This guy is impressively good at what he does.

The use of No Execute on memory to find instruction length made me go "oh man" out loud. Genius.

Oh man, that page fault analysis is genius.

I am jealous. Not only is this guy much more capable of mentally processing this complex information than I am, he's also incredibly good at presenting it!

its kind of scary how good some of these guys are at figuring these things out

With Intel's ZombieLoad, PlunderVolt, Meltdown and more severe vulnerabilities these days, this video is more relevant than ever

they should crowdsource the undocumented instructions the same way that pass mark gets benchmarks. Everyone uploads the results and a website shows a nice breakdown of what instruction run on what.

I just keep thinking how poor Terry Davis has wasted all his time. He needs to make his own silicon as well as his own compiler and OS.

Goddamn, did Intel send assassins after this guy or what?

My god that page fault technique is so awesome. So clever

This is why open source is so important. I would love to see a viable open CPU alternative emerge, on the scale of Linux in the software world. It's not impossible, but it would be a much different and more challenging problem to solve.

It's good to see Black Hat uploading videos unlike the other popular tech conference.

Neat talk!

Really good. Having done some Z80 programming once upon a time I know that some undocumented instructions are merely side effects of the microcode and not necessarily intentional. But the point is to figure out the instructions that really are intentional and undocumented. Unintentional undocumented instructions could of course be fun too if you want to do some "smart" programming, but don't expect them to work in the next generation of processors.

It looks like the "halt and catch fire" instruction he describes starting at 38:46 was never described publicly, at least that I could find. As he explains in this talk there was no time for vendors to address the issue under responsible disclosure so he couldn't give all the details at Black Hat 2017, but I couldn't find any reference to publications in the following months as he said would happen. There's a question about it on the Reverse Engineering StackOverflow site, but no one seems to know. I'm not particularly looking for a way to execute this instruction, but I'm curious to know if any mitigation was possible for CPUs that had already shipped. If anyone knows and has a reference this would be much appreciated.

This is so well done in every aspect. There are smart people and there are people like this, that goes beyond that. Well performed presentation. As of 2021 I find surprisingly little follow up info on that Halt and Catch Fire instruction - dunno if that's me sucking in searching or that the disclosure still apply.

A brilliant talk showing persistence and out of the box thinking. As pointed out, the time is well past for trusting the docs of closed hardware designs! I need to go now and think about working the ideas into my disasm and emulator.

I should imagine a lot of these undocumented instructions would be work in progress, perhaps left there for eventual future use, perhaps used to reduce the cost of prototyping, but the coordination between x86 manufacturers does raise some serious concerns. These could be anything from hyperoptimised inverse square root calculations to deliberate holes in x86 security, put in place for "the right people"... See "idiocy of back doors"... It could also be as simple as Micro$oft (or Apple?) paying them a handsome sum of money to implement a custom instruction set just for them without telling anyone.

Wow. This just shows me I need to brush up on my awful, awful assembly skills. Hats off to Christopher Domas.

TL;DR: This tool is awesome, thanks for writing it, good thinking all the props. So, some thoughts, sometimes undocumented instructions can be implemented across multiple architectures because it is simply a logical extension of the architecture that isn’t actually documented, but putting in the logic to block those undocumented instructions is more work than it is worth. (i.e. undocumented, or “behaviour undefined” register combinations) similarly, a short-cut in implementation (pinning a behaviour-changing mux to a specific bit of the opcode, rather than actually decoding it) A good example here is the SL1 instruction on the Z80 processor. The three instructions SRA, SLL, SRL are combined in a quad-structure with a section of missing shift-left instructions. Actually executing these instructions results in a shift-left then set bottom-bit. Likely as a result of opcode bits being pinned to muxes. Additionally, there is still a worth in specifications. Specifications detail what is _expected_ behaviour, and what one can rely upon. As such, there’s a giant chasm of instructions that may work at the time, but are not guaranteed to work in the future, or even potentially after a microcode update. So, we get this horrible area, where like the 66 e9 instruction, good software should never include this instruction, because it is non-standard and “a valid implementation of undefined behaviour is to make monkeys fly out of the user’s butt”, but meanwhile, the processor still accepts these instructions, and can potentially then be malicious. At the same time, you can’t _really_ trust that only malicious code uses these instructions… so… poop.

Finally! Someone speaking at a tech event who isn't a stuttering incompetent mess onstage!

*"jk i'm malicious af"*

When I was a kid guys like this were the rockstars and astronauts to me.

Thanks for the talk! You used such fascinating methodology to carry out this project. Definitely learned a lot, not just about hidden instructions but also software searching techniques.

Undocumented instructions have been around at least since the Z80 and perhaps before then. This is an 8-bit CPU which uses a separate 16-bit address bus. The Z80 has two 16-bit index registers, IX and IY, intended solely for indirectly accessing memory, but people noticed that the binary code for accessing these registers was just one byte to say "Use IX" or "Use IY" followed by exactly the same instructions used to access the HL register pair, which are two 8-bit registers which can be used together as a 16-bit address. Since the H and L registers can be used as separate 8-bit registers, people decided to try adding the "Use IX" or "Use IY" byte in front of the 8-bit H or L register instructions and discovered that they could access IXH, IXL, IYH and IYL as 8-bit registers. Many programmers then wrote an include file which defined these undocumented instructions as macros so they could use them directly in their programs.

what a talk! phenomenally creative, important, and useful. i understood almost all of it despite knowing next to nothing about x86, barely anything about process/OS security schemes and how their traps/exceptions are passed around, what the rings mean, and just generally being very new to OS and hardware stuff.

Link to GitHub repositories! github.com/xoreaxeaxeax/sandsifter

Maybe a stupid question, but how does the cursor keep blinking if the CPU is locked up?

Still my favourite talk

This talk takes a while to get interesting but it's worth it

I watched this video 𝟓 𝐓𝐈𝐌𝐄𝐒!... not because I didn't understand it but because it's just wonderful and so INTERESTING. Amazing Black Hat

This guy is a genius

Most of those undefined opcodes could be what LAX was on 6502: opcodes without explicit microcode.

32:56 *_This man is claiming that it would be possible to write a malicious program that is completely benign and undetectable on any x86_64 computer that is not using a physical Intel CPU, but when executed on a computer with an Intel CPU it could arbitrarily execute whatever otherwise deliberately avoided lines of ASM the programmer desired, and also vice versa by inverting the principle._* That's the killing blow of this video and, if his demonstration is true, means that nobody should be using x86 CPUs for cryptography of any meaningful level of security.

I think this was 80% nifty and 20% scary. Nifty for coming up with that approach for finding undocumented opcodes. Scary for the fact that so many were found.

Remarkable person with a unique mind.

Oh my. That's why I love my RISC CPU. Those x86 CPUs are so complex!

holyfuck. I might be high, but tell me if that wasn't the best blackhat talk yet?

Extremely captivating!

My guess is many undocumented opcodes just do nothing. My guess the number of really secret opcodes are few, they just treat the potential execution paths as NOPs. Complex CISC CPUs use microcode to decode instructions so just routing them to NOP is more economical. However I still am concerned that the OEMs have included opcodes which may only be used for debugging but are vectors for abuse. What’s worse, some of the vulnerabilities may require several undocumented opcodes to do something so just poking single opcodes isn’t enough to scope the problem set.

This is truly disturbing. This guy was able to do this single handed (of course we can assume that a lot of people helped him, im too lazy to watch the video again to see if he said that he was not alone in this project), imagine what a group of malicious people, that literally do this all day, can actually do? I imagined these "malicious people" have literally all the backdoors in every single [Intel, Amd] hardware (processors) . If they were to find and fix a vulnerability, the "malicious people" still have the rest. But what do i know :) im just a student, and I am sorry for my english, I hope you still be able to get my concerning point.

so much respect for those smart people

10:25 when you make the processor roll over for you, you know you're next level

26:53 **Puts on tin foil hat** No seriously, that shit's scary

Great talk, nice ideas!

Oh boy. And now it's been revealed that Intel chips created in the past decade have a kernel memory leak "bug"/backdoor. Well, at least the Intel CEO sold as many shares as he could during Q4...

Information dense talk in a manner of John Carmack. Now i need time to digest. Awesome.

great stuff! hopefully resulting in some good microcode updates and more secure cpus in the future.

8086/8088 processors had an instruction prefix interrupt bug which wasn't fixed until the 80c88 was introduced. There was also a rather critical bug in early 8086/8088 processors which would cause an interrupt immediately after a MOV SS or POP SS to push data off the stack into an incorrect memory location, causing data corruption.

Has the hardware bug been disclosed yet?

ok woah.. this guy has some impressive talks here. a bright mind for sure.

good stuff

Incredible job done presenting this critical topic. Keep up the good work :)

The only true way to know is to reverse engineer the die. There might be some secret knock codes that is outside the instruction space that could enable special functionality.

I am reminded of Joe and Gordon running current through every pin of an early 80s IBM, resulting in that 2 inch thick blue binder, which Cameron was subsequently legally barred from reading it while she coded the BIOS for "The Giant."

I understood nothing, but enjoyed it.

22:26 ok this part genuinely looks like what you would see in hollywood movies

Intel ME, AMD PSP...

Wow, that is amazing! Just curious though, any updates on that Ring3 DoS instruction that locked up his CPU?

So did he ever post an update to the undisclosed bug he talks about at 38:43?

Well this video is certainly a great deal more relevant. Fuck.

you know he's really good at what he's doing when he speaks at 200 k/h

I like this. But my approach would be more like: Ok, put the candidate processor to be scanned on it's own, isolated mainboard/breadboard/experimental board, and feed the candidate processor instructions from another machine. That way everything is nice n isolated during crashes and could make scanning the ENTIRE instruction set faster and more reliable.

thank yu very much yu have rightly guided me to pursue a career in reverse engineering software yu are actually a genius and open sourcing those software tools makes yu true master in your field yu can turn those software tools into million dollar startup

This guy is going to mysteriously disappear one day in events which Intel can claim plausible deniability for.

His search scheme seems to exclude some possibilities. From what he described, if say 00 xx is a two-byte instruction, he checks 00-FF for xx. Then he goes back and checks the length of 01. If it's also two bytes as before, he then doesn't search 01 xx, assuming that the last byte won't do anything special. But what if 01 00 is a three-byte instruction, or 01 23 is a three-byte instruction? Essentially, he seems to assume that there won't be two different types of instructions of the same length, next to each other in his search order. That is, if say 00 is a two-byte instruction, 01 is a one-byte instruction, and then 02 is a two-byte instruction, he will properly search both two byte instructions' second bytes, but if instead 00 and 01 are the two-byte instructions, he won't search the second one. Later he says he has the instruction at the end of a page to use a page fault to detect instruction length. I'd be wary of trusting that mechanism, especially for hidden instructions. I'm sure I've read errata for processors where instructions near or crossing a page boundary have issues.

You are my favorit! Love your stuff.

Mind blowing!! Neat and complete... bravo!! :)

This has been fascinating!

Ok thanks for this talk. Just confirmed an old acquaintance must work for an intelligence agency. He told me this in 98 but was drunk and denied saying it after.. Lol..

A few things come to my mind: He talks a lot about "trusting" the processor. I don't think that anyone truly trusts the processor any more than they trust the software. We just have fewer options when it comes to the processor. We can either use a computer or not use it. If I were nefarious and wanted to hide a secret instruction, a couple good candidates would be an "undefined" opcode with ESI and EDI set to special values or DS: MOV AL, AL (an effective no-op that no one would ever use) again with ESI and EDI set to special values. The gaps in the op-code table are supposed to be values that do not correspond to an instruction. They may be filled in by later processors. This is, after all, how the processors have evolved. He says he is doing the entire thing in ring-3. I happen to know that accessing the CR2 register requires ring-0 access. Maybe the operating system is facilitating some of these things. But it still struck me as odd. Setting all the registers to zero is a good start. But some of those instructions include address offsets, which can still overwrite your "supervisor" code. (Okay, he addresses this one.) As for the priority error for undefined opcode vs page fault: Yes, it is an erratum. They decided it was a documentation error and fixed their documentation. First off, I can see where they might miss this. Very few people, outside of maybe myself, are going to deliberately execute an undefined instruction over a page-faulting area. Admittedly, I do a few unusual things. I have used MOV CS, AX as a processor check (runs fine on 8088, undefined opcode on 286, man I'm old.) I miss the days when computers would detect a processor shutdown and just reset the processor. You could use certain memory locations to tell the BIOS where to resume execution. Ah, good times, shut the processor down 20 times and return to DOS like nothing ever happened.

15:40 how that is truth? I thought we don't relay on what's said in documentation and it's sounds like a good idea to hide backdoor/hiden instructions by continuously throwing exceptions.

"You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time." (Abraham Lincoln)

Does anybody have a link for full disclosure?

I don't know heaps about x86 but it seems like it could REALLY do with a "lite" version, with the same speed and set of _useful_ instructions; nothing undocumented, useless or too obscure. I bet people have thought of this before, so why doesn't it something like this exist, or if it does, why haven't I heard of it?

Incredible talk

Awesome. Pretty clever tricks!

This is really well explained.

I'm afraid of running that and NOT GETTING A BLUE SCREEN/KERNEL PANIC, and the CPU just corrupting some files, or doing something crazy with the OS, etc. I'd run with my storage detached physically from the motherboard and no network cards online.

This is awesome! This guy's very resourceful to come up with these tools. Questions tho... Why wouldn't a processor's Instruction Cache prefetch generate the page-fault much earlier than when the straddling instruction was hit?

Couldn't help but notice the venue for your seminar. Kind of puts a different slant on things, doesn't it? What a difference a couple of months can make.

absolutely incredible stuff.

I think the history of intel and the whole x86 ISA is pretty cool and everything but cpu's should definitely be open source/ FOSH

About 6m40s in it says #40 is a single byte instruction `inc eax`. I assumed an #40 would cause a situation where if `ax` reached #ffff it would go back to #0000 and set the carry flag, but #66 #40 should increment eax to #00010000. There are several other minor factually confusing statements throughout the video. On the whole this is a great talk and seems to be presented by an absolute expert so now I'm doubting myself.

The man is a genius!

This is actually something amazing

I'm kind of curious what sort of similar tools the processor developers have. When I've made processors in uni we would generally brute force/cherrypick things we thought may break stuff.

Many assumptions and flaws in the method for example: Assuming #UD means the instruction does not exist is believing the HW manual which is a contradiction to the base line assumption we should never trust the manual.

Outstanding work

One thing I don't like about this approach is that he doesn't even try to analyze what's going on processor pins, physically I mean. How do you know it's locked? Because it doesn't respond to the keyboard? Maybe there is still a lot of other activities happening on the data and/or address buses and what not. Especially with modern SoC processors that have a lot of built-in periphery on the chip.

Fantastic thinking, using PF to find the instruction length, reminds me of when I learnt how traceroute works, ping with TTL 1, ping with TTL 2 etc. And then learning the DNS of assembly is BSing you! And cross platform (Intel.AMD, VIA) GOD BLESS AMERICA

Great well explained video, thanks

It seems like exploiting a f00f-like bug (where it stops the processor) could be a more efficient DDOS-like attack provided you can manage to run unsigned code. Just get a company's servers to execute the processor stop instruction and they'll have to reboot all their computers. If you set it to run on startup, then they'll be locked out of their OS, forcing them to solve the issue from the BIOS.

Not super familiar with these architectures, but isn't it feasible to have certain combinations of instructions be used to cause specific, hidden behaviors? Seems like something that this tool would miss.

I totally understood all of this:) :) :)

Interesting! Generally speaking, should the problem of undocumented instructions also be relevant for RISC as well? Even with an open architecture, implementation can be (and likely will be) done secretly. Manufacturers are risking their brand name to have these hidden instructions that they may lose track of. Agree with the concept of developing more universal tools to audit our hardware. We shouldn't only audit software.

Has the mysterious CPU locking instruction been disclosed yet? I'm guessing it NEVER can be...

What concerns me is let's say he executes one of these unknown instructions and it alters the way the processor executes a currently benign instruction. Perhaps changing a jump and read to a jump and execute. I'm not saying it's changing the hardware, I'm saying maybe this instruction is inside the processor for a reason that we're not supposed to know about. Such as this instruction flips a bit that diverts an execution pipeline to a part of the processor that has been idle for years that now is operating under an altered instruction set. So I suppose that when this scanning tool is run, you should probably run it numerous times to see if you find some different results during the second pass, indicating a new instruction or instruction set has been enabled. (I'm talking like NSA level stuff)

Awesome. Excellent presentation. Am unable in late October, 2017 to yet find disclosure on the new HCF bug.

Bravo! Just brilliant.