Alternate Instruction Set
The Alternate Instruction Set (AIS) is a unique secondary instruction set architecture found in the VIA C3 series of x86-32 CPUs made by VIA Technologies. The hidden processor mode is accessed by executing the x86 instruction JMPAI (0F 3F).[1] If AIS mode has been enabled, the processor will perform a JMP EAX[2] and begin executing AIS instructions at the address held in the EAX register. Using AIS allows native access to the Centaur Technology-designed RISC core inside the processor.[3]
Instruction format

AIS register numbers and their x86 names:

AIS number | x86 name |
---|---|
R0 | EAX |
R1 | ECX |
R2 | EDX |
R3 | EBX |
R4 | ESP |
R5 | EBP |
R6 | ESI |
R7 | EDI |
R8‒R15 | … |
The manufacturer describes the Alternate Instruction Set as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms".[2]

Every AIS instruction is prefixed with the 3-byte sequence 0x8D8400 followed by the 32-bit instruction; this prefix form makes AIS instructions appear to be x86 Load Effective Address (LEA) instructions. In 2018 researcher Christopher Domas reported that the prefix 0x620405 (x86 BOUND) also worked.
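As an added example (not code from the page's sources or from Domas's tools), the following C scanner looks for the two bridge-instruction wrappers described above and extracts the 32-bit word that x86 would read as a displacement. The sample buffer and the 32-bit words in it are constructed for illustration and are not real AIS encodings. Because 8D 84 00 is a legitimate encoding of LEA EAX,[EAX+EAX+disp32] and 62 04 05 of BOUND EAX,[EAX+disp32], a match only says the bytes have the wrapper shape; it cannot by itself tell AIS code from ordinary x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two x86 "bridge" prefixes named on the page, as they appear in memory.
   8D 84 00 decodes for an x86 disassembler as LEA EAX,[EAX+EAX*1+disp32];
   62 04 05 decodes as BOUND EAX,[EAX*1+disp32]. In both cases the four bytes
   that follow, which x86 reads as disp32, carry the 32-bit AIS word. */
static const uint8_t AIS_PREFIX_LEA[3]   = { 0x8D, 0x84, 0x00 };
static const uint8_t AIS_PREFIX_BOUND[3] = { 0x62, 0x04, 0x05 };

#define AIS_WRAPPER_LEN 7  /* 3 prefix bytes + 4 instruction bytes */

struct ais_hit {
    size_t   offset;   /* position of the prefix in the buffer */
    char     prefix;   /* 'L' for the LEA form, 'B' for the BOUND form */
    uint32_t word;     /* the little-endian 32-bit AIS instruction word */
};

static int prefix_at(const uint8_t *p, const uint8_t *prefix)
{
    return p[0] == prefix[0] && p[1] == prefix[1] && p[2] == prefix[2];
}

/* Scan buf for wrapper sequences. Returns the total number of hits and
   stores up to max_hits of them. The match is purely syntactic: a genuine
   LEA or BOUND with this exact ModRM/SIB encoding matches as well, so a
   hit is something to review, not proof of AIS code. */
size_t find_ais_wrappers(const uint8_t *buf, size_t len,
                         struct ais_hit *hits, size_t max_hits)
{
    size_t count = 0;
    if (len < AIS_WRAPPER_LEN)
        return 0;
    for (size_t i = 0; i + AIS_WRAPPER_LEN <= len; i++) {
        char kind;
        if (prefix_at(buf + i, AIS_PREFIX_LEA))
            kind = 'L';
        else if (prefix_at(buf + i, AIS_PREFIX_BOUND))
            kind = 'B';
        else
            continue;
        const uint8_t *w = buf + i + 3;
        uint32_t word = (uint32_t)w[0] | ((uint32_t)w[1] << 8) |
                        ((uint32_t)w[2] << 16) | ((uint32_t)w[3] << 24);
        if (count < max_hits) {
            hits[count].offset = i;
            hits[count].prefix = kind;
            hits[count].word   = word;
        }
        count++;
        i += AIS_WRAPPER_LEN - 1;  /* skip past the rest of this wrapper */
    }
    return count;
}

/* Constructed sample: two wrappers around ordinary x86 filler bytes.
   The 32-bit words are made-up values, not real AIS encodings. */
static const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90,                                 /* nop; nop */
    0x8D, 0x84, 0x00, 0x78, 0x56, 0x34, 0x12,   /* LEA-form wrapper, word 0x12345678 */
    0xC3,                                       /* ret */
    0x62, 0x04, 0x05, 0xEF, 0xBE, 0xAD, 0xDE,   /* BOUND-form wrapper, word 0xDEADBEEF */
    0x90                                        /* nop */
};

size_t scan_sample(struct ais_hit *hits, size_t max_hits)
{
    return find_ais_wrappers(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, max_hits);
}

int main(void)
{
    struct ais_hit hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %c-form wrapper, AIS word 0x%08X\n",
               hits[i].offset, hits[i].prefix, hits[i].word);
    return 0;
}
```

The scanner advances past a whole wrapper once matched, so the four word bytes are never re-examined as a prefix; a real triage tool would still need to confirm the surrounding code actually executes JMPAI before treating a hit as AIS.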
A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM was an x86 assembler, and AIS is a separate instruction set.[4] An assembler is available from Domas's 2018 research.[5]
In 2007 a patent named some microcode instructions as load and store to/from main RAM, and loadPRAM and storePRAM to/from private RAM inside the processor.[6]
The Centaur Technologies verification team, in a 2014 paper about the VIA Nano, included some short lists of micro-instructions including ADDIG, JLINK, JMP_ALL, MVIG, NLOOPE, STORE_PRAM, plus micro-operations XADD and XSUB. Micro-operations were shown to have a format that includes the fields opcode, exec unit, src width, src1, src2, dest width, dest, write flags? and end routine?.[7]
A 2002 programming reference for the Alternate Instruction Set[8] and an accompanying appnote[1] were added to the Bitsavers archive in May 2021.
Availability

From x86 mode, the availability of the Alternate Instruction Set can be detected by executing a CPUID with the EAX register set to 0xc0000001 and then examining the EDX register. If EDX bit 0 is set to 1, then AIS is supported. If EDX bit 1 is also set to 1, then AIS is enabled.[9] If AIS is supported by the CPU, then its status can be checked and altered through the model-specific registers, by checking and setting the Feature Control Register (FCR, register 0x1107). If bit 0 ("ALTINST") is set to 1, then AIS is enabled.[9]

The Microsoft Windows NT kernel KiGetFeatureBits() initialisation function proactively disables Alternate Instruction mode on boot up.[10]

If the x86 JMPAI jump instruction is executed when AIS mode is disabled, then the processor will generate an Invalid Instruction exception.[11]

Changing the AIS-enabled bit requires privileged access, and it should be changed using a read-modify-write sequence so that the other FCR bits are preserved.[11]
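The detection steps above, as an added C example that is not taken from the VIA datasheets or from any project on the page. The CPUID leaf, EDX bits, MSR number and ALTINST bit are the ones the page gives; the check of leaf 0xC0000000 first, the decision to treat "enabled" as meaningful only when "supported" is set, and the use of Linux's /dev/cpu/N/msr interface to read the FCR are this example's own choices. The decoder is kept separate from the CPUID call so its logic can be exercised on any machine, and the read-modify-write helper computes the value that clears ALTINST, which is the direction a hardening script would take.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaves and EDX bits named on the page (Centaur extended range). */
#define CENTAUR_CPUID_BASE  0xC0000000u   /* EAX returns the highest Centaur leaf */
#define CENTAUR_CPUID_FEATS 0xC0000001u
#define AIS_SUPPORTED_BIT   (1u << 0)
#define AIS_ENABLED_BIT     (1u << 1)

/* Feature Control Register MSR and its ALTINST bit, from the page. */
#define MSR_FCR             0x1107u
#define FCR_ALTINST_BIT     (1ull << 0)

struct ais_status {
    bool has_centaur_leaves;  /* leaf 0xC0000001 exists at all */
    bool supported;           /* EDX bit 0 */
    bool enabled;             /* EDX bit 1, meaningful only when supported */
};

/* Pure decoder over raw register values, so the logic can be checked without
   VIA hardware. A CPU without Centaur leaves answers 0xC0000000 with the data
   of some other leaf (or zeros), whose EAX is far below 0xC0000001; that case
   is rejected before any EDX bit is interpreted. */
struct ais_status decode_ais_status(uint32_t base_eax, uint32_t feats_edx)
{
    struct ais_status s = { false, false, false };
    if (base_eax < CENTAUR_CPUID_FEATS)
        return s;
    s.has_centaur_leaves = true;
    s.supported = (feats_edx & AIS_SUPPORTED_BIT) != 0;
    s.enabled   = s.supported && (feats_edx & AIS_ENABLED_BIT) != 0;
    return s;
}

/* The read-modify-write the page calls for, applied to a value read from FCR:
   only the ALTINST bit changes, every other bit is preserved. Returns the
   value to write back; the write itself needs ring 0 (WRMSR). */
uint64_t fcr_with_altinst_cleared(uint64_t fcr)
{
    return fcr & ~FCR_ALTINST_BIT;
}

/* Run CPUID on the host. Uses the __cpuid macro rather than __get_cpuid,
   because __get_cpuid bounds-checks against the 0x80000000 range and would
   refuse the 0xC0000000 leaves even on a VIA CPU. */
struct ais_status query_ais_status(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, base_eax, feats_edx;
    __cpuid(CENTAUR_CPUID_BASE, a, b, c, d);
    base_eax = a;
    __cpuid(CENTAUR_CPUID_FEATS, a, b, c, d);
    feats_edx = d;
    return decode_ais_status(base_eax, feats_edx);
#else
    return decode_ais_status(0, 0);   /* not an x86 host: report "no AIS" */
#endif
}

/* Read FCR through Linux's msr driver (/dev/cpu/N/msr, file offset = MSR
   number). Needs root and the msr module; returns false if it cannot read. */
bool read_fcr(int cpu, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return false;
    bool ok = pread(fd, out, sizeof *out, MSR_FCR) == (ssize_t)sizeof *out;
    close(fd);
    return ok;
}

int main(void)
{
    struct ais_status s = query_ais_status();
    if (!s.has_centaur_leaves) {
        puts("no Centaur CPUID leaves: AIS not present");
        return 0;
    }
    printf("AIS supported: %s, enabled: %s\n",
           s.supported ? "yes" : "no", s.enabled ? "yes" : "no");
    uint64_t fcr;
    if (read_fcr(0, &fcr))
        printf("FCR=0x%llx ALTINST=%d (cleared value would be 0x%llx)\n",
               (unsigned long long)fcr, (int)(fcr & FCR_ALTINST_BIT),
               (unsigned long long)fcr_with_altinst_cleared(fcr));
    return 0;
}
```

On a non-VIA machine the program reports that the Centaur leaves are absent and stops; it never interprets EDX bits from an unrelated leaf, which is the mistake a naive "just query 0xC0000001" check would make.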
Privilege elevation

In 2018 Christopher Domas discovered that some Samuel 2 processors came with the Alternate Instruction Set enabled by default and that by executing AIS instructions from user space, it was possible to gain privilege escalation from Ring 3 to Ring 0.[5] Domas had partially reverse engineered the AIS instruction set using automated fuzzing against a cluster of seven thin clients.[12] Domas used the terms "deeply embedded core" (DEC) plus "deeply embedded instruction set" (DEIS) for the RISC instruction set, "launch instruction" for JMPAI, "bridge instruction" for the x86 prefix wrapper, "global configuration register" for the Feature Control Register (FCR), and gave the exploit the physics-inspired name "Rosenbridge".[5]
See also

- NEC V20/V30, an x86-compatible CPU implementing a similar scheme to enter and exit an alternate instruction set mode to support Intel 8080 instructions.
References

1. VIA, VIA C3 Processor Alternate Instruction Set Application Note, version 0.24, 2002. Accessed on Apr 26, 2023.
2. Alternate Instruction Set (PDF). VIA Eden (Report). Embedded System Platform Processor Datasheet. November 2002. pp. 70‒71. Retrieved 2018-08-10.
3. Stiller, Andreas (2003-01-22). "VIAs Prozessor der siebten Generation" [VIA's seventh-generation processor]. Heise Online (in German). Heinz Heise. Retrieved 2018-08-12. Quoted passage (translated): "As … Nehemiah's RISC-like core can also be programmed natively (AIS: Alternate Instruction Set). Here too it remains to be seen whether resourceful programmers can use this in one driver or another to squeeze out more performance."
4. "#21 add support for Centaur's AIS". The Netwide Assembler. 2002-12-18. Retrieved 2018-08-12 – via Sourceforge.
5. Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". GitHub. Retrieved 2018-08-10.
6. US patent 20080256336, Henry, G. Glenn; Eddy, Colin & Hooker, Rodney E. et al., "Microprocessor with private microcode ram", published 2008-10-16, issued 2010-11-02.
7. Davis, Jared; Slobodova, Anna; Swords, Sol (2016-04-20). "Microcode Verification – Another Piece of the Microprocessor Verification Puzzle" (PDF). Retrieved 2018-08-14.
8. VIA, VIA C3 Processor Alternate Instruction Set Programming Reference, version 0.25, November 2002. Accessed on Apr 26, 2023.
9. Centaur Extended CPUID Instruction Functions (PDF). VIA Eden-N Embedded System Platform Processor Datasheet (Report). 2004-10-22. pp. 20, 74. Retrieved 2018-08-10.
10. Microsoft. "kernlini.c". Microsoft Windows NT kernel source. Retrieved 2018-08-14. Quoted: KiGetFeatureBits() … // Disable bit 0 which controls the Cyrix ALTINST feature.
11. Alternative Instruction Execution (PDF). VIA C3 Samuel 2 Processor Datasheet (Report). October 2004. p. 60.
12. Wagenseil, Paul (2018-08-09). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware. Retrieved 2018-08-10.
Further reading

- US patent 20030154359, Henry, Glenn; Hooker, Rodney & Parks, Terry, "Apparatus and method for extending a microprocessor instruction set", published 2003-08-14, issued 2007-02-20, assigned to Centaur Technology.
- US patent 20030188130, Henry, Glenn; Hooker, Rodney & Parks, Terry, "Mechanism for extending the number of registers in a microprocessor", published 2003-10-02, issued 2008-05-13, assigned to Centaur Technology.
- Domas, Christopher (2018-08-10). God Mode unlocked: Hardware backdoors in x86 CPUs (PDF). DEF CON 26. Las Vegas.
- Tracy Kidder (2022). "The Soul of a New Machine". Sky and Telescope. 144 (6): 70. Bibcode:2022S&T...144f..70T. Comments on the use of mode bits in CPUs, in the context of the creation of Data General's Eagle computer.