
Two Undocumented x86 Instructions Allegedly Found that can Modify Microcode

InsertPi

 

Summary

As said in the title, Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy together have allegedly found two undocumented x86 instructions that can modify the architectural state of Intel CPUs. This means that they can modify microcode (for those unaware, this is effectively the code that makes your CPU do what it does). Mark claims that it's decoded in all modes, including user mode, but that the "[microcode] in MSROM throws #UD if not in Red Unlocked state."

 

Ermolov says that details will be posted "a little later." Will add to this post with updates as I see them.

 

Quotes


"[Y]es, they can modify microcode."


-Mark Ermolov (@_markel__ on Twitter)

 

My thoughts

This has serious implications for computer security, as an exploit could potentially allow hackers to install malicious microcode onto your CPU, change processor behavior, or bypass lots of contemporary CPU-level security measures. As we know, Meltdown was a problem that was patched by updating Intel microcode. Could an exploit un-install this patched microcode, re-exposing systems to serious exploits like Meltdown and Spectre? 

 

Sources

EDIT 1: After doing some research myself, when Mark says "[microcode] in MSROM throws #UD if not in Red Unlocked state," this effectively amounts to the fact that your CPU has to be in debug mode, which itself usually requires a compromised Management Engine (in which case, these new opcodes aren't even your biggest worry). #UD is an error on Intel CPUs that means "undefined instruction," and Red Unlocked state usually requires a hacked ME. So, this discovery will likely cause an influx in related security research, but it in itself should not be too detrimental.

Edited by iamaperson620

Master's student and student researcher at The University of Alabama in Huntsville, Department of Computer Science

Ask me about high-performance computing, general-purpose GPU programming, or computer architecture


"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

elephants


4 minutes ago, FakeKGB said:

Any thoughts on name ideas?

OhShIntel


38 minutes ago, FakeKGB said:

"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

Has Code Red been used already?

 

 

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


It's undocumented for you and me. The feds have probably known about this for years.

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III


Is this the precursor as in Fight Club when the entire system breaks down via the most epic global hack ever? 🤔

 

*golf clap*


Intel... 

Ohh... It's you again. - Worry Mutt - quickmeme

 

What's with these undocumented instructions though? Is this just something Intel put in for a future planned feature?


Are those last names even REAL!?

 

/s


3 hours ago, iamaperson620 said:

After doing some research myself, when Mark says "[microcode] in MSROM throws #UD if not in Red Unlocked state," this effectively amounts to the fact that your CPU has to be in debug mode, which itself usually requires a compromised Management Engine (in which case, these new opcodes aren't even your biggest worry). #UD is an error on Intel CPUs that means "undefined instruction," and Red Unlocked state usually requires a hacked ME. So, this discovery will likely cause an influx in related security research, but it in itself should not be too detrimental.

So basically another example of:

If your PC is in a state where this can actually be used, you're already screwed regardless if anyone has run any microcode updates.

 

If someone has the kind of control over your computer that they can install a hacked ME, yeah, maybe better to just throw it out completely.

🌲🌲🌲

 

 

 


2 hours ago, TetraSky said:

Intel... 

 

What's with these undocumented instructions though? Is this just something Intel put in for a future planned feature?

Likely these are debugging instructions that Intel engineers use when developing CPUs. By only enabling their execution when in debug mode, it's "in theory" safe, so they never removed them before production.


5 hours ago, iamaperson620 said:

#UD if not in Red Unlocked state."

Then this entire discovery is academically interesting, but a non-issue for users.

If someone can get your processor to enter debug mode (especially without unfettered physical access) then there's a much bigger problem somewhere else, and the end user is already fxed.

 

4 hours ago, DildorTheDecent said:

The feds have probably known about this for years.

The feds can, and have, installed hypervisors that can hide themselves in certain hard drive controllers. This was the major capability of the EquationGroup's espionage platforms, or so says Kaspersky.

ENCRYPTION IS NOT A CRIME
