Alternate Instruction Set

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Sladen (talk | contribs) at 15:22, 10 August 2018 (initially populate based on news reports). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Alternate Instruction Set (AIS) is a second 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On VIA C3 processors, the second hidden processor mode is accessed by executing the x86 instruction ALTINST (0F 3F) with a pointer to the instructions in the EAX register.[1]

Instruction format

Every Alternate Instruction Set instruction is prefixed with the 3-byte sequence 0x8D8400 followed by the 32-bit instruction; this prefix form for the AIS instructions makes them appear to be x86 Load Effective Address (LEA) instructions. The manufacturer describes AIS as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms".[1]
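The encoding described above can be checked for in a code buffer during binary triage. The following is an added example, not taken from the cited datasheet or research: the function names, the sample bytes and the `min_run` threshold are constructed for illustration, and reading the 32-bit word as little-endian is an assumption.

```python
import struct

ALTINST = b"\x0f\x3f"         # x86 opcode that enters the alternate instruction set
AIS_PREFIX = b"\x8d\x84\x00"  # 3-byte wrapper; decodes as LEA with a 32-bit displacement
AIS_LEN = len(AIS_PREFIX) + 4 # wrapper plus the 32-bit AIS instruction word

def find_altinst(code: bytes) -> list:
    """Offsets of every 0F 3F byte pair in the buffer."""
    offsets, pos = [], code.find(ALTINST)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(ALTINST, pos + 1)
    return offsets

def find_ais_runs(code: bytes, min_run: int = 1) -> list:
    """Return (offset, [word, ...]) for runs of back-to-back wrapped words.

    One such LEA can occur in ordinary x86 code, so callers can raise
    min_run to report only consecutive wrapped words (assumed heuristic).
    A wrapper with fewer than 4 bytes after it is ignored.
    """
    runs, i = [], 0
    while i <= len(code) - AIS_LEN:
        if code[i:i + 3] != AIS_PREFIX:
            i += 1
            continue
        start, words = i, []
        while code[i:i + 3] == AIS_PREFIX and i + AIS_LEN <= len(code):
            # Byte order of the payload is an assumption (little-endian, as x86 disp32).
            words.append(struct.unpack_from("<I", code, i + 3)[0])
            i += AIS_LEN
        if len(words) >= min_run:
            runs.append((start, words))
    return runs

def triage(code: bytes, min_run: int = 2) -> dict:
    """Flag a buffer that holds both the mode-switch opcode and a wrapped run."""
    altinst, runs = find_altinst(code), find_ais_runs(code, min_run)
    return {"altinst": altinst, "runs": runs, "suspicious": bool(altinst and runs)}

# Constructed sample: two NOPs, ALTINST, two wrapped words, RET,
# one isolated LEA of the same form, a NOP, and a truncated wrapper.
SAMPLE = bytes.fromhex("9090" "0f3f" "8d840011223344" "8d8400aabbccdd"
                       "c3" "8d840010000000" "90" "8d840001")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is only a lead for disassembly review, since both byte patterns can also appear in data or in unrelated instructions.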

Privilege elevation

In 2018 Christopher Domas discovered that some systems came with the Alternate Instruction Set enabled by default and that by executing AIS instructions, privilege escalation from Ring 3 to Ring 0 was possible.[2] The instruction format was reverse engineered using automated fuzzing.[3]

References

  1. Alternate Instruction Set (PDF). VIA Eden (Report). Embedded System Platform Processor Datasheet. November 2002. pp. 70–71. Retrieved 10 August 2018.
  2. Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". Retrieved 10 August 2018.
  3. Wagenseil, Paul (9 August 2018). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware. Retrieved 10 August 2018.