Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Two Undocumented x86 Instructions Allegedly Found that can Modify Microcode

InsertPi
 Share

 

Summary

As said in the title, Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy together have allegedly found two undocumented x86 instructions that can modify the architectural state of Intel CPUs. This means that they can modify microcode (for those unaware, this is effectively the code that makes your CPU do what it does). Mark claims that it's decoded in all modes, including user mode, but that the "[microcode] in MSROM throws #UD if not in Red Unlocked state."

 

Ermolov says that details will be posted "a little later." Will add to this post with updates as I see them.

 

Quotes

Quote

"[Y]es, they can modify microcode."


-Mark Ermolov (@_markel__ on Twitter)

 

My thoughts

This has serious implications for computer security, as an exploit could potentially allow hackers to install malicious microcode onto your CPU, change processor behavior, or bypass lots of contemporary CPU-level security measures. As we know, Meltdown was a problem that was patched by updating Intel microcode. Could an exploit un-install this patched microcode, re-exposing systems to serious exploits like Meltdown and Spectre? 

 

Sources

EDIT 1: After doing some research myself, when Mark says "[microcode] in MSROM throws #UD if not in Red Unlocked state," this effectively amounts to the fact that your CPU has to be in debug mode, which itself usually requires a compromised Management Engine (in which case, these new opcodes aren't even your biggest worry). #UD is an error on Intel CPUs that means "undefined instruction," and Red Unlocked state usually requires a hacked ME. So, this discovery will likely cause in influx in related security research, but it in itself should not be too detrimental. 

Edited by iamaperson620

Master's student and student researcher at The University of Alabama in Huntsville, Department of Computer Science

Ask me about high-performance computing, general-purpose GPU programming, or computer architecture

Link to comment
Share on other sites

Link to post
Share on other sites

"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

REFRESH BEFORE RESPOND, I EDITED MY POST

 

 

Likes animals (especially ducks)

 

PSA: Don't lie

 

I own a lot of iDevices.

iPhone1,1 = iPhone 2G = 8GB, iPhone OS 1.1.4 (unlocked)

iPod2,1 = iPod touch 2 = 32GB, iPhone OS 2.1.1

iPhone3,1 = iPhone 4 (GSM) (Black) = 16GB, iOS 5.1.1 (unlocked)

iPhone3,3 = iPhone 4 (CDMA) (Black) = 16GB, iOS 4.2.6 (locked to Verizon)

iPhone4,1 = iPhone 4S (Black) = 16GB, iOS 9.2.1 (unlocked)

iPad2,5 = iPad mini 1 (Silver) = 6GB, iOS 8.4.1 + 10GB, 6.1.3

iPhone5,3 = iPhone 5C (GSM) (Blue) = 32GB, iOS 10.3.3 (locked to AT&T)

iPhone6,1 = iPhone 5S (GSM) (Silver) = 16GB, iOS 7.1.2 (unlocked)

iPhone6,1 = iPhone 5S (GSM) (Silver) = 16GB, iOS 11.0.1 (locked to TracFone)

iTrump6,1 = iTrump 5S (GSM) (Space Gray) = 16GB, iOS 12.5.5 (locked to TracFone)

iPhone7,2 = iPhone 6 (Silver) = 16GB, iOS 8.3 (blacklisted + locked to T-Mobile)

iPhone8,1 = iPhone 6S (Space Gray) N71AP = 16GB, iOS 15.0.2 (unlocked)

iPhone9,1 = iPhone 7 (Global) (Midnight Star) = 256GB, iOS 15.1 (unlocked)

Link to comment
Share on other sites

Link to post
Share on other sites

4 minutes ago, FakeKGB said:

Any thoughts on name ideas?

OhShIntel

Main System (Byarlant): Ryzen 7 3800XT | Asus B350-F Strix | EK 240mm Basic AIO | 16GB G.Skill DDR4 3200MHz CAS-14 | XFX RX 5600 XT THICC II | Samsung 960 PRO 512GB / Samsung 970 EVO 500GB / UMIS SSD 256GB / Crucial MX500 2TB / Samsung 840 EVO 250GB / WD White 7200RPM 8TB | Corsair RM750X | Mellanox ConnectX-3 10G NIC | Hyte Y60 Case | Dell U3415W Monitor | Microsoft Modern Keyboard

 

Laptop (Narrative): Lenovo Flex 5 81X20005US | Ryzen 5 4500U | 16GB RAM (soldered) | Vega 6 Graphics | SKHynix P31 1TB NVMe SSD | Intel AX200 Wifi (all-around awesome machine)

 

TrueNAS Server (Veda): Xeon E3-1241v3 | Supermicro X10SLL-F | Corsair H60 | 32GB Micron DDR3L ECC 1600MHz | 4x 10TB WD Whites / 4x 14TB Seagate Exos / 2x 1TB HGST 2.5" / 1x Samsung PM961 128GB SSD / 1x Kingston 16GB SSD | Seasonic Prime Fanless 500W | Mellanox ConnectX-3 10G NIC | LSI 9207-8i LBA | Fractal Design Node 804 Case (side panels swapped to show off drives)


Media Center/Video Capture (Jesta): Core i7-2600 | Asus H77M-PRO | Noctua NH-L12S | 16GB Crucial DDR3 | EVGA GTX750Ti SC | Sandisk UltraII SSD 64GB / Seagate 1.5TB HDD | Corsair CX450M | Hauppauge ImpactVCB-PCIe | Syba USB3.1 Gen 2 Card | LG UH12NS30 BD-ROM | Silverstone Sugo SG-11 Case

 

Camera: Sony ɑ7II (w/ Meike Grip) | Sony SEL24240 | Samyang 35mm ƒ/2.8 | Sony SEL50F18F | Sony SEL2870 (kit lens) | PNY Elite Perfomance SDXC cards


Tablet (---): Samsung Galaxy Tab A 8"
 

Spoiler

Laptop (Rozen-ZuluSony VAIO VPCF13WFX | Core i7-740QM | 8GB Patriot DDR3 | GT 425M | Kingston 120GB SSD | Blu-ray Drive | Intel 7260 Wifi (lived a good life, retired with honor)


Tablet (ReGZ): Asus T102HA (BIOS clock doesn't tick, loses time when sleep/off) (I kill tablets with disturbing regularity)

Tablet (Unicorn): Surface Pro 2 (battery will reset total capacity to current charge, leading Windows to think it's always 100% charged until it dies)

Tablet (Loto): Dell Venue 8 Pro (screen discoloration issues, wouldn't update to Windows 10)

Tablet: iPad 2 16GB (WiFi died, basically useless after that)

Testbed/Old Desktop (Kshatriya): Xeon X5470 @ 4.0GHz | ZALMAN CNPS9500 | Gigabyte EP45-UD3L | 8GB Nanya DDR2 400MHz | XFX HD6870 DD | OCZ Vertex 3 Max-IOPS 120GB | Corsair CX430M (?) | HooToo USB 3.0 PCIe Card | NZXT H230 Case (mostly intact, but some parts have been scavenged)

Link to comment
Share on other sites

Link to post
Share on other sites

38 minutes ago, FakeKGB said:

"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

Has Code Red been used already?

 

 

So rise up, all ye lost ones, as one, we'll claw the clouds

Link to comment
Share on other sites

Link to post
Share on other sites

It's undocumented for you and me. The feds have probably known about this for years.

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III

Link to comment
Share on other sites

Link to post
Share on other sites

Is this the precursor as in Fight Club when the entire system breaks down via the most epic global hack ever? 🤔

 

*golf clap*

Link to comment
Share on other sites

Link to post
Share on other sites

Intel... 

Ohh... It's you again. - Worry Mutt - quickmeme

 

What's with these undocumented instructions though? Is this just something Intel put in for future planned feature?

CPU: AMD Ryzen 3600 / GPU: Radeon HD7970 GHz 3GB with Noctua Fans / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro

Link to comment
Share on other sites

Link to post
Share on other sites

Are those last names even REAL!?

 

/s

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 

Link to comment
Share on other sites

Link to post
Share on other sites

3 hours ago, iamaperson620 said:

After doing some research myself, when Mark says "[microcode] in MSROM throws #UD if not in Red Unlocked state," this effectively amounts to the fact that your CPU has to be in debug mode, which itself usually requires a compromised Management Engine (in which case, these new opcodes aren't even your biggest worry). #UD is an error on Intel CPUs that means "undefined instruction," and Red Unlocked state usually requires a hacked ME. So, this discovery will likely cause in influx in related security research, but it in itself should not be too detrimental. 

So basically another example of:

If your PC is in a state where this can actually be used, you're already screwed regardless if anyone has run any microcode updates.

 

If someone has the kind of control over your Computer that they can install a hacked ME, yeah, maybe better to just throw it out completely.

🌲🌲🌲

Judge the product by its own merits, not by the Company that created it.

Link to comment
Share on other sites

Link to post
Share on other sites

2 hours ago, TetraSky said:

Intel... 

 

What's with these undocumented instructions though? Is this just something Intel put in for future planned feature?

Likely these are debugging instructions that Intel engineers use when developing CPUs. By only enabling their execution when in debug mode, it's "in theory" safe, so they never removed them before production.

Master's student and student researcher at The University of Alabama in Huntsville, Department of Computer Science

Ask me about high-performance computing, general-purpose GPU programming, or computer architecture

Link to comment
Share on other sites

Link to post
Share on other sites

5 hours ago, iamaperson620 said:

#UD if not in Red Unlocked state."

Then this entire discovery is academically interesting, but a non-issue for users.

If someone can get your processor to enter debug mode (especially without unfettered physical access) then there's a much bigger problem somewhere else, and the end user is already fxed.

 

4 hours ago, DildorTheDecent said:

The feds have probably known about this for years.

The feds can, and have, installed hypervisors that can hide themselves in certain hard drive controllers. This was the major capability of the EquationGroup's espionage platforms, or so says Kaspersky.

ENCRYPTION IS NOT A CRIME

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×