Speculating the entire x86-64 instruction set in seconds (2021)

https://blog.can.ac/2021/03/22/speculating-x86-64-isa-with-one-weird-trick/

104 points by fanf2 on 2024-05-14 | 4 comments

Automated Summary

The article discusses a method for discovering x86-64 instruction set opcodes using a side-channel, by attempting to find the undocumented instruction that can read from and write to the CRBUS. The process involves using performance counters to measure the execution of different opcodes and filtering out redundant prefixes and suffixes to narrow down the results. The method is used to identify a list of undocumented instructions and observe their behavior under speculative execution. The full dataset and implementation source can be found at haruspex.can.ac/Github.

Comments

ForOldHack on 2024-05-16

Could they do this with x86-16?

rep_lodsb on 2024-05-16

No, because it depends on speculative execution and performance counters. The earliest microarchitecture where this might be possible would be the P6?

And I don't think there are any more x86-16 opcodes left to be discovered. Some time ago I did quite a bit of experimentation with the 80286 to find what is probably the last one[1], and also looked closely at its "entry point PLA" in die shots, which maps opcodes to microcode addresses. The undefined ones all seem to go to the same entry point, which would be the one that triggers #UD.

[1] or at least, figure out what two "useless" undocumented opcodes actually do, and how to use them together: https://rep-lodsb.mataroa.blog/blog/intel-286-secrets-ice-mo...

LegionMammal978 on 2024-05-16

In modern processors, 16-bit, 32-bit, and 64-bit x86 all use mostly the same instructions, just with different default operand sizes. In particular, with a few big exceptions (like INC/DEC r32 being replaced with the REX prefixes, and segment PUSH/POP being removed), they all have the same encodings. So the set of undocumented instructions, especially in the multibyte encoding ranges, is likely the same. Though their behavior might vary, or be absent altogether.
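An added example, not from the article or from any commenter, to make the encoding point above concrete: a toy Python decoder that interprets the same bytes under 32-bit and 64-bit rules. It covers only the 0x40-0x4F range (INC/DEC r32 versus REX prefix), the legacy one-byte segment PUSH/POP opcodes, and the register-direct form of MOV r/m,r (0x89 /r); everything else raises.

```python
# Toy decoder for a few one-byte x86 opcodes, showing how the same bytes
# decode differently in 32-bit and 64-bit mode (added example, not the
# article's code; the tables are hand-constructed).

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
# Legacy segment PUSH/POP: valid in 16/32-bit mode, #UD in 64-bit mode.
SEG_PUSHPOP = {0x06: "push es", 0x07: "pop es", 0x0E: "push cs", 0x16: "push ss",
               0x17: "pop ss", 0x1E: "push ds", 0x1F: "pop ds"}


def reg_name(n: int, wide: bool) -> str:
    """Register number (0-15) to name; REX.W selects 64-bit operand size."""
    return REGS64[n] if wide else (REGS32[n] if n < 8 else "r%dd" % n)


def decode(code: bytes, mode64: bool) -> list:
    """Return a list of (length, text) tuples for the instructions in code."""
    out, i = [], 0
    while i < len(code):
        start, b, rex = i, code[i], 0
        if mode64 and 0x40 <= b <= 0x4F:
            # In 64-bit mode 0x40-0x4F is a REX prefix: bits 3..0 = W R X B.
            rex, i = b, i + 1
            if i >= len(code):
                raise ValueError("dangling REX prefix")
            b = code[i]
        if b in SEG_PUSHPOP:
            if mode64:
                raise ValueError("#UD: %s was removed in 64-bit mode" % SEG_PUSHPOP[b])
            text, i = SEG_PUSHPOP[b], i + 1
        elif 0x40 <= b <= 0x4F:
            # Only reached in 32-bit mode: 0x40+r = INC r32, 0x48+r = DEC r32.
            text, i = ("inc " if b < 0x48 else "dec ") + REGS32[b & 7], i + 1
        elif b == 0x89:
            if i + 1 >= len(code) or code[i + 1] >> 6 != 3:
                raise ValueError("only the register-direct form of 0x89 is handled")
            modrm = code[i + 1]
            reg = ((modrm >> 3) & 7) | ((rex & 0x4) << 1)  # REX.R extends reg
            rm = (modrm & 7) | ((rex & 0x1) << 3)          # REX.B extends r/m
            wide = bool(rex & 0x8)                         # REX.W: 64-bit size
            text, i = "mov %s, %s" % (reg_name(rm, wide), reg_name(reg, wide)), i + 2
        else:
            raise ValueError("opcode 0x%02x not handled by this toy" % b)
        out.append((i - start, text))
    return out


def is_valid(code: bytes, mode64: bool) -> bool:
    """True if the toy decoder accepts the bytes in the given mode."""
    try:
        decode(code, mode64)
        return True
    except ValueError:
        return False
```

The bytes `48 89 c8` are one instruction in 64-bit mode (`mov rax, rcx`) but two in 32-bit mode (`dec eax` followed by `mov eax, ecx`), which is exactly why a prefix-aware enumeration has to fix the mode before it can tell prefixes from opcodes.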

hggh on 2024-05-14

(2021)

pmayrgundter on 2024-05-15

[flagged]