
Alternate Instruction Set

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Sladen (talk | contribs) at 09:58, 14 August 2018 (Further reading: +"Mechanism for extending the number of registers in a microprocessor" patent listing extra accessible registers R8‒R15). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Alternate Instruction Set (AIS) is a second 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On these VIA C3 processors, the second, hidden processor mode is entered by executing the x86 instruction ALTINST (opcode 0F 3F). If AIS mode has been enabled, the processor performs a JMP EAX[1] and begins executing AIS instructions at the address held in the EAX register. Using AIS gives native access to the Centaur Technology-designed RISC core inside the processor.[2]

Instruction format

Register mapping between AIS and x86

AIS number    x86 name
R0            EAX
R1            ECX
R2            EDX
R3            EBX
R4            ESP
R5            EBP
R6            ESI
R7            EDI
R8‒R15        (no x86 equivalent; additional registers reachable only from AIS)

Every Alternate Instruction Set instruction is prefixed with the 3-byte sequence 0x8D8400 followed by the 32-bit instruction; this prefix makes AIS instructions appear to be x86 Load Effective Address (LEA) instructions. The manufacturer describes AIS as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms".[1]
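The two x86-visible signatures described so far (the ALTINST opcode 0F 3F and the 8D 84 00 prefix that wraps each 32-bit AIS word) can be searched for in raw code bytes. The following C program is an added example, not code from the VIA datasheet or any VIA tool: it scans a buffer for both patterns and extracts the AIS words. The sample buffer is constructed here, and the four payload bytes after each prefix are arbitrary placeholders, not real AIS encodings (the page lists none).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not VIA's code. Byte-level detector for the x86-visible
 * artefacts of AIS code:
 *   ALTINST opcode  0F 3F               (enters AIS mode, behaves as JMP EAX)
 *   AIS prefix      8D 84 00 + 4 bytes  (decodes as LEA EAX,[EAX+EAX*1+disp32])
 * The 32-bit AIS instruction occupies what x86 would read as the LEA's disp32
 * field, so every wrapped AIS instruction is exactly 7 bytes long. */

#define AIS_PREFIX_LEN  3
#define AIS_INSN_LEN    4
#define AIS_WRAPPED_LEN (AIS_PREFIX_LEN + AIS_INSN_LEN)

static const uint8_t AIS_PREFIX[AIS_PREFIX_LEN] = { 0x8D, 0x84, 0x00 };
static const uint8_t ALTINST_OPCODE[2]          = { 0x0F, 0x3F };

struct ais_hit {
    size_t   offset;  /* offset of the 8D 84 00 prefix within the buffer */
    uint32_t insn;    /* the 32-bit AIS word following it, little-endian */
};

/* Count byte-level occurrences of the ALTINST opcode (no disassembly). */
size_t count_altinst(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + sizeof ALTINST_OPCODE <= len; i++)
        if (buf[i] == ALTINST_OPCODE[0] && buf[i + 1] == ALTINST_OPCODE[1])
            n++;
    return n;
}

/* Locate AIS-wrapped instructions. Returns the total number found; the first
 * max_hits of them are stored in hits[]. After a match the scan skips the
 * whole 7-byte unit so the AIS payload bytes are not re-scanned as a prefix. */
size_t find_ais_wrapped(const uint8_t *buf, size_t len,
                        struct ais_hit *hits, size_t max_hits)
{
    size_t n = 0, i = 0;
    while (i + AIS_WRAPPED_LEN <= len) {
        if (buf[i] == AIS_PREFIX[0] && buf[i + 1] == AIS_PREFIX[1] &&
            buf[i + 2] == AIS_PREFIX[2]) {
            if (n < max_hits) {
                hits[n].offset = i;
                hits[n].insn   = (uint32_t)buf[i + 3]
                               | (uint32_t)buf[i + 4] << 8
                               | (uint32_t)buf[i + 5] << 16
                               | (uint32_t)buf[i + 6] << 24;
            }
            n++;
            i += AIS_WRAPPED_LEN;
        } else {
            i++;
        }
    }
    return n;
}

/* Scalar accessors for the k-th (0-based) wrapped instruction in buf.
 * Return (size_t)-1 / 0 when there is no k-th hit. */
size_t ais_nth_offset(const uint8_t *buf, size_t len, size_t k)
{
    struct ais_hit hits[16];
    size_t n = find_ais_wrapped(buf, len, hits, 16);
    return (k < n && k < 16) ? hits[k].offset : (size_t)-1;
}

uint32_t ais_nth_insn(const uint8_t *buf, size_t len, size_t k)
{
    struct ais_hit hits[16];
    size_t n = find_ais_wrapped(buf, len, hits, 16);
    return (k < n && k < 16) ? hits[k].insn : 0;
}

/* Constructed sample: ALTINST, two wrapped AIS words, a NOP in between.
 * The payload bytes are placeholders, not real AIS encodings. */
const uint8_t SAMPLE[] = {
    0x0F, 0x3F,                                 /* ALTINST             (offset 0)  */
    0x8D, 0x84, 0x00, 0x78, 0x56, 0x34, 0x12,   /* prefix + 0x12345678 (offset 2)  */
    0x90,                                       /* NOP                 (offset 9)  */
    0x8D, 0x84, 0x00, 0xEF, 0xBE, 0xAD, 0xDE,   /* prefix + 0xDEADBEEF (offset 10) */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    struct ais_hit hits[8];
    size_t n = find_ais_wrapped(SAMPLE, SAMPLE_LEN, hits, 8);
    printf("ALTINST opcodes: %zu, AIS-wrapped instructions: %zu\n",
           count_altinst(SAMPLE, SAMPLE_LEN), n);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("  offset %zu: AIS word 0x%08X\n", hits[k].offset,
               (unsigned)hits[k].insn);
    return 0;
}
```

A genuine x86 LEA EAX,[EAX+EAX*1+disp32] produces the same 8D 84 00 bytes, and 0F 3F can also occur inside immediates or data, so a hit from this scanner is a candidate for review rather than proof of AIS code; a length-correct x86 disassembly pass over the surrounding bytes is the usual follow-up.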

A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM was an x86 assembler and AIS is a separate instruction set.[3]

Availability

From x86 mode, the availability of the Alternate Instruction Set can be detected by executing CPUID with the EAX register set to 0xc0000001 and then examining the EDX register. If EDX bit 0 is set to 1, then AIS is supported. If EDX bit 1 is also set to 1, then AIS is enabled.[4] If the CPU supports AIS, its status can be checked and altered through the machine state registers, by reading and setting the Feature Control Register (FCR, register 0x1107). If its bit 0 ("ALTINST") is set to 1, then AIS is enabled.[4]

The Microsoft Windows NT kernel's KiGetFeatureBits() initialisation function proactively disables Alternate Instruction mode at boot.[5] If the x86 ALTINST jump instruction is executed while AIS mode is disabled, the processor generates an Invalid Instruction exception.[6] Changing the AIS-enable bit requires privileged access, and it should be set using a read-modify-write sequence.[6]
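The detection and disable steps above, as an added example in C that is not VIA's or Microsoft's code. It decodes CPUID.0xC0000001:EDX into an AIS state, computes the read-modify-write value that clears the ALTINST bit of the FCR (the same operation the NT kernel performs at boot), and probes the live CPU for the CPUID view. Two assumptions beyond the text: CPUID leaf 0xC0000000 reports the highest Centaur leaf in EAX, and CPUID leaf 0 returns the vendor string "CentaurHauls" on these parts. The MSR itself can only be read or written from ring 0, so the block takes a constructed FCR value instead of reading MSR 0x1107.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

/* Added example, not VIA's or Microsoft's code. Pure helpers for the
 * CPUID/FCR checks described above, plus a user-space CPUID probe. */

#define CENTAUR_CPUID_BASE 0xC0000000u  /* assumption: EAX = highest Centaur leaf */
#define CENTAUR_CPUID_FEAT 0xC0000001u  /* EDX = Centaur feature flags */
#define AIS_SUPPORTED_BIT  (1u << 0)    /* CPUID.C0000001H:EDX[0] */
#define AIS_ENABLED_BIT    (1u << 1)    /* CPUID.C0000001H:EDX[1] */
#define MSR_FCR            0x1107u      /* VIA Feature Control Register */
#define FCR_ALTINST_BIT    (1u << 0)    /* FCR bit 0: ALTINST */

enum ais_state {
    AIS_ABSENT,            /* EDX[0] clear */
    AIS_PRESENT_DISABLED,  /* EDX[0] set, EDX[1] clear */
    AIS_PRESENT_ENABLED,   /* EDX[0] and EDX[1] set */
    AIS_INCONSISTENT       /* EDX[1] set without EDX[0]; flagged by choice here */
};

/* Decode the EDX value returned by CPUID leaf 0xC0000001. */
enum ais_state ais_state_from_edx(uint32_t edx)
{
    int supported = (edx & AIS_SUPPORTED_BIT) != 0;
    int enabled   = (edx & AIS_ENABLED_BIT) != 0;
    if (!supported)
        return enabled ? AIS_INCONSISTENT : AIS_ABSENT;
    return enabled ? AIS_PRESENT_ENABLED : AIS_PRESENT_DISABLED;
}

const char *ais_state_name(enum ais_state s)
{
    switch (s) {
    case AIS_ABSENT:           return "AIS not supported";
    case AIS_PRESENT_DISABLED: return "AIS supported, disabled";
    case AIS_PRESENT_ENABLED:  return "AIS supported, ENABLED";
    default:                   return "AIS flags inconsistent";
    }
}

/* Whether the ALTINST bit is set in a value read from MSR 0x1107. */
int fcr_altinst_enabled(uint64_t fcr)
{
    return (fcr & FCR_ALTINST_BIT) != 0;
}

/* Read-modify-write helper: the value to write back to the FCR so that
 * ALTINST is cleared while every other bit is preserved. Writing it needs
 * ring 0 (wrmsr); only the arithmetic is shown here. */
uint64_t fcr_with_altinst_disabled(uint64_t fcr)
{
    return fcr & ~(uint64_t)FCR_ALTINST_BIT;
}

/* User-space probe. Returns 1 and fills *edx_out on a Centaur CPU exposing
 * leaf 0xC0000001, 0 otherwise (non-VIA vendor, no leaf, or non-x86 host). */
int read_centaur_feature_edx(uint32_t *edx_out)
{
#if defined(__i386__) || defined(__x86_64__)
    unsigned int a, b, c, d;
    char vendor[13];
    __cpuid(0, a, b, c, d);
    memcpy(vendor, &b, 4);
    memcpy(vendor + 4, &d, 4);
    memcpy(vendor + 8, &c, 4);
    vendor[12] = '\0';
    if (strcmp(vendor, "CentaurHauls") != 0)   /* assumption: VIA/Centaur vendor id */
        return 0;
    __cpuid(CENTAUR_CPUID_BASE, a, b, c, d);
    if (a < CENTAUR_CPUID_FEAT)                /* leaf 0xC0000001 not implemented */
        return 0;
    __cpuid(CENTAUR_CPUID_FEAT, a, b, c, d);
    *edx_out = d;
    return 1;
#else
    (void)edx_out;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    if (read_centaur_feature_edx(&edx))
        printf("CPUID.C0000001H:EDX = 0x%08X -> %s\n",
               edx, ais_state_name(ais_state_from_edx(edx)));
    else
        puts("No Centaur CPUID leaf 0xC0000001 on this host: AIS absent.");

    /* Constructed FCR value standing in for a privileged read of MSR 0x1107. */
    uint64_t fcr = 0x3ull;
    printf("FCR 0x%016llX: ALTINST %s -> write back 0x%016llX\n",
           (unsigned long long)fcr,
           fcr_altinst_enabled(fcr) ? "enabled" : "disabled",
           (unsigned long long)fcr_with_altinst_disabled(fcr));
    return 0;
}
```

On a Linux host with the msr driver loaded, the value fed to fcr_with_altinst_disabled would come from a root-only read of MSR 0x1107 (for example with the rdmsr utility from msr-tools, if installed), and the result written back with the matching wrmsr; an inventory check that reports AIS_PRESENT_ENABLED on a production system is the condition the NT kernel's boot-time disable exists to prevent.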

Privilege elevation

In 2018 Christopher Domas discovered that some systems shipped with the Alternate Instruction Set enabled by default and that, by executing AIS instructions, privilege escalation from Ring 3 to Ring 0 was possible.[7] The instruction format was reverse engineered using automated fuzzing.[8] Domas used the name "deeply embedded instruction set" (DEIS) and documented the privilege escalation under the name "Rosenbridge".

References

  1. Alternate Instruction Set (PDF). VIA Eden Embedded System Platform Processor Datasheet (Report). November 2002. pp. 70‒71. Retrieved 10 August 2018.
  2. Stiller, Andreas (22 January 2003). "VIAs Prozessor der siebten Generation" [VIA's seventh-generation processor]. Heise Online (in German). Heinz Heise. Retrieved 12 August 2018. Quote (translated): "As … Nehemiah's RISC-like core can also be programmed natively (AIS: Alternate Instruction Set). Here too it remains to be seen whether resourceful programmers can use this in one driver or another to tease out more performance."
  3. "#21 add support for Centaur's AIS". The Netwide Assembler. 18 December 2002. Retrieved 12 August 2018 – via SourceForge.
  4. Centaur Extended CPUID Instruction Functions (PDF). VIA Eden-N Embedded System Platform Processor Datasheet (Report). 22 October 2004. pp. 20, 74. Retrieved 10 August 2018.
  5. Microsoft. "kernlini.c". Microsoft Windows NT kernel source. Retrieved 14 August 2018. Quote: KiGetFeatureBits() … "// Disable bit 0 which controls the Cyrix ALTINST feature."
  6. Alternative Instruction Execution (PDF). VIA C3 Samuel 2 Processor Datasheet (Report). October 2004. p. 60.
  7. Domas, Christopher. "Rosenbridge: Hardware backdoors in x86 CPUs". Retrieved 10 August 2018.
  8. Wagenseil, Paul (9 August 2018). "Hacker Finds Hidden 'God Mode' on Old x86 CPUs". Tom's Hardware. Retrieved 10 August 2018.

Further reading

  • US patent 20030154359, Henry, Glenn; Hooker, Rodney & Parks, Terry, "Apparatus and method for extending a microprocessor instruction set", published 2003-08-14, issued 2007-02-20, assigned to Centaur Technology 
  • US patent 20030188130A1, Henry, Glenn; Hooker, Rodney & Parks, Terry, "Mechanism for extending the number of registers in a microprocessor", issued 2008-05-13, assigned to Centaur Technology