Manufacturers are adding secret machine instructions to x86 chips, and it’s putting us all at risk. These instructions are undocumented, unacknowledged, and potentially dangerous – but they’re sitting in your processor right now. Last year, with the sandsifter project, we discovered how to find these hidden instructions by combining page fault analysis with a depth-first search algorithm to intelligently generate machine code and search through the x86 instruction set. Using this technique, we found new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. But now a year has passed, and we have a lot more to share. In this presentation, we present the first major update to the sandsifter x86 processor fuzzer since its release. We’ll disclose entirely new hypervisor flaws, show how to take down BSD with two bytes of code, and release all the gory details of a denial-of-service ‘halt-and-catch-fire’ instruction found in some x86 processors. With these flaws and more in mind, we’ll illustrate how to use sandsifter to audit your own processor and expose its bugs and secrets.
Christopher Domas is a security researcher and embedded systems engineer, currently investigating scalable IoT security. He is best known for releasing impractical solutions to non-existent problems, including the world’s first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), showing that all programs can be reduced to the same instruction stream (reductio), and the branchless DOOM meltdown mitigations. His more relevant work includes the sandsifter processor fuzzer, the binary visualization tool ..cantor.dust.., and the memory sinkhole x86 privilege escalation exploit.