Jump to content

Two Undocumented x86 Instructions Allegedly Found that can Modify Microcode

 

Summary

As said in the title, Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy together have allegedly found two undocumented x86 instructions that can modify the architectural state of Intel CPUs. This means that they can modify microcode (for those unaware, this is effectively the code that makes your CPU do what it does). Mark claims that it's decoded in all modes, including user mode, but that the "[microcode] in MSROM throws #UD if not in Red Unlocked state."

 

Ermolov says that details will be posted "a little later." Will add to this post with updates as I see them.

 

Quotes

Quote

"[Y]es, they can modify microcode."


-Mark Ermolov (@_markel__ on Twitter)

 

My thoughts

This has serious implications for computer security, as an exploit could potentially allow hackers to install malicious microcode onto your CPU, change processor behavior, or bypass lots of contemporary CPU-level security measures. As we know, Meltdown was a problem that was patched by updating Intel microcode. Could an exploit un-install this patched microcode, re-exposing systems to serious exploits like Meltdown and Spectre? 

 

Sources

EDIT 1: After doing some research myself, when Mark says "[microcode] in MSROM throws #UD if not in Red Unlocked state," this effectively amounts to the fact that your CPU has to be in debug mode, which itself usually requires a compromised Management Engine (in which case, these new opcodes aren't even your biggest worry). #UD is an error on Intel CPUs that means "undefined instruction," and Red Unlocked state usually requires a hacked ME. So, this discovery will likely cause in influx in related security research, but it in itself should not be too detrimental. 

Edited by iamaperson620

Master's student and student researcher at The University of Alabama in Huntsville, Department of Computer Science

Ask me about high-performance computing, general-purpose GPU programming, or computer architecture

Link to post
Share on other sites

"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

PLEASE STOP [Killing] ME I WILL GIVE Y OU ANOTHER DEAL.

Link to post
Share on other sites

4 minutes ago, FakeKGB said:

Any thoughts on name ideas?

OhShIntel

Main System (Byarlant): Ryzen 7 5800X | Asus B550-Creator ProArt | EK 240mm Basic AIO | 32GB G.Skill DDR4 3600MT/s CL16 | XFX Speedster SWFT 210 RX 6600 | Samsung 990 PRO 2TB / Samsung 960 PRO 512GB / 4× Crucial MX500 2TB (RAID-0) | Corsair RM750X | Silicom (Intel) X540-AT2 10G NIC | Inateck USB 3.0 Card | Hyte Y60 Case | Dell U3415W Monitor | Keychron K4 Brown (white backlight)

 

Laptop (Narrative): Lenovo Flex 5 81X20005US | Ryzen 5 4500U | 16GB DDR4 3200MT/s (soldered) | Vega II 384SP Graphics | SKHynix P31 1TB NVMe SSD | Intel AX200 Wifi | Asus 2.5G USB NIC | Asus ProArt PA278QV | Keychron K12 Blue (RGB backlight)

 

Proxmox Server (Veda): Ryzen 7 3800XT | ASRock Rack X470D4U | Corsair H80i v2 | 64GB Micron DDR4 ECC 3200MT/s | 4× WD 10TB / 4× Seagate 14TB Exos / 8× WD 12TB (custom external SAS enclosure) / 2× Samsung PM963a 960GB SSD | Seasonic Prime Fanless 500W | Intel X550-T2 10G NIC | LSI 9300-8i HBA | Adaptec 82885T SAS Expander | Fractal Design Node 804 Case

 

Proxmox Server (La Vie en Rose)GMKtec Mini PC | Ryzen 7 5700U | 32GB Lexar DDR4 (SODIMM) | Vega II 512SP Graphics | Lexar 1TB 610 Pro SSD | 2× Realtek 8125 2.5G NICs


Media Center/Video Capture (Jesta Cannon): Ryzen 5 1600X | ASRock B450M Pro4 R2.0 | Noctua NH-L12S | 16GB Crucial DDR4 3200MT/s | EVGA GTX750Ti SC | UMIS NVMe SSD 256GB / TEAMGROUP MS30 1TB | Corsair CX450M | Viewcast Osprey 260e Video Capture | TrendNet (Aquantia AQC107) 10G NIC | LG UH12NS30 BD-ROM | Silverstone Sugo SG-11 Case | Sony XR65A80K

 

Workbench (Doven Wolf): Lenovo m715q | Ryzen Pro 3 2200GE | 16GB Crucial DDR4 3200MT/s (SODIMM) | Vega 8 Graphics | SKHynix (OEM) 256GB NVMe SSD | uni 2.5G USB NIC | HDMI add-in module

 

Network:

Spoiler
                       ┌─────────────── Office/Rack ───────────────────────────────────────────────────────┐
Google Fiber Webpass ── Cloud Gateway Max ═╦════ Flex 2.5-8 ═╦════ Flex XG ═╦═ Veda
                           La Vie en Rose ═╣ La Vie en Rose ═╬═ Doven Wolf  ╠═ Veda-NAS
                                     Veda ─╜      Narrative ═╝              ╟─ Switch 8-60W ─┬─ Veda
╔═══════════════════════════════════════════════════════════════════════════╝                └─ Veda (IPMI)
║    ┌ Closet ┐     ┌───────── Bedroom ─────────┐
╚════ Flex XG ═╦╤═══ Flex XG ═╤╦═ Byarlant
        (PoE)  ║│             │╠═ Narrative 
Kitchen Jack ══╣└─ Dual PoE ┐ │╚═ Jesta Cannon*
   (Testing)   ║┌─ Injector ┘ └── Work Laptop
     Bedroom ══╝│
        Jack #2 │        ┌──────── Media Center ───────────────────────────┐
                └──────── Switch 8 ────────────┬─ nanoHD Access Point (PoE)
Notes:                                         ├─ Sony PlayStation 4 
─── is Gigabit / ═══ is Multi-Gigabit          ├─ Pioneer VSX-S520
* = cable passed from Bedroom to Media Center  └─ Sony XR65A80K (Google TV)

 

Link to post
Share on other sites

38 minutes ago, FakeKGB said:

"Grandpa, why did you put these in the x86 instruction set when you invented it?"
 

I'm curious where this will go.

Any thoughts on name ideas?

Has Code Red been used already?

 

 

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 

Link to post
Share on other sites

It's undocumented for you and me. The feds have probably known about this for years.

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III

Link to post
Share on other sites

Intel... 

Ohh... It's you again. - Worry Mutt - quickmeme

 

What's with these undocumented instructions though? Is this just something Intel put in for future planned feature?

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 11 Pro

Link to post
Share on other sites

Are those last names even REAL!?

 

/s

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 

Link to post
Share on other sites

2 hours ago, TetraSky said:

Intel... 

 

What's with these undocumented instructions though? Is this just something Intel put in for future planned feature?

Likely these are debugging instructions that Intel engineers use when developing CPUs. By only enabling their execution when in debug mode, it's "in theory" safe, so they never removed them before production.

Master's student and student researcher at The University of Alabama in Huntsville, Department of Computer Science

Ask me about high-performance computing, general-purpose GPU programming, or computer architecture

Link to post
Share on other sites

5 hours ago, iamaperson620 said:

#UD if not in Red Unlocked state."

Then this entire discovery is academically interesting, but a non-issue for users.

If someone can get your processor to enter debug mode (especially without unfettered physical access) then there's a much bigger problem somewhere else, and the end user is already fxed.

 

4 hours ago, DildorTheDecent said:

The feds have probably known about this for years.

The feds can, and have, installed hypervisors that can hide themselves in certain hard drive controllers. This was the major capability of the EquationGroup's espionage platforms, or so says Kaspersky.

ENCRYPTION IS NOT A CRIME

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×