Alternate Instruction Set

The Alternate Instruction Set (AIS) is a second 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On VIA C3 processors, the second hidden processor mode is accessed by executing the x86 instruction ALTINST (0F 3F) with a pointer to the instructions in the EAX register.^[1]

Instruction format

Every Alternate Instruction Set instruction is prefixed with the 3-byte sequence 0x8D8400 followed by the 32-bit instruction; this prefix form for the AIS instructions makes them appear to be x86 Load Effective Address (LEA) instructions. The manufacter describes AIS as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms".^[1]

Availability

From x86 mode, the availability of the Alternate Instruction Set can be detected by executing a CPUID with the EAX register set to 0xc0000001 and then examining the EDX register. If EDX bit 0 is set to 1, then AIS is supported. If EDX bit 1 is also set to 1, then AIS is enabled.^[2] If AIS is supported by the CPU, then its status can be checked and altered through the Machine state registers, by checking and setting the Feature Control Register (FCR, register 0x1107). If bit 0 ("ALTINST") is set to 1, then AIS is enabled.^[2] Setting the AIS enable bit requires privileged access must be set using a read-modify-write sequence.^[3]

If the x86 ALTINST jump instruction is executed when AIS mode is disabled, then the processor will generate an Invalid Instruction exeception.^[3]

Privilege elevation

In 2018 Christopher Domas discovered that some systems came with the Alternate Instruction Set enabled by default and that by executing AIS instructions, privilege escalation from Ring 3 to Ring 0 was possible.^[4] The instruction format was reverse engineered using automated fuzzing.^[5] Domas used the name "deeply embedded instruction set" (DEIS).

References

^ ^a ^b Alternate Instruction Set (PDF). VIA Eden (Report). Embedded System Platform Processor Datasheet. November 2002. p. 70‒71. Retrieved 10 August 2018.
^ ^a ^b Centaur Extended CPUID Instruction Functions (PDF). VIA Eden-N Embedded System Platform Processor Datasheet (Report). 22 October 2004. p. 20, 74. Retrieved 10 August 2018.
^ ^a ^b Alternative Instruction Execution (PDF). VIA C3 Samuel 2 Processor Datasheet (Report). October 2004. p. 60.
^ Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". Retrieved 10 August 2018.
^ Wagenseil, Paul (9 August 2018). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware. Retrieved 10 August 2018.

[via-200211-1] Alternate Instruction Set (PDF). VIA Eden (Report). Embedded System Platform Processor Datasheet. November 2002. p. 70‒71. Retrieved 10 August 2018.

[via-20041022-2] Centaur Extended CPUID Instruction Functions (PDF). VIA Eden-N Embedded System Platform Processor Datasheet (Report). 22 October 2004. p. 20, 74. Retrieved 10 August 2018.

[via-samuel-200410-3] Alternative Instruction Execution (PDF). VIA C3 Samuel 2 Processor Datasheet (Report). October 2004. p. 60.

[4] Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". Retrieved 10 August 2018.

[5] Wagenseil, Paul (9 August 2018). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware. Retrieved 10 August 2018.

[1]

[2]

[3]

[4]

[5]