
Ring -4?: Hardware Backdoors in CPUs

Intro

Last summer, at a Haim Security (ํ•˜์ž„์‹œํ๋ฆฌํ‹ฐ) internal seminar, senior researcher Seobin Park (moonoik) gave a talk on hardware backdoors, taking as his starting point the microcode security updates that Intel, AMD and others released at the time in response to the processor vulnerabilities that were then a hot topic. I found the talk very interesting, but work was at its busiest and it slipped down my priorities; early this year I was given some personal research time and could look at the related research at a bit more leisure.
Hardware backdoors can be built in many ways. There are approaches involving the Intel Management Engine (ME), the AMD Platform Security Processor (PSP) and the like, and the 2018 story of Chinese spies infiltrating the US technology supply chain and planting physical chips on Supermicro motherboards is another example of a hardware backdoor.
It is an area of continuing research, appearing as a talk topic at security conferences almost every year, and recently the chip-red-pill team drew attention by developing an Intel microcode decryptor.
Today we've published Intel Microcode decryptor! It gives you an amazing opportunity for researching x86 platforms. You can understand how Intel mitigated spectre vulnerability, explore the implementation of Intel TXT, SGX,VT-x technologies! Enjoy it! https://t.co/CrMYbrPu03 pic.twitter.com/pW6iQoUGLJ — Maxim Goryachy (@h0t_max) July 18, 2022
The deeper I dug, the more interesting things I found, but the volume of material was just as large, so in this post I pick out one piece of research that left a particular impression on me.

project:rosenbridge

project:rosenbridge is research that Christopher Domas (xoreaxeaxeax) presented at Black Hat USA 2018. I chose it as the topic of this post because several things struck me as interesting and novel: what the research implies, and the approach and methodology it uses (reverse engineering patents, for one...). Listening to his talk briefly before reading will help with understanding.

Overview

๋ณธ ์—ฐ๊ตฌ์—์„œ proof-of-concept์œผ๋กœ ๊ตฌํ˜„ํ•œ ๋ฐฑ๋„์–ด๋Š” ring 3(userland)์—์„œ ring 0(kernel)๋กœ์˜ ๊ถŒํ•œ ์ƒ์Šน์„ ์ œ๊ณตํ•˜์—ฌ arbitrary unprivileged code์—์„œ ์ปค๋„์— ๋Œ€ํ•œ ์ œํ•œ ์—†๋Š” ์ ‘๊ทผ์„ ๊ฐ€๋Šฅ์ผ€ ํ•ฉ๋‹ˆ๋‹ค. ์ด๋•Œ ๋ฐฑ๋„์–ด๋Š” ํ•˜๋“œ์›จ์–ด ๋ฐ ์†Œํ”„ํŠธ์›จ์–ด ์ปค๋„ ๋ณด์•ˆ ๋ฉ”์ปค๋‹ˆ์ฆ˜์— ๋Œ€ํ•œ ์ˆ˜์‹ญ ๋…„์˜ ์ง„์ „์„ ๋ฌดํšจํ™”ํ•˜๋Š”๋ฐ, antivirus, address space protection, data execution prevention, code signing, control flow integrity, kernel integrity check ๋“ฑ์˜ ๋ณดํ˜ธ ๊ธฐ๋ฒ•์ด ๋ชจ๋‘ ๋ฐฑ๋„์–ด๋ฅผ ํ†ตํ•ด ์šฐํšŒ๋ฉ๋‹ˆ๋‹ค.
๋ฐฑ๋„์–ด๋Š” ํ”„๋กœ์„ธ์„œ ์ œ์ž‘ ๋‹จ๊ณ„ ๋˜๋Š” ๋ถ€ํŒ… ๋‹จ๊ณ„์—์„œ ๊ตฌ์„ฑ๋œ processor configuration bit๋ฅผ ํ†ตํ•ด ํ™œ์„ฑํ™” ๋˜๋Š” ๋น„ํ™œ์„ฑํ™”ํ•  ์ˆ˜ ์žˆ์œผ๋ฉฐ, ์ผ๋ถ€ ํ”Œ๋žซํผ์—์„œ๋Š” ๊ธฐ๋ณธ์ ์œผ๋กœ ํ™œ์„ฑํ™”๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค(= open door).
โ€ข
๋ฐฑ์„œ์—์„œ๋Š” 8086 architecture์—์„œ ํŒŒ์ƒ๋œ ํ”„๋กœ์„ธ์„œ ์„ค๊ณ„๋ฅผ ๊ด‘๋ฒ”์œ„ํ•˜๊ฒŒ ์ง€์นญํ•˜๊ธฐ ์œ„ํ•ด "x86"์ด๋ผ๋Š” ์šฉ์–ด๋ฅผ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ์—ฌ๊ธฐ์—๋Š” 32-bit์™€ 64-bit ๋ฒ„์ „์ด ๋ชจ๋‘ ํฌํ•จ๋ฉ๋‹ˆ๋‹ค.

Target

The research targets the VIA C3 family of x86 processors.
The target was chosen on the basis of information derived from patents filed for certain x86 technologies. US8341419 contains the following:
"Some internal control registers allow the user to bypass security mechanisms, for example allowing ring 3 access to ring 0. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, many x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs (Model Specific Registers)."
Based on the owner of that patent (VIA Technologies, Inc.) and its filing year, the VIA C3 processor was chosen as the research target. Intel and AMD generally publish developer manuals that give important insight into their processors, but no VIA developer manual could be found, so the research involved considerable trial and error. It was tested mainly on the Nehemiah core, but is expected to apply to all VIA C3 processors.
Although the target processor is no longer used in modern computers, the security problem the research raises remains a very real concern across the industry, and the work is offered as a valuable case study for advancing the state of the art in processor security research on modern systems.

Backdoor Architecture

As discussed in the previous section, the patent titled "Apparatus and method for limiting access to model specific registers in a microprocessor" strongly implies the existence of what would generally be understood as a processor backdoor. To explore this, other x86 patents were examined and pieces of information gathered (US8880851, US9043580, US9141389, US9146742, US9292470, US9317301, ...).
From the collected information it was concluded that VIA embeds a non-x86 core in its C3 x86 CPUs, that this embedded core can be activated through special instructions, and that it can be used to bypass the processor's security mechanisms. This is vaguely reminiscent of the comparatively well-known Intel ME and AMD PSP, but VIA's embedded core appeared to be far more tightly coupled to the x86 core, and since no public documentation of the feature could be found, it was likened to something even more hidden than the ME or PSP. For that reason the research named this non-x86 core the *deeply embedded core (DEC)*.
From US8880851 it was inferred that the DEC is not an entirely separate core but shares a substantial part of its pipeline and other architecture with the x86 core.
Several other patents suggest that the DEC is a RISC processor sharing some components of the execution pipeline with the x86 core, and indicate that the pipeline may fork after the fetch phase. The existence of a register file partially shared between the RISC and x86 cores can also be inferred.
According to US8880851, the processor uses a global configuration register, exposed to the x86 core as an MSR, to activate the RISC core. Once the RISC core is activated, a RISC instruction sequence begins with an x86 launch instruction, a new instruction added to the x86 instruction set.
The DEC's design, with an integrated execution pipeline and a shared register file, is stealthier and more powerful than coprocessors such as the Intel ME or AMD PSP. Coprocessors able to modify protected memory have been called a "ring -3" layer of privilege, surpassing the capabilities of the kernel, hypervisor and System Management Mode. The research therefore proposes that the DEC acts as a kind of "ring -4", the deepest layer discovered so far.
If the assumptions about the DEC are correct, the DEC can be used as a backdoor in the processor that stealthily bypasses all of the most important processor security checks; we call this the rosenbridge backdoor.

Register Analysis

x86์˜ MSR์€ 64-bit control register์ž…๋‹ˆ๋‹ค. ๋””๋ฒ„๊น…, ์„ฑ๋Šฅ ๋ชจ๋‹ˆํ„ฐ๋ง, ๋‹ค์–‘ํ•œ ํ”„๋กœ์„ธ์„œ ๊ธฐ๋Šฅ ์ „ํ™˜ ๋“ฑ ๋งŽ์€ ๊ณณ์— ์‚ฌ์šฉ๋ฉ๋‹ˆ๋‹ค. MSR์€ ring 0์—์„œ๋งŒ ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. x86 general- ๋ฐ special-purpose register์™€ ๋‹ฌ๋ฆฌ MSR์€ ์ด๋ฆ„์ด ์•„๋‹ˆ๋ผ ์ฃผ์†Œ๋กœ ์ ‘๊ทผ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ์œ ํšจํ•œ MSR ์ฃผ์†Œ ๋ฒ”์œ„๋Š” 0 ์—์„œ 0xffffffff๊นŒ์ง€ ์ž…๋‹ˆ๋‹ค.
์•ž์„œ ์–ธ๊ธ‰ํ•œ US8341419์˜ ๋‚ด์šฉ์ฒ˜๋Ÿผ MSR์˜ ๋งŽ์€ ๋ถ€๋ถ„์ด ๊ณต๊ฐœ ๋ฌธ์„œ์— ์กด์žฌํ•˜์ง€ ์•Š๋Š” ๊ฒƒ์ด ์ผ๋ฐ˜์ ์ž…๋‹ˆ๋‹ค.
๋ฌธ์„œํ™”๋˜์ง€ ์•Š์€ bit๋Š” ๋‹จ์ˆœํžˆ ๊ตฌํ˜„๋˜์ง€ ์•Š๊ณ  ํ–ฅํ›„ ์‚ฌ์šฉ์„ ์œ„ํ•ด ์˜ˆ์•ฝ๋˜๋Š” ๊ฒฝ์šฐ๋„ ๋งŽ์Šต๋‹ˆ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ ํ”„๋กœ์„ธ์„œ์— ํ™•์—ฐํ•œ ์˜ํ–ฅ์„ ๋ฏธ์น˜๋Š” ๋ฌธ์„œํ™”๋˜์ง€ ์•Š์€ bit๋ฅผ ์ฐพ๋Š” ๊ฒƒ์€ ๊ทธ๋ฆฌ ๋“œ๋ฌธ ์ผ์ด ์•„๋‹™๋‹ˆ๋‹ค.
์—ฐ๊ตฌ์—์„œ๋Š” ๋ฌธ์„œํ™”๋˜์ง€ ์•Š์€ ์ž„์˜์˜ MSR ์ฃผ์†Œ์— ๋Œ€ํ•ด rdmsr ๋ช…๋ น์„ ์ˆ˜ํ–‰ํ•˜์—ฌ #GP(0) exception์ด ๋ฐœ์ƒํ•œ๋‹ค๋ฉด ํ•ด๋‹น MSR์ด ๊ตฌํ˜„๋˜์ง€ ์•Š์€ ๊ฒƒ์œผ๋กœ ์ถ”๋ก ํ•˜๊ณ , exception ์—†์ด ์„ฑ๊ณต์ ์œผ๋กœ ๋ช…๋ น์ด ์ˆ˜ํ–‰๋œ๋‹ค๋ฉด MSR์ด ์กด์žฌํ•˜๋Š” ๊ฒƒ์œผ๋กœ ์ถ”๋ก ํ•˜๋Š” ๋ฐฉ์‹์„ ์‚ฌ์šฉํ•˜์˜€์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  (๋ถˆํ–‰ํžˆ๋„) C3์— ๋Œ€ํ•ด ์ด๋Ÿฌํ•œ MSR fault analysis๋ฅผ ์ˆ˜ํ–‰ํ•œ ๊ฒฐ๊ณผ, ๋ฌธ์„œํ™”๋˜์ง€ ์•Š์•˜์ง€๋งŒ ๊ตฌํ˜„๋˜์–ด ์žˆ๋Š” 1300๊ฐœ์˜ MSR์ด ์‹๋ณ„๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ๋ถ„์„ํ•˜๊ธฐ์—๋Š” ๋„ˆ๋ฌด ๋งŽ์Šต๋‹ˆ๋‹ค.
๋ถ„์„์„ ์ˆ˜์›”ํ•˜๊ฒŒ ํ•˜๋„๋ก ์—ฐ๊ตฌ์—์„œ๋Š” x86 MSR์— ๋Œ€ํ•œ side-channel attack์„ ์ˆ˜ํ–‰ํ•ฉ๋‹ˆ๋‹ค. rdmsr ์‹คํ–‰ ์ „ํ›„๋กœ rdtsc ๋ช…๋ น์„ ์‚ฌ์šฉํ•ด rdmsr์˜ ์•ก์„ธ์Šค ์‹œ๊ฐ„์„ ์ธก์ •ํ•ฉ๋‹ˆ๋‹ค. ์ด๋ฅผ ๋ชจ๋“  MSR์— ๋Œ€ํ•ด ์ž๋™์œผ๋กœ ์ˆ˜ํ–‰ํ•˜๋Š” MSR timing analysis code๋ฅผ ๋ณ„๋„์˜ ํ”„๋กœ์ ํŠธ์ธ project:nightshyft๋กœ ๊ตฌํ˜„ํ•˜์˜€์ง€๋งŒ ํ˜„์žฌ ํ•ด๋‹น GitHub directory๊ฐ€ ์‚ญ์ œ๋œ ์ƒํƒœ์ž…๋‹ˆ๋‹ค.
๊ฐ MSR์— ๋Œ€ํ•œ microcode๊ฐ€ ๋‹ค๋ฅด๋ฏ€๋กœ ๊ธฐ๋Šฅ์ ์œผ๋กœ ๋‹ค๋ฅธ MSR์€ ์ผ๋ฐ˜์ ์œผ๋กœ ์•ก์„ธ์Šค ์‹œ๊ฐ„์ด ๋‹ค๋ฅผ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ๊ฐ€๋ น, thermal sensor MSR์— ์•ก์„ธ์Šคํ•˜๋Š” ๋ฐ์— ๊ฑธ๋ฆฌ๋Š” ์‹œ๊ฐ„๊ณผ time stamp counter MSR์— ์•ก์„ธ์Šคํ•˜๋Š” ๋ฐ์— ๊ฑธ๋ฆฌ๋Š” ์‹œ๊ฐ„์€ ๋‹ค๋ฅผ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ๋ฐ˜๋ฉด์— ๊ธฐ๋Šฅ์ ์œผ๋กœ ๋™๋“ฑํ•œ MSR์€ ๊ฐ MSR์— ๋Œ€ํ•œ microcode๊ฐ€ ๋Œ€๋žต ๋™์ผํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๊ฑฐ์˜ ๋™์ผํ•œ ์•ก์„ธ์Šค ์‹œ๊ฐ„์„ ๊ฐ€์งˆ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ์˜ˆ๋ฅผ ๋“ค์–ด, MTRR_PHYSBASE0์— ์•ก์„ธ์Šคํ•˜๋Š” ๊ฒƒ์€ MTRR_PHYSBASE1์— ์•ก์„ธ์Šคํ•˜๋Š” ๊ฒƒ๊ณผ ๋น„์Šทํ•œ ์‹œ๊ฐ„์ด ๊ฑธ๋ฆด ๊ฒƒ์œผ๋กœ ์˜ˆ์ƒ๋ฉ๋‹ˆ๋‹ค.
์ด ์ ‘๊ทผ ๋ฐฉ์‹์„ ์‚ฌ์šฉํ•˜๋ฉด register ์•ก์„ธ์Šค ์‹œ๊ฐ„์„ ๋น„๊ตํ•˜์—ฌ "์œ ์‚ฌ" ๋ฐ "๋น„์œ ์‚ฌ" MSR์„ ๊ตฌ๋ณ„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋ฌผ๋ก  ๊ธฐ๋Šฅ์ ์œผ๋กœ ๋‹ค๋ฅธ ๋‘ MSR์ด ๋™์ผํ•œ ์•ก์„ธ์Šค ์‹œ๊ฐ„์„ ๊ฐ€์งˆ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ "์œ ์‚ฌ" register๋Š” ์ธ์ ‘ํ•œ register์— ํ•œํ•ด ์ •์˜ํ•˜์˜€์Šต๋‹ˆ๋‹ค.
Global configuration register์—๋Š” ๊ธฐ๋Šฅ์ ์œผ๋กœ ๋™์ผํ•˜๊ฑฐ๋‚˜ ์œ ์‚ฌํ•œ ๋ฒ„์ „์ด ์žˆ์„ ๊ฐ€๋Šฅ์„ฑ์€ ๊ฑฐ์˜ ์—†์„ ๊ฒƒ์œผ๋กœ ์ถ”์ธกํ•˜์˜€์Šต๋‹ˆ๋‹ค. ๋Œ€์‹ , ์ด register๋Š” ์šฐ๋ฆฌ๊ฐ€ ๊ฐ€์ •ํ•œ ์†์„ฑ์— ๋”ฐ๋ผ ๊ณ ์œ (์œ ์ผ)ํ•  ๊ฒƒ์œผ๋กœ ์˜ˆ์ƒํ•˜์˜€์Šต๋‹ˆ๋‹ค. ๋”ฐ๋ผ์„œ ์—ฐ๊ตฌ์—์„œ๋Š” functionally unique MSR์—๋งŒ ์ดˆ์ ์„ ๋งž์ถ”๊ธฐ ์œ„ํ•ด functional family๋กœ ๋ฌถ์ด๋Š” MSR๋“ค์„ ํ›„๋ณด์—์„œ ์ œ๊ฑฐํ•ด๋‚˜๊ฐ”์Šต๋‹ˆ๋‹ค. ์˜ˆ์‹œ๋กœ, ์•„๋ž˜ ๊ทธ๋ฆผ์—์„œ 145h์™€ 207h, 26bh ๋ถ€๋ถ„์— ์œ„์น˜ํ•œ MSR์€ ๊ฐ๊ฐ functional family๋ฅผ ํ˜•์„ฑํ•˜๋ฉฐ ๋ฌถ์ด๋‹ˆ ํ›„๋ณด์—์„œ ์ œํ•ฉ๋‹ˆ๋‹ค.
์ด๋Ÿฌํ•œ ๋ฐฉ๋ฒ•์„ ํ†ตํ•ด VIA C3 ํ”„๋กœ์„ธ์„œ์—์„œ ๊ตฌํ˜„๋œ 1300๊ฐœ์˜ MSR ์ค‘ 43๊ฐœ์˜ functionally unique MSR์„ ์‹๋ณ„ํ•˜์˜€์Šต๋‹ˆ๋‹ค. ์ด๋กœ์จ ๋ถ„์„ํ•ด์•ผ ํ•  ์ˆซ์ž๊ฐ€ ํ•ฉ๋ฆฌ์ ์ธ ์„ ์œผ๋กœ ์ค„์—ˆ์Šต๋‹ˆ๋‹ค.
๋‹ค์Œ ๋‹จ๊ณ„๋กœ, 43๊ฐœ์˜ ํ›„๋ณด MSR ์ค‘ ์–ด๋–ค ๊ฒƒ์ด global configuration register์ธ์ง€ ํ™•์ธํ•˜๊ณ , ํŠนํ—ˆ ๋ฌธํ—Œ์— ๋”ฐ๋ผ, DEC๋ฅผ ํ™œ์„ฑํ™”ํ•  ์ˆ˜ ์žˆ๋Š” ์ƒˆ๋กœ์šด x86 instruction(launch instruction)์„ ํ™œ์„ฑํ™”ํ•˜๋Š” MSR bit๋ฅผ ์ฐพ์•„์•ผ ํ•ฉ๋‹ˆ๋‹ค.
43๊ฐœ์˜ MSR๊ณผ MSR๋‹น 64 bit์ด๋‹ˆ ํ™•์ธํ•ด์•ผ ํ•  bit๋Š” ์ด 2752๊ฐœ์ž…๋‹ˆ๋‹ค. ๋Œ€๋ถ€๋ถ„์˜ ๊ฒฝ์šฐ ๋ฌธ์„œํ™”๋˜์ง€ ์•Š์€ MSR bit๋ฅผ toggle ์‹œ, general protection exceptions, kernel panics, system instability, system reset, total processor lock ๋“ฑ์ด ๋ฐœ์ƒํ–ˆ์Šต๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ๋ˆˆ์— ๋„๋Š” side effect๊ฐ€ ์žˆ์„ ๋•Œ๋งˆ๋‹ค ํ•ด๋‹น bit๋Š” ํ›„๋ณด์—์„œ ์ œ์™ธํ•˜์˜€์Šต๋‹ˆ๋‹ค.
Hardware system reset tool์„ ์‚ฌ์šฉํ•˜์—ฌ ํ›„๋ณด MSR bit toggle์„ ์ž๋™ํ™”ํ–ˆ์œผ๋ฉฐ bit toggle๋กœ ์˜ค๋ฅ˜๊ฐ€ ๋ฐœ์ƒํ•  ๋•Œ๋งˆ๋‹ค ๋Œ€์ƒ ์‹œ์Šคํ…œ์„ ์ž๋™์œผ๋กœ reset ํ•˜์˜€์Šต๋‹ˆ๋‹ค. ์ผ์ฃผ์ผ ๋™์•ˆ ์ˆ˜๋ฐฑ ๋ฒˆ์˜ ์ž๋™ ์žฌ๋ถ€ํŒ…์„ ํ†ตํ•ด 2752 bit ์ค‘ ๋ˆˆ์— ๋„๋Š” side effect ์—†์ด toggle ํ•  ์ˆ˜ ์žˆ๋Š” bit๋“ค์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.
ํ™•์ธํ•œ ๋ชจ๋“  stable MSR bit๋ฅผ ํ™œ์„ฑํ™”ํ•œ ์ƒํƒœ๋กœ, ์ถ”๊ฐ€๋œ ์ƒˆ๋กœ์šด instruction์„ ์ฐพ๊ธฐ ์œ„ํ•ด sandsifter๋ฅผ ์‚ฌ์šฉํ–ˆ์Šต๋‹ˆ๋‹ค. 1์–ต ๊ฐœ ์ด์ƒ์˜ instruction์„ ์Šค์บ”ํ•œ ๊ฒฐ๊ณผ, ํ”„๋กœ์„ธ์„œ์—์„œ ์ •ํ™•ํžˆ ํ•˜๋‚˜์˜ ์ƒˆ๋กœ์šด ์˜ˆ๊ธฐ์น˜ ์•Š์€ instruction์ธ 0f3f๊ฐ€ ๋ฐœ๊ฒฌ๋์Šต๋‹ˆ๋‹ค. ์–ด๋– ํ•œ verdor์˜ ํ”„๋กœ์„ธ์„œ ๋ฌธ์„œ์—์„œ๋„ ์ด instruction์— ๋Œ€ํ•œ ๋‚ด์šฉ๋ฅผ ์ฐพ์„ ์ˆ˜ ์—†์—ˆ์Šต๋‹ˆ๋‹ค. ์ด๊ฒƒ์€ ์•„๋งˆ๋„ VIA ํŠนํ—ˆ์—์„œ ์•”์‹œ๋œ launch instruction์ผ ๊ฒƒ์ž…๋‹ˆ๋‹ค. ์•ฝ๊ฐ„์˜ ์‹œํ–‰์ฐฉ์˜ค๋ฅผ ๊ฑฐ์ณ GDB๋กœ instruction์„ ๊ด€์ฐฐํ•œ ๊ฒฐ๊ณผ, launch instruction์ด ์‚ฌ์‹ค์ƒ jmp %eax instruction ์ด๋ผ๋Š” ๊ฒƒ์„ ํ™•์ธํ•˜์˜€์Šต๋‹ˆ๋‹ค. ์ฆ‰, eax register์— ์žˆ๋Š” ์ฃผ์†Œ๋กœ ๋ถ„๊ธฐ๋ฉ๋‹ˆ๋‹ค.
Launch instruction์ด ์‹๋ณ„๋˜๊ณ  ๋‚˜๋ฉด ์•ž์„œ ์ฐพ์•„๋‚ธ stable MSR bit ์ค‘ launch instruction์„ ํ™œ์„ฑํ™”ํ•œ ๊ฒƒ์ด ์–ด๋–ค ๊ฒƒ์ธ์ง€ ๋น ๋ฅด๊ฒŒ ์•Œ์•„๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๊ฐ stable MSR bit๋ฅผ ํ•˜๋‚˜์”ฉ ํ™œ์„ฑํ™”ํ•˜๋ฉฐ 0f3f ์‹คํ–‰์„ ์‹œ๋„ํ•˜๋‹ˆ, MSR 1107h, bit 0์ด C3 ํ”„๋กœ์„ธ์„œ์—์„œ launch instruction์„ ํ™œ์„ฑํ™”ํ•œ๋‹ค๋Š” ์‚ฌ์‹ค์ด ๊ธˆ์„ธ ๋“œ๋Ÿฌ๋‚ฌ์Šต๋‹ˆ๋‹ค.
๋”ฐ๋ผ์„œ global configuration register๋Š” MSR 1107h์˜€๊ณ , MSR 1107h์˜ bit 0๋Š” god mode bit๋ผ๊ณ  ๋ช…๋ช…ํ•˜์˜€์Šต๋‹ˆ๋‹ค.

The x86 Bridge

Having found the god mode bit and identified the launch instruction, the next step is to work out how to execute instructions on the RISC core. US8880851 suggests that the instructions fetched after the launch instruction are sent to a separate RISC pipeline.
Examination of the target processor, however, showed that this did not appear to be the case: with the god mode bit enabled and the launch instruction executed, the processor appeared to keep executing x86 instructions.
After considerable trial and error, the hypothesis was formed that rather than the launch instruction switching decoders directly, it changes the behaviour inside the x86 decoder: the x86 decoder performs a first decode pass and forwards part of the decoded instruction to a second, RISC decoder. In this implementation the pipeline does not fork immediately after the instruction fetch phase, as shown in the patent, but forks inside the x86 decoder.
As shown in the figure above, after an instruction is passed from the instruction cache to the x86 pre-decoder, the pre-decoder splits it into components such as prefix, opcode, modr/m, scale-index-base, displacement and immediate bytes. A check is performed at this point: if the processor is in RISC mode (i.e. the launch instruction was just executed), the instruction uses a 32-bit immediate value, and the remaining components match structurally defined values, the 32-bit immediate is forwarded to the RISC decoder.
Under this implementation, the x86 instruction used to pass a 32-bit immediate value to the RISC core must be identified. Because this instruction connects the two cores, it was named the bridge instruction. For example, if the bridge instruction were mov eax,xxxxxxxx, then xxxxxxxx would be the 32-bit immediate value sent to the RISC core whenever the RISC core is enabled.
Because the format of RISC instructions is unknown, the bridge instruction has to be inferred through indirect observation from the x86 core. If the RISC core really provides a privilege bypass mechanism, some RISC instructions executed from ring 3 must be able to damage the system (for instance by writing invalid values to control registers or kernel memory), and such damage can be detected in the form of processor locks, kernel panics and system resets. Since unprivileged x86 instructions cannot normally cause a processor lock, kernel panic or system reset, observing one of these behaviours while executing an unprivileged x86 instruction identifies it as the bridge instruction.
With this approach, the sandsifter tool can be applied to find the bridge instruction by random processor fuzzing: 1. Set the god mode bit. 2. Execute a random x86 instruction following the launch instruction. 3. Repeat.
Within an hour of fuzzing, the bridge instruction was determined to be bound %eax,0x00000000(,%eax,1), where 0x00000000 corresponds to the 32-bit RISC instruction sent to the DEC. The bridge instruction depends on the microarchitecture; the bound bridge is valid on the VIA C3 Nehemiah core.

A Deeply Embedded Instruction Set

Now that we know how to execute an instruction on the DEC, the next question is what to execute. At this point nothing is known about what the instructions the DEC executes look like or which architecture they follow.
Initially, simple instructions from RISC architectures such as ARM, PowerPC and MIPS were tried in both big- and little-endian form (for ARM, for example, ADD R0,R0,#1). After a few attempts it became clear that, while positively matching the instructions to a known architecture is difficult, ruling architectures out is possible. Many of the instructions sent to the DEC caused a processor lock. If executing a simple non-locking instruction for a candidate architecture, such as ADD R0,R0,#1, caused a processor lock, that architecture could be excluded. In this way 30 architectures were ruled out, which was effectively every known architecture that was tried.
Since the core could not be matched to any known architecture, the instruction set of the DEC, named the *deeply embedded instruction set (DEIS)*, had to be reverse engineered.
Understanding the format of these instructions requires executing RISC instructions and observing the results. Without knowledge of the RISC instruction set, however, the RISC core cannot be observed directly. Instead, following US8880851, the fact that the x86 core and RISC core have a partially shared register file was exploited. This made it possible to observe some of the results of RISC instructions from the x86 core and to decode the RISC instruction format.
The approach is as follows. First, set the god mode bit. Then generate a system input state and record it. The system input state consists of the processor register state (general purpose registers, special purpose registers, MMX registers) together with a memory buffer in the current userland process and one in the kernel.
An arbitrary RISC instruction wrapped in the x86 bridge instruction is executed together with the launch instruction so that it runs on the DEC. The system output state, including the GPRs, SPRs and MMX registers and the userland and kernel memory buffers, is then recorded. Diffing the recorded input and output states yields information about the unknown RISC instruction.
Fuzzing on many nodes for three weeks accumulated 15 GB of logs consisting of 2,301,295 state diffs, over nearly 4000 hours of compute time.
Test instructions were initially generated at random to obtain a large baseline dataset. Because only a small fraction of the x86/RISC system state could be recorded in the initial round of fuzzing, most RISC instructions produced no distinguishable result.
To overcome this, a staged fuzzing approach was used: first-round instructions that had a visible effect on the system state were used as seed instructions in the second fuzzing round. This staged approach improved the observable instruction results and greatly increased the completeness of the dataset.
To automate the identification of instruction rules from the large corpus of state diffs, a tool called collector was designed. It checks the state diffs for various common instruction effects, such as arithmetic operations and memory accesses.
Through a number of heuristics, the instruction bins shown below and the binary encoding of each bin were derived. These are only a portion of the instruction categories identified by collector, but they were sufficient to carry out a proof-of-concept privilege escalation attack through the DEC.
It is expected that further analysis making full use of collector's results would reconstruct more of the DEIS and enable general-purpose RISC computation on the DEC.
Registers are encoded in 4 bits: eax is 0b0000, ebx is 0b0011, ecx is 0b0001, edx is 0b0010, esi is 0b0110, edi is 0b0111, ebp is 0b0101 and esp is 0b0100. The upper bit of the register encoding is presumed to select RISC-only or MMX registers.
Instructions operate on 0, 1 or 2 explicit registers. When operating on 0 or 1 explicit registers, the eax register is sometimes used as an implicit register. Zero to eight opcode bits generally appear at the start of the instruction, and additional opcode bits may be located elsewhere in the instruction.

Privilege Escalation Payload

As a proof of concept, a rosenbridge backdoor payload was written. Running from an unprivileged userland process, the payload sends instructions to the DEC that read and modify kernel memory, and obtains root privileges.
The figure above outlines the payload. It reads the x86 global descriptor table (GDT) from kernel memory to find a pointer to the current process's task_struct structure. From the task_struct it finds a pointer to the process's cred structure, then accesses the cred structure and sets the root privilege values.
The code below is pseudocode for the privilege escalation payload. The implemented payload was written for Debian 6.0.10 (i386), Linux kernel version 2.6.32.
The pseudocode must then be converted into the backdoor primitives described in the "A Deeply Embedded Instruction Set" section above. Implementing the desired behaviour with only the subset of primitives that has been analyzed takes some creativity, much like writing a ROP chain. The final payload, written in a custom assembly language, is as follows.
Finally, the prototype is converted into a working executable: the DEC is activated with the 0f3f launch instruction and the DEIS instructions are executed through the x86 'bound' bridge instruction.
Pwned :)
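The two x86 instruction shapes this research pins down, the 0f3f launch instruction (The x86 Bridge section) and the bound bridge that the final executable wraps each DEIS word in (this section), are also what a defender can look for in a binary. The following byte-pattern detector is an added example, not code from the original post or from project:rosenbridge. It assumes the standard 32-bit x86 encoding, which the page does not spell out: bound r32, m32&32 is opcode 62 /r, and with eax as the register operand, eax as the SIB index and a disp32-only base, bound %eax,disp32(,%eax,1) assembles to 62 04 05 followed by the 32-bit displacement. The sample byte strings are constructed for the example.

```python
LAUNCH = b"\x0f\x3f"            # undocumented launch opcode found by sandsifter
BRIDGE_PREFIX = b"\x62\x04\x05"  # bound %eax, disp32(,%eax,1): assumed std. encoding


def encode_bridge(deis_word):
    """Bytes of one bound bridge carrying a 32-bit DEIS word (used to build samples)."""
    return BRIDGE_PREFIX + (deis_word & 0xFFFFFFFF).to_bytes(4, "little")


def scan(code, window=64):
    """Flag every 0f3f in a code section and collect the 32-bit words of any
    bound bridges that follow it within `window` bytes.

    A lone 0f3f is weak evidence (two bytes recur in data), so confidence is
    only 'high' when bridges are found behind it."""
    hits = []
    pos = code.find(LAUNCH)
    while pos != -1:
        region = code[pos + len(LAUNCH): pos + len(LAUNCH) + window]
        words = []
        i = region.find(BRIDGE_PREFIX)
        while i != -1 and i + 7 <= len(region):
            words.append(int.from_bytes(region[i + 3:i + 7], "little"))
            i = region.find(BRIDGE_PREFIX, i + 7)
        hits.append({"offset": pos, "deis_words": words,
                     "confidence": "high" if words else "low"})
        pos = code.find(LAUNCH, pos + 1)
    return hits


def report(code):
    """Human-readable summary of scan() for one code section."""
    lines = []
    for h in scan(code):
        words = ", ".join(f"{w:#010x}" for w in h["deis_words"]) or "none"
        lines.append(f"0f3f at {h['offset']:#x}: confidence {h['confidence']}, "
                     f"bridge words: {words}")
    return lines


# Constructed sample: a nop, a launch followed by two bridges and a ret, then
# padding and a stray 0f3f with nothing behind it.
SAMPLE_CODE = (b"\x90" + LAUNCH + encode_bridge(0x11223344) + encode_bridge(0x55667788)
               + b"\xc3" + bytes(10) + LAUNCH + b"\x90" * 4)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CODE)))
```

Run this over executable sections only (.text rather than whole files), since 0f3f and 62 04 05 are short enough to occur by chance in data. Two further caveats keep the false-positive rate down: bound is only valid in 32-bit mode (the 0x62 opcode is reused in 64-bit mode), so 64-bit code sections need not be scanned for the bridge, and on Intel and AMD parts 0f3f is simply an invalid opcode, so a match there is a curiosity rather than a working backdoor; the pattern is meaningful on the VIA C3 Nehemiah core the research targeted.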

Conclusion

The rosenbridge backdoor is the first known hardware-level backdoor in an x86 processor. That in itself is a radical development in security research. As examined in the white paper, however, the backdoor appears only in part of an older processor line, and it is not a threat to ordinary users today.
Rather, the main value of the research lies in a case study of the (now conclusively demonstrated) possibility of hardware backdoors, a practical investigation of how such backdoors are implemented, and a thought experiment on how an outside observer can discover the threat.
The consequences of a hardware backdoor almost completely break the existing security model: decades of work on software protection mechanisms do nothing to protect against this threat. The author therefore suggests that, rather than being dismayed and speculating about this fact, the desirable direction is to keep developing tools to examine and audit processors, giving control and insight back to the chip's end users.
• Excerpted from Christopher Domas's Black Hat presentation materials.

Glossary

bridge instruction: A standard x86 instruction containing a 32-bit immediate value which, when preceded by the launch instruction, sends that 32-bit immediate to the RISC pipeline of the deeply embedded core. On the VIA C3 Nehemiah core the bridge instruction is bound %eax,xxxxxxxx(,%eax,1), where xxxxxxxx is the 32-bit value sent to the RISC core.
deeply embedded core (DEC): A RISC core embedded alongside the processor's x86 core. The RISC core is tightly integrated with the x86 core and shares significant parts of the execution pipeline and register file with it.
deeply embedded instruction set (DEIS): The instruction set used by the deeply embedded core.
global configuration register: The x86 model specific register that contains the god mode bit.
god mode bit: A bit in an x86 model specific register which, when set, enables the launch instruction.
launch instruction: A new x86 instruction enabled by the god mode bit. Instruction 0f3f activates the deeply embedded core.
rosenbridge: The backdoor in the x86 processor.
sandsifter: A software tool that exhaustively scans an x86 processor's instruction set and can be used to find undocumented instructions.