)
This byte is on a non-executable page,
so the processor generates a page fault.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 89: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/89.jpg)
Move the instruction back one byte.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 90: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/90.jpg)
Execute the instruction.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 91: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/91.jpg)
Continue the process while
we receive #PF exceptions
with CR2 = second page address
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 92: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/92.jpg)
Move the instruction back one byte.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 93: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/93.jpg)
Execute.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 94: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/94.jpg)
Eventually, the entire instruction
will reside in the executable page.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 95: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/95.jpg)
The instruction could run.
The instruction could throw a different fault.
The instruction could throw a #PF,but with a different CR2.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 96: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/96.jpg)
In all cases, we know the instruction has been
successfully decoded, so must reside entirely
in the executable page.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 97: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/97.jpg)
With this, we know the instruction’s length.
Page fault analysis
0F 6A 60 6A 79 6D C6 02 …
![Page 98: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/98.jpg)
We now know how many bytes the
instruction decoder consumed
But just because the bytes were decodeddoes not mean the instruction exists
If the instruction does not exist,
the processor generates the #UD exception
after the instruction decode
(invalid opcode exception)
Page fault analysis
![Page 99: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/99.jpg)
If we don’t receive a #UD, the instruction exists.
Page fault analysis
![Page 100: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/100.jpg)
Resolves lengths for:
Successfully executing instructions
Faulting instructions
Privileged instructions:
ring 0 only: mov cr0, eax
ring -1 only: vmenter
ring -2 only: rsm
Page fault analysis
![Page 101: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/101.jpg)
The “injector” process performs
the page fault analysis and
tunneling instruction generation
The Injector
![Page 102: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/102.jpg)
We’re fuzzing the same
device that we’re running on
How do we make sure we don’t crash?
Surviving
![Page 103: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/103.jpg)
Step 1:
Limit ourselves to ring 3
We can still resolve instructions
living in deeper rings
This prevents accidental total system failure
(except in the case of serious processor bugs)
Surviving
![Page 104: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/104.jpg)
Step 2:
Hook all exceptions the instruction might generate
In Linux:
SIGSEGV
SIGILL
SIGFPE
SIGBUS
SIGTRAP
Process will clean up after itself when possible
Surviving
![Page 105: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/105.jpg)
Step 3:
Initialize general purpose registers to 0
Arbitrary memory write instructions like
add [eax + 4 * ecx], 0x9102
will not hit the injecting process’s address space
Surviving
![Page 106: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/106.jpg)
Step 3 (continued):
Memory calculations using an offset:
add [eax + 4 * ecx + 0xf98102cd6], 0x9102
would still result in non-zero accesses
Could lead to process corruption
if the offset falls into the injector’s address space
Surviving
![Page 107: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/107.jpg)
Step 3 (continued):
The tunneling approach ensures
offsets are constrained
0x0000002F
0x0000A900
0x00420000
0x1E000000
The tunneled offsets will not fall into
the injector’s address space
They will seg fault, but seg faults are caught
The process still won’t corrupt itself
Surviving
![Page 108: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/108.jpg)
We’ve handled faulting instructions
What about non-faulting instructions?
The analysis needs to continue
after an instruction executes
Surviving
![Page 109: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/109.jpg)
Set the trap flag prior to
executing the candidate instruction
On trap, reload the registers to a known state
Surviving
![Page 110: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/110.jpg)
With these…
Ring 3
Exception handling
Register initialization
Register maintenance
Execution trapping
… the injector survives.
Surviving
![Page 111: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/111.jpg)
So we now have a way to search the
instructions space.
How do we make senseof the instructions we execute?
Analysis
![Page 112: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/112.jpg)
The “sifter” process parses
the executions from the injector,
and pulls out the anomalies
The Sifter
![Page 113: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/113.jpg)
We need a “ground truth”
Use a disassembler
It was written based on the documentation
Capstone
Sifting
![Page 114: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/114.jpg)
Undocumented instruction:
Disassembler doesn’t recognize byte sequence and …
Instruction generates anything but a #UD
Software bug:
Disassembler recognizes instruction but …
Processor says the length is different
Hardware bug:
???
No consistent heuristic, investigate when something fails
Sifting
![Page 115: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/115.jpg)
sandsifter - demo
![Page 116: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/116.jpg)
(sandsifter)
![Page 117: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/117.jpg)
(summarizer)
![Page 118: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/118.jpg)
We now have a way to
systematically scan our processor
for secrets and bugs
Scanning
![Page 119: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/119.jpg)
I scanned eight systems in my test library.
Scanning
![Page 120: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/120.jpg)
Hidden instructions
Ubiquitous software bugs
Hypervisor flaws
Hardware bugs
Results
![Page 121: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/121.jpg)
Hidden instructions
![Page 122: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/122.jpg)
Scanned: Intel Core i7-4650U CPU
Intel hidden instructions
![Page 123: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/123.jpg)
0f0dxx
Undocumented for non-/1 reg fields
0f18xx, 0f{1a-1f}xx
Undocumented until December 2016
0fae{e9-ef, f1-f7, f9-ff}
Undocumented for non-0 r/m fields until June 2014
Intel hidden instructions
![Page 124: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/124.jpg)
dbe0, dbe1
df{c0-c7}
f1
{c0-c1}{30-37, 70-77, b0-b7, f0-f7}
{d0-d1}{30-37, 70-77, b0-b7, f0-f7}
{d2-d3}{30-37, 70-77, b0-b7, f0-f7}
f6 /1, f7 /1
Intel hidden instructions
![Page 125: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/125.jpg)
Scanned: AMD Athlon (Geode NX1500)
AMD hidden instructions
![Page 126: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/126.jpg)
0f0f{40-7f}{80-ff}{xx}
Undocumented for range of xx
dbe0, dbe1
df{c0-c7}
AMD hidden instructions
![Page 127: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/127.jpg)
Scanned: VIA Nano U3500, VIA C7-M
VIA hidden instructions
![Page 128: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/128.jpg)
0f0dxx
Undocumented by Intel for non-/1 reg fields
0f18xx, 0f{1a-1f}xx
Undocumented by Intel until December 2016
0fa7{c1-c7}
0fae{e9-ef, f1-f7, f9-ff}
Undocumented by Intel for non-0 r/m fields until June 2014
dbe0, dbe1
df{c0-c7}
VIA hidden instructions
![Page 129: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/129.jpg)
What do these do?
Some have been reverse engineered
Some have no record at all.
Hidden instructions
![Page 130: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/130.jpg)
Software bugs
![Page 131: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/131.jpg)
Issue:
The sifter is forced to use a disassembler
as its “ground truth”
Every disassembler we tried as the
“ground truth” was littered with bugs.
Software bugs
![Page 132: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/132.jpg)
Most bugs only appear in a few tools,
and are not especially interesting
Some bugs appeared in all tools
These can be used to an attacker’s advantage.
Software bugs
![Page 133: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/133.jpg)
66e9xxxxxxxx (jmp)
66e8xxxxxxxx (call)
Software bugs
![Page 134: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/134.jpg)
66e9xxxxxxxx (jmp)
66e8xxxxxxxx (call)
In x86_64
Theoretically, a jmp (e9) or call (e8),
with a data size override prefix (66)
Changes operand size from default of 32
Does that mean 16 bit or 64 bit?
Neither. 66 is ignored by the processor here.
Software bugs
![Page 135: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/135.jpg)
Everyone parses this wrong.
Software bugs
![Page 136: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/136.jpg)
Software bugs (IDA)
![Page 137: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/137.jpg)
Software bugs (VS)
![Page 138: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/138.jpg)
An attacker can use this to
mask malicious behavior
Throw off disassembly and jump targets
to cause analysis tools to miss the real behavior
Software bugs
![Page 139: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/139.jpg)
Software bugs (objdump)
![Page 140: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/140.jpg)
Software bugs (QEMU)
![Page 141: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/141.jpg)
66 jmp
Why does everyone get this wrong?
AMD: override changes operand to 16 bits,
instruction pointer truncated
Intel: override ignored.
Software bugs
![Page 142: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/142.jpg)
Issues when we can’t agree on a standard
sysret bugs
Either Intel or AMD is going to be
vulnerable when there is a difference
Impractically complex architecture
Tools cannot parse a jump instruction
Software bugs
![Page 143: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/143.jpg)
Hypervisor bugs
![Page 144: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/144.jpg)
In an Azure instance,
the trap flag is missed
on the cpuid instruction (cpuid causes a vmexit,
and the hypervisor forgets
to emulate the trap)
Azure hypervisor bugs
![Page 145: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/145.jpg)
Azure hypervisor bugs
![Page 146: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/146.jpg)
Hardware bugs
![Page 147: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/147.jpg)
Hardware bugs are troubling
A bug in hardware means
you now have the same bug
in all of your software.
Difficult to find
Difficult to fix
Hardware bugs
![Page 148: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/148.jpg)
Scanned:
Quark, Pentium, Core i7
Intel hardware bugs
![Page 149: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/149.jpg)
f00f bug on Pentium (anti-climactic)
Intel hardware bugs
![Page 150: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/150.jpg)
Scanned:
Geode NX1500, C-50
AMD hardware bugs
![Page 151: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/151.jpg)
On several systems,
receive a #UD exception
prior to complete instruction fetch
Per AMD specifications, this is incorrect.
#PF during instruction fetch takes priority
… until …
AMD hardware bugs
![Page 152: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/152.jpg)
![Page 153: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/153.jpg)
Scanned:
TM5700
Transmeta hardware bugs
![Page 154: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/154.jpg)
Instructions: 0f{71,72,73}xxxx
Can receive #MF exception during fetch
Example:
Pending x87 FPU exception
psrad mm4, -0x50 (0f72e4b0)
#MF received after 0f72e4 fetched
Correct behavior: #PF on fetch,
last byte is still on invalid page
Transmeta hardware bugs
![Page 155: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/155.jpg)
Found on one processor...
An apparent “halt and catch fire” instruction Single malformed instruction in ring 3
locks the processor
Tested on 2 Windows kernels, 3 Linux kernels
Kernel debugging, serial I/O,interrupt analysis seem to confirm
Unfortunately, not finished with responsible disclosure
No details available on chip, vendor, or instructions
(redacted) hardware bugs
![Page 156: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/156.jpg)
rin
g 3
pro
ce
ss
or D
oS
:
de
mo
![Page 157: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/157.jpg)
First such attack found in 20 years
(since Pentium f00f)
(redacted) hardware bugs
![Page 158: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/158.jpg)
Significant security concern:
processor DoS from unprivileged user
(redacted) hardware bugs
![Page 159: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/159.jpg)
Details (hopefully) released within the next month
(stay tuned)
(redacted) hardware bugs
![Page 160: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/160.jpg)
Open sourced:
The sandsifter scanning tool
github.com/xoreaxeaxeax/sandsifter
Audit your processor,
break disassemblers/emulators/hypervisors,
halt and catch fire, etc.
Conclusions
![Page 161: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/161.jpg)
I’ve only scanned a few systems
This is a fraction of what I found on mine
Who knows what exists on yours
Conclusions
![Page 162: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/162.jpg)
Check your system
Send us results if you can
Conclusions
![Page 163: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/163.jpg)
Don’t blindly trust the specifications.
Conclusions
![Page 164: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/164.jpg)
Sandsifter lets us introspect
the black box at the heart of our systems.
Conclusions
![Page 165: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/165.jpg)
github.com/xoreaxeaxeax
sandsifter
M/o/Vfuscator
REpsych
x86 0-day PoC
Etc.
Feedback? Ideas?
domas
@xoreaxeaxeax
![Page 166: Domas-Breaking-The-x86-ISA.pdf - Black Hat | Home · Breaking the x86 ISA domas / @xoreaxeaxeax / Black Hat 2017](https://reader031.vdocuments.site/reader031/viewer/2022020416/5c7fdfb909d3f293438c0a4c/html5/thumbnails/166.jpg)