DEF CON 25 - Christopher Domas - Breaking the x86 Instruction Set

Science & Technology

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. We'll disclose new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. Best of all, we'll release our sandsifter toolset, so that you can audit - and break - your own processor.
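The "page fault analysis" the abstract refers to is the trick of placing candidate bytes so that they end exactly at a page boundary whose next page is unmapped, then reading the fault the CPU raises to learn whether the decoder wanted more bytes. The probe below is an added example for this page, not code from the talk or from the sandsifter repository, and it assumes Linux on x86-64 with GCC or Clang. The function name insn_length, the register zeroing before the jump, the int3 fill and the candidate instructions in main are this example's own choices; the fuzzing and search-space pruning that sandsifter layers on top are not shown. Because the probe executes the bytes in its own process, run it against unknown candidates only in a VM or throwaway process.

```c
/* Instruction-length probing via page-fault analysis (example for this page,
 * not sandsifter's code). Assumes Linux/x86-64 and GCC or Clang. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this probe relies on Linux x86-64 signal and page semantics"
#endif

#define MAX_INSN 15                 /* architectural x86 maximum */

static uint8_t *exec_page;          /* mapped R+X, holds the candidate bytes */
static uint8_t *boundary;           /* first byte of the PROT_NONE page after it */
static size_t page_size;
static sigjmp_buf env;
static volatile int fault_signal;
static void *volatile fault_addr;
static void *volatile fault_rip;
static uint8_t altstack[1 << 16];   /* handler stack, in case rsp gets clobbered */

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    fault_signal = sig;
    fault_addr = si->si_addr;                            /* CR2 for a #PF */
    fault_rip = (void *)uc->uc_mcontext.gregs[REG_RIP];  /* where the CPU stopped */
    siglongjmp(env, 1);                                  /* back into insn_length */
}

static int probe_init(void)
{
    static int ready;
    if (ready) return 0;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 2 * page_size, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    exec_page = base;              /* made R+W / R+X per probe below */
    boundary = base + page_size;   /* second page stays PROT_NONE */

    stack_t ss = { .ss_sp = altstack, .ss_size = sizeof altstack, .ss_flags = 0 };
    if (sigaltstack(&ss, NULL) < 0) return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGFPE, SIGTRAP };
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) < 0) return -1;
    ready = 1;
    return 0;
}

/* Zero the general-purpose registers so a memory operand hits address 0 and
 * never the boundary itself, then jump into the probe page. Control only
 * comes back through on_fault, so this never returns normally. */
static void run_at(const uint8_t *ip)
{
    __asm__ volatile(
        "mov %0, %%r11\n\t"
        "xor %%eax, %%eax\n\t"  "xor %%ebx, %%ebx\n\t"
        "xor %%ecx, %%ecx\n\t"  "xor %%edx, %%edx\n\t"
        "xor %%esi, %%esi\n\t"  "xor %%edi, %%edi\n\t"
        "xor %%r8d, %%r8d\n\t"  "xor %%r9d, %%r9d\n\t"
        "xor %%r10d, %%r10d\n\t"
        "jmp *%%r11"
        : : "r"(ip)
        : "rax", "rbx", "rcx", "rdx", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "memory", "cc");
}

/* Returns how many bytes the decoder consumed for `bytes` (zero-padded to 15),
 * or -1 if no length up to 15 satisfied it. */
int insn_length(const uint8_t *bytes, size_t n)
{
    uint8_t cand[MAX_INSN] = { 0 };
    if (n > MAX_INSN || probe_init() < 0) return -1;
    memcpy(cand, bytes, n);

    for (volatile int len = 1; len <= MAX_INSN; len++) {
        uint8_t *volatile start = boundary - len;

        /* Lay the first `len` bytes down so they end exactly at the boundary;
         * the rest of the page is int3 so stray backwards control flow traps. */
        mprotect(exec_page, page_size, PROT_READ | PROT_WRITE);
        memset(exec_page, 0xcc, page_size);
        memcpy(start, cand, (size_t)len);
        mprotect(exec_page, page_size, PROT_READ | PROT_EXEC);

        if (sigsetjmp(env, 1) == 0)
            run_at(start);

        /* A page fault on the boundary with RIP still at the instruction's
         * first byte means the decoder ran out of bytes mid-instruction, so
         * retry with one more. Anything else (#UD, a data fault elsewhere, or
         * the fetch of the *next* instruction faulting with RIP == boundary)
         * means decoding completed at this length. */
        if (fault_signal == SIGSEGV && fault_addr == boundary && fault_rip == start)
            continue;
        return len;
    }
    return -1;
}

int main(void)
{
    const uint8_t nop[] = { 0x90 };
    const uint8_t mov_eax[] = { 0xb8, 0x78, 0x56, 0x34, 0x12 };
    const uint8_t ud2[] = { 0x0f, 0x0b };
    printf("nop: %d  mov eax,imm32: %d  ud2: %d\n",
           insn_length(nop, sizeof nop), insn_length(mov_eax, sizeof mov_eax),
           insn_length(ud2, sizeof ud2));
    return 0;
}
```

The RIP check is what disambiguates the two faults that share the same fault address: an instruction that decoded and executed leaves RIP at the boundary when the next fetch faults, while an instruction the decoder could not finish leaves RIP at its own first byte. A candidate whose memory operand happens to resolve to the boundary (for instance a RIP-relative load with displacement 0) still fools this check, which is why the registers are zeroed and why a real harness also inspects the fault error code.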

Comments: 22

  • @lightarmanov6266, 6 years ago

    This is the coolest thing I've seen in a long time

  • @devjock, 6 years ago

    I had a feeling Christopher already knew what we know now...

  • @derek5863, 6 years ago

    Agree, this is gold. I think there are many other angles from this presentation that we haven't even started to investigate.

  • @derek5863, 6 years ago

    The 'Halt and Catch Fire' instruction would be great if it triggered a processor destruction charge, i.e. a hardware anti-tampering method supporting FIPS 140-2, or a one-time-use secure message device, James Bond style.

  • @jonharson, 5 years ago

    It's all fun and games until you find out that CPU is controlling a nuclear power plant's emergency controls.

  • @saeedradmehr1976, 5 years ago

    Really good and simple too. I'm inclined to think this hadn't been done before because of legal obstacles rather than it being hard to do. But anyhow, it was really, really nice to see this talk.

  • @5n0Wg00n5, 6 years ago

    Brilliant..

  • @RandallStephens397, 6 years ago

    This is terrifying.

  • @SupGhostly, 5 years ago

    Why is it terrifying?

  • @TheGoodChap, 1 year ago

    @SupGhostly do you know about the NSA? Snowden?

  • @SupGhostly, 1 year ago

    @TheGoodChap I do not. Pretty new to the security world, but I would love to read more if you could point me to a good article, please.

  • @Awcator, 10 months ago

    That was a hell of a lot of knowledge transfer

  • @xdman2956, 1 year ago

    29:30 is the highlight for me

  • @anteconfig5391, 6 years ago

    I feel like it's dumb for me to ask, but aren't the "rings" (0, 1, 2, 3), SMM and other security modes designated by the operating system? So I'm thinking that if you wrote a small OS you wouldn't have those privileged modes of execution if you didn't program them in. So my question is: am I right to think this, or am I just wrong?

  • @SpookySkeleton738, 5 years ago

    The rings, hypervisor and SMM are all hardware features built into the CPU and chipset. What belongs in Rings 0 and 3 are designated by the kernel, everything below is firmware-level.

  • @TheGoodChap, 1 year ago

    They're a part of the CPU hardware. SMM and other low-level operations and modes can only be accessed by special instructions in the instruction set that can't be used for anything else. Technically your computer boots from BIOS thinking it's a tiny CPU from the 1970s, and you have to set all kinds of special registers and things during boot-up to make it realize it's a modern, fully featured CPU.

  • @73h73373r357, 6 years ago

    Wait, didn't he violate responsible disclosure by telling us that the HaCF instruction exists, right after laying out the methods he used to find it?

  • @nullplan01, 5 years ago

    In theory, yes. In practice you now have to find the manufacturer (he was using smaller manufacturers like TransMeta and VIA, remember), and then the specific chip he found the instruction on. Happy hunting!

  • @dorukayhanwastaken, 4 years ago

    This is Intel we're talking about. Anything less than immediate full disclosure might as well be no disclosure.

  • @kimotroph9683, 2 years ago

    Haha. Yeah, right. That's why it's DEF CON.

  • @cn9630, 1 year ago

    A CONCERN: "A VIA x86 Chip was found to have a tiny processor within it. It had its own operating system (Minix) and bypassed ALL security at the hardware level. It's called the ARC Processor & you can bet it was developed in Israel for worldwide distribution."

  • @cn9630, 1 year ago

    Timestamp 50:03 on KZread vid: "179. James O'Keefe & The Deep State, Ukraine, Mike Gill & The..." On Brendon Lee O'Connell channel.
