Sunday, February 3, 2019



TECH




Unlocking God Mode on x86 Processors
We missed this Blackhat talk back in August, but it's so good we're glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user / kernel separation mechanisms.
The result is that these specific processors have an intentional mechanism that allows any unprivileged user to jump directly to root-level access. The most fascinating part of the talk is the methodical approach [Domas] took to discover the details of this undocumented feature. Once he had an idea of what he was looking for, he automated the process of checking every possible x86 instruction, looking for the one instruction that allowed running code on that extra core. The whole talk is entertaining and instructional, check it out after the break!
There's a ton of research poking at the complexity of modern processors. One of our favorites, also by [Domas], is sandsifter, which searches for undocumented instructions.

Jonathan Bennett
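The automated search described above rests on one primitive: hand the CPU a candidate encoding, execute it, and observe whether it ran, raised #UD, or faulted some other way. The C harness below is an added example written for this page; it is not [Domas]'s code and not sandsifter. It targets x86-64 Linux, places the candidate bytes in a page followed by a `ret`, executes them, and classifies the outcome with SIGILL/SIGSEGV handlers that `siglongjmp` back to the caller. The three sample encodings (`nop`, `ud2`, `hlt`) are constructed for illustration, and every function and constant name (`probe_bytes`, `probe_name`, `SAMPLE_*`) is my own. From a defender's standpoint the same check verifies that an encoding a platform is supposed to reject really does trap instead of silently executing, for example when validating an emulator or a sandbox.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of executing one candidate encoding in user mode. */
enum probe_result {
    PROBE_RAN,          /* bytes executed and control returned normally */
    PROBE_ILLEGAL,      /* CPU raised #UD, delivered to us as SIGILL */
    PROBE_FAULTED,      /* some other fault (#GP etc.), delivered as SIGSEGV */
    PROBE_UNSUPPORTED   /* not x86-64 Linux, or executable memory unavailable */
};

/* Constructed sample encodings (illustrative, not taken from the talk). */
static const unsigned char SAMPLE_NOP[] = { 0x90 };        /* nop: should run */
static const unsigned char SAMPLE_UD2[] = { 0x0F, 0x0B };  /* ud2: defined to raise #UD */
static const unsigned char SAMPLE_HLT[] = { 0xF4 };        /* hlt: privileged, #GP in ring 3 */

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

static void probe_handler(int sig) {
    probe_signal = sig;
    siglongjmp(probe_env, 1);  /* abandon the faulting instruction, back to probe_bytes */
}

int probe_supported(void) {
#if defined(__x86_64__) && defined(__linux__)
    return 1;
#else
    return 0;
#endif
}

const char *probe_name(enum probe_result r) {
    switch (r) {
    case PROBE_RAN:     return "executed";
    case PROBE_ILLEGAL: return "illegal (#UD)";
    case PROBE_FAULTED: return "faulted (#GP or other)";
    default:            return "unsupported";
    }
}

enum probe_result probe_bytes(const unsigned char *code, size_t len) {
    if (!probe_supported()) return PROBE_UNSUPPORTED;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len + 1 > (size_t)page) return PROBE_UNSUPPORTED;

    /* Write the candidate followed by a ret, then flip the page to RX (W^X friendly). */
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return PROBE_UNSUPPORTED;
    memcpy(buf, code, len);
    buf[len] = 0xC3;  /* ret: if the candidate executed, control comes back here */
    if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, (size_t)page);
        return PROBE_UNSUPPORTED;
    }

    /* Catch #UD (SIGILL) and other faults (SIGSEGV) raised by the candidate. */
    struct sigaction sa, old_ill, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGSEGV, &sa, &old_segv);

    enum probe_result r;
    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);   /* object -> function pointer without a cast warning */
        fn();
        r = PROBE_RAN;
    } else {
        r = (probe_signal == SIGILL) ? PROBE_ILLEGAL : PROBE_FAULTED;
    }

    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap(buf, (size_t)page);
    return r;
}

int main(void) {
    printf("nop : %s\n", probe_name(probe_bytes(SAMPLE_NOP, sizeof SAMPLE_NOP)));
    printf("ud2 : %s\n", probe_name(probe_bytes(SAMPLE_UD2, sizeof SAMPLE_UD2)));
    printf("hlt : %s\n", probe_name(probe_bytes(SAMPLE_HLT, sizeof SAMPLE_HLT)));
    return 0;
}
```

On an x86-64 Linux host this prints `executed`, `illegal (#UD)` and `faulted (#GP or other)` for the three samples. The harness only classifies an encoding you hand it; systematically enumerating the instruction space and working out how many bytes the CPU consumed are separate problems that the talk's tooling addresses and this example does not.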
