We missed this Blackhat talk back in August, but it’s so good we’re glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user/kernel separation mechanisms.
The result is that these specific processors have an intentional mechanism that allows any unprivileged user to jump directly to root level access. The most fascinating part of the talk is the methodical approach [Domas] took to discover the details of this undocumented feature. Once he had an idea of what he was looking for, he automated the process of checking every possible x86 instruction, looking for the one instruction that allowed running code on that extra core. The whole talk is entertaining and instructional, check it out after the break!
Oh, the hijinks that the early days of the PC revolution allowed. Back in the days when a 20MB hard drive was a big deal and MS-DOS 3.1 ruled over every plain beige PC-clone cobbled together by enthusiasts like myself, it was great fun to “set up” someone else’s machine to do something unexpected. This generally amounted to finding an unattended PC — the rooms of the residence hall where I lived in my undergrad days were a target-rich environment in this regard — and throwing something annoying in the AUTOEXEC.BAT file. Hilarity ensued when the mark next booted the machine and was greeted with something like an inverted display or a faked hard drive formatting. Control-G was good to me too.
So it was with a sense of great nostalgia that I watched [Ben Cartwright-Cox]’s recent 35C3 talk on the anatomy and physiology of viruses from the DOS days. Fair warning to the seasoned reader that a sense of temporal distortion is inevitable while watching someone who was born almost a decade after the last meaningful release of MS-DOS discuss its inner workings with such ease. After a great overview of the DOS API elements that were key to getting anything done back then, malware or regular programs alike, he dives into his efforts to mine an archive of old DOS viruses, the payloads of most of which were harmless pranks. He built some tools to find viruses that triggered based on the system date, and used an x86 emulator he designed to test every day between 1980 and 2005. He found about 10,000 malware samples and explored their payloads, everything from well-wishes for the New Year to a bizarre foreshadowing of the Navy Seal Copypasta meme.
We found [Ben]’s talk a real treat, and it’s good to see someone from the current generation take such a deep dive into the ways many of us cut our teeth in the computing world.
You have a clean MSDOS system, and you need to write some software for it. What do you do? You could use debug, of course. But there are no labels so while you can get machine code from mnemonics, you’ll still need to figure out the addresses on your own. That wasn’t good enough for [mniip], who created an assembler using mostly batch files. There are a few .COM files and it looks as if the first time you use debug to create those, but there’s also source you can assemble on subsequent builds with the assembler.
Why? We aren’t entirely sure. But it is definitely a hack. The technique sort of reminded us of our own universal cross assembler — sort of.
Dividing by zero — the fundamental no-can-do of arithmetic. It is somewhat surrounded by mystery, and is a constant source for internet humor, whether it involves exploding microcontrollers, the collapse of the universe, or crashing your own world by having Siri tell you that you have no friends.
It’s also one of the few things gcc will warn you about by default, which caused a rather vivid discussion with interesting insights when I recently wrote about compiler warnings. And if you’re running a modern operating system, it might even send you a signal that something’s gone wrong and let you handle it in your code. Dividing by zero is more than theoretical, and serves as a great introduction to signals, so let’s have a closer look at it.
Chances are, the first time you heard about division itself back in elementary school, it was taught that dividing by zero is strictly forbidden — and obviously you didn’t want your teacher call the cops on you, so you obeyed and refrained from it. But as with many other things in life, the older you get, the less restrictive they become, and dividing by zero eventually turned from forbidden into simply being impossible and yielding an undefined result.
And indeed, if a = b/0, it would mean in reverse that a×0 = b. If b itself was zero, the equation would be true for every single number there is, making it impossible to define a concrete value for a. And if b was any other value, no single value multiplied by zero could result in anything non-zero. Once we move into the realms of calculus, we will learn that infinity appears to be the answer, but that’s in the end just replacing one abstract, mind-boggling concept with another one. And it won’t answer one question: how does all this play out in a processor? Continue reading “Creating Black Holes: Division By Zero In Practice”→
It’s about convenience when it comes to single board computers. The trade-off of raw compute power for size means the bulk of them end up being ARM based, but there are a few exceptions like the x86 based Udoo Ultra. The embedded Intel 405 GPU on the Udoo Ultra is better than most in the category, but that won’t begin to play much of anything outside of a browser window. Not satisfied with “standard” [Matteo] put together his build combining an Udoo x86 Ultra with a NVIDIA 1060 GPU. It seems ridiculous to have an expansion card almost three times longer than the entire computer its attached to, but since when did being ridiculous stop anyone in the pursuit of a few more polygons?
Since the Udoo Ultra doesn’t feature a PCIe slot [Matteo] slotted in a M.2 to PCIe adapter board. There are two PCIe lines accessible by the Udoo Ultra’s M.2 port although trimming the adapter board was required in order to fit. The PCIe female slot was cut open to allow the 1060 GPU to slide in. All of the throughput of the 1060 GPU wouldn’t be utilized given the Udoo Ultra’s limitations anyway.
Windows 10 was the OS chosen for the machine so that all those NVIDIA drivers could be installed, and there’s also the added benefit of being able to sneak in a little Trackmania Turbo too. So to accompany the build, [Matteo] created a graphics comparison video to show the remarkable improvement over the embedded graphics chip. You can see the Time Spy benchmark results in the video below.
We live in a time when you don’t have to know assembly language to successfully work with embedded computers. The typical processor these days has resources that would shame early PCs and some of the larger ones are getting close to what was a powerful desktop machine only a few years ago. Even so, there are some cases where you really want to use assembly language. Maybe you need more speed. Or maybe you need very precise control over timing. Maybe you just like the challenge. [Robert G. Plantz] from Sonoma State University has an excellent book online titled “Introduction to Computer Organization: ARM Assembly Langauge Using the Raspberry Pi.” If you are interested in serious ARM assembly language, you really need to check out this book.
If you are more interested in x86-64 assembly and Linux [Plantz] has you covered there, too. Both books are free to read on the Internet, and you can pick up a printed version of the Linux book for a small payment if you want.
Based on [Ben Jojo’s] title — x86 Assembly Doesn’t have to be Scary — we assume that normal programmers fear assembly. Most hackers don’t mind it, but we also don’t often have an excuse to program assembly for desktop computers.
In fact, the post is really well suited for the typical hacker because it focuses the on real mode of an x86 processor after it boots. What makes this tutorial a little more interesting than the usual lecture is that it has interactive areas, where a VM runs your code in the browser after assembling with NASM.