Breaking the x86 Instruction Set

Black Hat

6 years ago

357,951 views

Comments:


MaTo LechaT - 17.10.2023 22:50

love you !

Hostile - 08.09.2023 13:04

x86 was created by HP in the 60s. They didn't really do anything with it.
The military was working with it and John wrote some theory for AI to help create solutions to make things better by looking for solutions for calculations etc. (I have no idea how it works).
They were able to make big jumps in the 70s in tech and then roll out CPU tech slowly in small jumps rather than a large one to stay competitive.

xDR1TeK - 03.09.2023 15:52

Remarkable person with a unique mind.

The Real Patricia Whackus Bonkus Jr. III - 18.08.2023 12:30

The Altair 8800 was a mistake

Chris Dickens - 18.08.2023 07:16

Fascinating.

That Guy - 26.07.2023 14:30

well if you have
E5 DF 00 00 00 00 00 00 FF 00
why rollback and not try
E5 DF 00 00 00 00 00 00 01 01
to see if that also changes anything

gloverelaxis - 10.06.2023 07:01

every shareholder/owner of Intel should really be in jail

Derfie McGoo - 23.05.2023 08:21

Just because an instruction executes doesn't necessarily mean it's an undocumented instruction. It might simply be an unintended consequence of the processor's design, a sort of "ghost" instruction that doesn't serve any real purpose.

Derfie McGoo - 23.05.2023 08:21

Wasn't there an instruction that would let you fry eggs on a celery processor?

Яблочный пирог - 08.05.2023 15:20

strange, but the link to this video was sent to me by ChatGPT

D Mankefor - 21.03.2023 18:17

throughout the presentation I could only think of (QUANTUM-COMPUTING)1 solution to the problem he mentioned.

Deckard 5 Pegasus - 20.02.2023 02:32

Is this guy still alive? or did the FBI/men in black visit his house?

Farzher - 04.01.2023 14:57

sandsifter is a cool name

pillarcloud - 13.12.2022 08:04

Ever heard of the Talpiot Program?

etmax1 - 13.11.2022 16:27

Great, well explained video, thanks

TheDomesticatedSloth(William Raezer) - 05.10.2022 08:50

What is most likely is that the opcode streams are grouped in such a way that instructions are deduced.

42 - 12.09.2022 19:46

Damn, this has the feel of a physicist in the 1920s first putting enough plutonium into one place and seeing what happens. You just don't know, and what you might find might very well be groundbreaking

Quality Edits - 28.07.2022 16:09

what a talk! phenomenally creative, important, and useful. I understood almost all of it despite knowing next to nothing about x86, barely anything about process/OS security schemes and how their traps/exceptions are passed around, what the rings mean, and just generally being very new to OS and hardware stuff.

Lucas Simoni - 04.07.2022 10:28

I'm afraid of running that and NOT GETTING A BLUE SCREEN/KERNEL PANIC, and the CPU just corrupting some files, or doing something crazy with the OS, etc. I'd run with my storage detached physically from the motherboard and no network cards online.

The Habsburg - 20.03.2022 11:23

The major banks are run by men, and they hold the government hostage.

You know where this goes

Alex C - 05.03.2022 20:04

Did he release info on his f00f bug discovery?

Nobody Important - 26.11.2021 05:21

"Rizen" man can't even say Ryzen correctly

Sam M - 21.11.2021 17:21

I watched this video 5 TIMES!... not because I didn't understand it but because it's just wonderful and so INTERESTING. Amazing Black Hat

Not Gate - 12.11.2021 00:50

Incredible talk

Emily Loucks - 27.10.2021 21:22

If you've ever had your mind hijacked by a narcissist, this is how they do it. If your parents, the original Architects of your mental CPU, got you to trust them over your instinct (they hid from you the key to your own TPM...), then anyone who watches you think for more than a split second about your boundaries will exploit that self doubt. Never let anyone escalate their privileges higher than your own TPM. No one can hack THAT but YOU!

Foo Bar - 25.10.2021 10:16

Bravo! Just brilliant.

stephanie - 03.10.2021 20:23

This is incredible

יובל כהן - 29.09.2021 19:18

4 years later, Intel IME is thriving

Timothy Carpenter - 11.09.2021 02:32

Execute Order 66 !!!

233kosta - 31.08.2021 23:38

I should imagine a lot of these undocumented instructions would be work in progress, perhaps left there for eventual future use, perhaps used to reduce the cost of prototyping, but the coordination between x86 manufacturers does raise some serious concerns. These could be anything from hyperoptimised inverse square root calculations to deliberate holes in x86 security, put in place for "the right people"... See "idiocy of back doors"...

It could also be as simple as Micro$oft (or Apple?) paying them a handsome sum of money to implement a custom instruction set just for them without telling anyone.

Ammar Ahmad - 22.07.2021 13:52

Is this Intel sponsored by any chance?

Andrew's_Lab - 23.06.2021 10:27

This is really well explained.

Oliwier Nowicki - 22.06.2021 23:33

Guys, do not buy Facebook CPU XD

John Undefined - 10.06.2021 17:52

A few things come to my mind:

He talks a lot about "trusting" the processor. I don't think that anyone truly trusts the processor any more than they trust the software. We just have fewer options when it comes to the processor. We can either use a computer or not use it.

If I were nefarious and wanted to hide a secret instruction, a couple good candidates would be an "undefined" opcode with ESI and EDI set to special values or DS: MOV AL, AL (an effective no-op that no one would ever use) again with ESI and EDI set to special values.

The gaps in the op-code table are supposed to be values that do not correspond to an instruction. They may be filled in by later processors. This is, after all, how the processors have evolved.

He says he is doing the entire thing in ring-3. I happen to know that accessing the CR2 register requires ring-0 access. Maybe the operating system is facilitating some of these things. But it still struck me as odd.

Setting all the registers to zero is a good start. But some of those instructions include address offsets, which can still overwrite your "supervisor" code. (Okay, he addresses this one.)

As for the priority error for undefined opcode vs page fault: Yes, it is an erratum. They decided it was a documentation error and fixed their documentation. First off, I can see where they might miss this. Very few people, outside of maybe myself, are going to deliberately execute an undefined instruction over a page-faulting area. Admittedly, I do a few unusual things. I have used MOV CS, AX as a processor check (runs fine on 8088, undefined opcode on 286, man I'm old.)

I miss the days when computers would detect a processor shutdown and just reset the processor. You could use certain memory locations to tell the BIOS where to resume execution. Ah, good times, shut the processor down 20 times and return to DOS like nothing ever happened.

slookify - 10.05.2021 14:43

so much respect for those smart people

JOHN SMITH - 04.05.2021 08:00

absolutely incredible stuff.

🐮🍺cow杯 - 02.05.2021 10:29

How can the page fault analysis exist? Why does the processor allow instructions to be loaded from two different pages, and why don't manufacturers kill this buggy function?

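The two comments above ask how the page-fault analysis from the talk can work from ring 3 and what the priority of #UD versus #PF has to do with it. The mechanism can be shown on ordinary documented instructions, without touching any undocumented opcode. The program below is an added example, not the talk's sandsifter code: it assumes x86-64 Linux with glibc, maps an executable page followed by an unmapped page, copies the first k bytes of a known instruction so they end exactly at the boundary, executes them, and reads the faulting RIP out of the signal context. If SIGSEGV arrives with RIP still equal to the instruction's own address, the decoder needed more than k bytes (the #PF happened before the instruction could retire); any other outcome (the instruction ran and the fetch of the next one faulted in the unmapped page, or a #UD) means k bytes were a complete instruction. The function and array names (measure_length, INSN_*) and the sample byte sequences are mine.

```c
#define _GNU_SOURCE /* exposes REG_RIP in <sys/ucontext.h> on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

#ifndef REG_RIP
#define REG_RIP 16 /* glibc x86-64 gregs[] index of RIP, in case the header did not expose it */
#endif

#define PAGE_SZ 4096
#define MAX_INSN_LEN 15 /* architectural maximum x86 instruction length */

/* Constructed sample inputs: documented, register-only instructions, so
 * running them with whatever happens to be in the registers is harmless. */
static const uint8_t INSN_NOP[]           = {0x90};                         /* nop */
static const uint8_t INSN_XOR_EAX[]       = {0x31, 0xC0};                   /* xor eax, eax */
static const uint8_t INSN_MOV_EAX_IMM32[] = {0xB8, 0x44, 0x33, 0x22, 0x11}; /* mov eax, 0x11223344 */
static const uint8_t INSN_NOP5[]          = {0x0F, 0x1F, 0x44, 0x00, 0x00}; /* 5-byte nop */

static sigjmp_buf g_env;
static volatile int g_fault_sig;
static volatile uintptr_t g_fault_rip;

/* Both #PF (SIGSEGV) and #UD (SIGILL) land here. Record the RIP at the time
 * of the fault and jump back into measure_length instead of returning. */
static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)si;
    g_fault_sig = sig;
    g_fault_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    siglongjmp(g_env, 1);
}

static int install_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    if (sigaction(SIGILL, &sa, NULL) != 0) return -1;
    return 0;
}

/* Returns how many bytes of `insn` the CPU consumed as one instruction,
 * or -1 if the executable mapping or the handlers could not be set up. */
int measure_length(const uint8_t *insn, size_t insn_len)
{
    uint8_t *buf = mmap(NULL, 2 * PAGE_SZ, PROT_READ | PROT_WRITE | PROT_EXEC,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    /* Second page is inaccessible, so any fetch that reaches it raises #PF. */
    if (mprotect(buf + PAGE_SZ, PAGE_SZ, PROT_NONE) != 0 || install_handlers() != 0) {
        munmap(buf, 2 * PAGE_SZ);
        return -1;
    }

    volatile int result = -1;
    for (volatile size_t k = 1; k <= insn_len && k <= MAX_INSN_LEN; k++) {
        uint8_t *start = buf + PAGE_SZ - k; /* first k bytes end exactly at the boundary */
        memcpy(start, insn, k);
        g_fault_sig = 0;
        if (sigsetjmp(g_env, 1) == 0) {
            void (*fn)(void);
            memcpy(&fn, &start, sizeof fn);
            fn(); /* never returns normally: the next fetch at buf+PAGE_SZ faults */
        }
        if (g_fault_sig == SIGSEGV && g_fault_rip == (uintptr_t)start)
            continue; /* faulted before retiring: decoder wanted more than k bytes */
        /* RIP moved into the unmapped page (executed) or #UD: k bytes were a whole instruction */
        result = (int)k;
        break;
    }
    munmap(buf, 2 * PAGE_SZ);
    return result;
}

int main(void)
{
    printf("nop:            %d\n", measure_length(INSN_NOP, sizeof INSN_NOP));
    printf("xor eax, eax:   %d\n", measure_length(INSN_XOR_EAX, sizeof INSN_XOR_EAX));
    printf("mov eax, imm32: %d\n", measure_length(INSN_MOV_EAX_IMM32, sizeof INSN_MOV_EAX_IMM32));
    printf("5-byte nop:     %d\n", measure_length(INSN_NOP5, sizeof INSN_NOP5));
    return 0;
}
```

The whole measurement runs in ring 3: the process never reads CR2 itself, it only sees the fault the kernel forwards as a signal, and the RIP in the signal context is what distinguishes "needed more bytes" from "ran and then faulted on the next fetch". The fault-priority question in the earlier comment is exactly what the `g_fault_sig == SIGILL` branch depends on: a #UD reported for bytes that do not yet cross the boundary tells you the decoder had seen enough to reject them.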
Rudi Winkelstein - 09.04.2021 17:46

This is why we need RISC-V

TheNoodlyAppendage - 02.04.2021 19:21

He is shortlisted for a job in heaven's R&D department.

John Jeffo - 14.03.2021 06:57

Are there registers they don't tell us about?
