Breaking the x86 Instruction Set | Video instructions

Breaking the x86 Instruction Set

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we’ll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset.

Full Abstract & Presentation Materials:

About the author


  1. A lot of these "instructions" are just logic gaps created due top the way that the decoding logic within the CPU works. The reason the aren't documented is they aren't intended and can change at any time … like when they fee like adding a new instruction to do something useful. This was very common and somewhat popular with very old 8 and 16 bit processors such as the "illegal" instructions in the 6502 that were exploited by many development shops. Some times the logic combination allowed the developers to do something "useful" in a possibly faster way as maybe two sets of logic were activated at once. Unless they add extra logic to block out these "undocumented" commands they will still exist. The downside of blocking them goes to the same issue he was talking about with the possible scan surface of trying to find all possible instructions that could be upwards of 15 bytes or more.

    And trying to block that logic out of the CPU architecture requires more silicone which uses more power and generates more heat and creates a possibility of even more bugs being introduced by accident.

  2. i think the tunneling algorithm is clever, but i don't agree that this exhausts instructions. obviously, it doesn't. the idea is maybe it does, if x86 was designed "sanely". but anyone who has read the instruction set manuals at all doubts this..

  3. Can we make a kernel driver that could detect any undocumented instructions on any program in runtime by virtualizing the whole cpu on the lowest level without the help of cpu virtualization technologies?

  4. Intel could still have some completely random bytes instruction that gives you ring-3 or smth for all we know.. or have something hidden and just throwing a #UD exception

  5. One thing I don't like about this approach is that he doesn't even try to analyze what's going on processor pins, physically I mean. How do you know it's locked? Because it doesn't respond to the keyboard? Maybe there is still a lot of other activities happening on the data and/or address buses and what not. Especially with modern SoC processors that have a lot of built-in periphery on the chip.

  6. Proprietary hidden instruction sets within the manufactures' reserved and privileged hardware registers… Hmm, it doesn't seem or appear to be sinister at all! What I get out of this: before any software including an operating system is installed onto your new hardware, there is already embedded spyware on your system that you can't get rid of! How do we not know that these manufacturers are not monitoring every single thing we do so as long as you are connected to the internet through hidden embedded remote protocols that we can never see nor access? And this is just in the Desktop and Server domains… now imagine the portable device domains such as laptops, tablets, and smartphones where most of them today have builtin wifi and Bluetooth… This doesn't even account for other various devices such as appliances, electronic devices such as TVs, DVD players, Bluray players, stereo receivers and the such, nor does it account for embedded devices found in your automobiles and other things…

  7. If you were going to make a backdoor, How would you do it? Possible with 2 or more differant instructions in tandem, creating a false page fault or it might effect something completely hidden or not monitored. There is a backdoor here somewhere but its going to be very well hidden.

  8. I knew of LoadAll when I was around 10-14. I don't know why he says it's undocumented or unacknowledged, but I can guarantee that that wasn't the case in the early 90s. Very weird. The appropriate opposite is SaveAll. Doesn't work in ring3, iirc. Works in DOS, of course. Preferred it over pushA for some reason, but I don't remember.

  9. This is truly disturbing. This guy was able to do this single handed (of course we can assume that a lot of people helped him, im too lazy to watch the video again to see if he said that he was not alone in this project), imagine what a group of malicious people, that literally do this all day, can actually do? I imagined these "malicious people" have literally all the backdoors in every single [Intel, Amd] hardware (processors) . If they were to find and fix a vulnerability, the "malicious people" still have the rest. But what do i know 🙂 im just a student, and I am sorry for my english, I hope you still be able to get my concerning point.

  10. His search scheme seems to exclude some possibilities. From what he described, if say 00 xx is a two-byte instruction, he checks 00-FF for xx. Then he goes back and checks the length of 01. If it's also two bytes as before, he then doesn't search 01 xx, assuming that the last byte won't do anything special. But what if 01 00 is a three-byte instruction, or 01 23 is a three-byte instruction?

    Essentially, he seems to assume that there won't be two different types of instructions of the same length, next to each other in his search order. That is, if say 00 is a two-byte instruction, 01 is a one-byte instruction, and then 02 is a two-byte instruction, he will properly search both two byte instructions' second bytes, but if instead 00 and 01 are the two-byte instructions, he won't search the second one.

    Later he says he has the instruction at the end of a page to use a page fault to detect instruction length. I'd be wary of trusting that mechanism, especially for hidden instructions. I'm sure I've read errata for processors where instructions near or crossing a page boundary have issues.

Leave a Reply

Your email address will not be published. Required fields are marked *