Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hidden Debug Mode Found In AMD Processors

Posted by timothy on from the sooper-seekrit dept.

An anonymous reader writes "A hidden (and hardware password protected, by means of required special values in processor registers) debug mode has been found in AMD processors, and documented by a reverse engineer called Czernobyl on the RCE Forums community today. It enables powerful hardware debugging features long longed for by reverse engineers, such as hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints. And the best part is, it's sitting right there in your processor already, just read the details and off you go with the debugging ninja powers!"

154 comments

  1. Why... by Anonymous Coward · · Score: 1, Interesting

    don't they reveal this to the users?

    1. Re:Why... by cindyann · · Score: 0, Redundant

      They did.

      It's all documented there in the silicon.

      It's not their fault you didn't read it.

      Or that you don't have the tools necessary to read it.

      Or that you're not intelligent enough to read it.

      But once they document it in, e.g. human readable form, then they might be afraid that they'd have to support it in this and all future generations of their chips. Perhaps they don't want to be constrained to always supporting those particular features going forward.

    2. Re:Why... by Waffle+Iron · · Score: 0, Redundant

      don't they reveal this to the users?

      Probably because then they'd have to fully document the features and test them thoroughly on each new chip, which would likely cost them quite a bit more than developing the features in the first place.

      They would also be saddled with supporting backwards compatibility in future chips, since it becomes hard to remove publicly-accessible features in a CPU once they've been added.

  2. Yeah but ... by Thing+I+am · · Score: 1

    can you harden the processors from the Slashdot effect?

    --
    That sucking sound you hear is my bandwidth.
  3. Just a matter of time... by TrisexualPuppy · · Score: 5, Interesting

    One of my pals at NVIDIA was talking about this in a generic sense. Evidently, all of the big design houses have reverse engineering departments where they scrape down to the silicon and get things running. They never make any public info, but it's crazy what kind of logic blocks they find on silicon.

    These exist on "all processors" as ways to test the processors and increase yield cheaply. The moment that the engineering samples go out, competitors get their hands on them, and it's only days or weeks before they figure out what's really going on. Kind of cat-and-mouse.

    1. Re:Just a matter of time... by TrisexualPuppy · · Score: 5, Informative

      By the way, here's a guy who does this in his spare time. He may not have the $10+ million budget that the big boys have, but it should give you a little context as to what really happens in industry.

      (As the original article was instantly slashdotted, I can only guess that the AMD exploit was found through software avenues.)

    2. Re:Just a matter of time... by mikael · · Score: 1

      The Silicon Zoo website which shows what kind of artwork the layout engineers like to add to any unused area of silicon die..

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Just a matter of time... by GWBasic · · Score: 2, Insightful

      They never make any public info, but it's crazy what kind of logic blocks they find on silicon.

      Sometimes scraping can tell simpler things, like an accurate estimate about how much profit a company is making on a chip, and thus how much money the company will have to invest in its next generation of chips.

      --
      No, I will not work for your startup
  4. Oops, slashdotted! by ThreeGigs · · Score: 4, Funny

    Apparently the debugging process doesn't help to combat the effects of a thorough slashdotting.

    1. Re:Oops, slashdotted! by Danathar · · Score: 2, Interesting

      yea, why stories continue to be posted with direct links instead of using things like coral cache is beyond me. If you KNOW the site you are going to link to can't handle a slashdot load then DON'T LINK DIRECTLY TO IT.

      Of course this does not include sadistic evil people who enjoy watching websites crash and burn (probably a sizable but not large percentage portion of the slashdot community)

    2. Re:Oops, slashdotted! by Anonymous Coward · · Score: 0

      And mcafee went nuts on that site...

      http://www.siteadvisor.com/sites/woodmann.com?pip=false&premium=false&suite=false&aff_id=0&locale=en_us&os_ver=5.1.3.0

    3. Re:Oops, slashdotted! by autocracy · · Score: 1

      No kidding? Running debug mode doesn't speed things up?

      I'm so patenting this secret to making Java speedy... then I'll own Oracle!

      --
      SIG: HUP
    4. Re:Oops, slashdotted! by fiendy · · Score: 1

      Ah yes, I've seen this before...the typical way this is done is to hide the article behind at least three blog posts, thereby decreasing the chance that anyone will actually RTFA.
      I believe that's how it usually goes right?

    5. Re:Oops, slashdotted! by dinker · · Score: 0

      Woodmann is a dark little corner of the interwebs, I don`t think they`ll like the bright light of Slashdot shining down on them.

    6. Re:Oops, slashdotted! by Anonymous Coward · · Score: 0

      This has been addressed rouhgly 5 trillion times and is in the FAQ. If you don't agree with the answers, feel free to disagree. But saying that it "is beyond me" just makes you look stupid.

    7. Re:Oops, slashdotted! by Anonymous Coward · · Score: 0

      It's fairly rare to have sites fail due to the slashdot effect these days. Hosting has gotten so cheap that it no longer makes sense to try to host off your home server anymore.

      5 years ago, you might have had a point... but these days? This isn't really an issue anymore.

    8. Re:Oops, slashdotted! by Anonymous Coward · · Score: 0

      Anyone using the G-WAN server will happily cope with the Slashdot effect.

      G-WAN/Windows did not even feel the Slashdot covering -and G-WAN/Linux is massively faster than G-WAN/Windows.

  5. Hidden? by Janek+Kozicki · · Score: 0, Troll

    I always supported AMD for being cheap and open, directly approaching people. Now I'd like to know why this nice feature was hidden? Is it dangerous by enabling more powerful rootkits? I'm not going to believe that M$ wanted this hidden, or that they knew about it. So, why hidden? It helps developers a lot.

    --
    #
    #\ @ ? Colonize Mars
    #
    1. Re:Hidden? by neokushan · · Score: 4, Insightful

      I can think of many reasons why it might be hidden. For example, it may be hidden because the cost of supporting it would outweigh the benefits of admitting the "feature" is there. I don't just mean in terms of documenting it and releasing that info for developers, I mean in termins of testing it for security reasons. Plus, let us say that a theoretical bug is found that creates a hole someone can exploit - is it patchable? It's a whole can of worms AMD may be right to avoid opening.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    2. Re:Hidden? by icebraining · · Score: 2, Insightful

      And how do you know some top black hats don't already know about this for years and have already exploits for it? It's a classic example of security through obscurity.

      If it's not safe (and if it's baldly tested, it is), I'd expect AMD to disable it on a physical level, not leave it there "hidden" for someone with poor intentions to find out.

      --
      Dilbert RSS feed
    3. Re:Hidden? by Anonymous Coward · · Score: 0

      Tested by Kojak?

    4. Re:Hidden? by Chelloveck · · Score: 0

      My question is, is this actually hidden? Stuff like this is usually in the data sheets. So, does anyone have access to the actual processor data sheets? I didn't find them on AMD's site, just stubs containing the first few pages.

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
    5. Re:Hidden? by Anonymous Coward · · Score: 0

      I like AMD as well and try to support them. I do not expect them to document *EVERY* possible feature of their cpu that is not advertised as a feature. They likely have other things that are more important to them at the moment, and this is likely fairly low on the list of priorities.

    6. Re:Hidden? by Guy+Harris · · Score: 1

      I can think of many reasons why it might be hidden. For example, it may be hidden because the cost of supporting it would outweigh the benefits of admitting the "feature" is there. I don't just mean in terms of documenting it and releasing that info for developers, I mean in termins of testing it for security reasons.

      ...and, if it's documented as an architectural feature rather than a feature of a particular processor or line of processors, guaranteeing that it works the same in future processors, even if they have a different microarchitecture. (And even if you explicitly document it as a feature of a particular processor, if you don't implement it the same way in your next generation of processors, somebody will probably have ignored the "this is a feature specific to the Phenom 666" note in the documentation and written Whizzo-Debug using the feature, assuming that any unknown AMD processor will support it, and will whine piteously if the Phenom 3000 fails to implement it in the exact same fashion.)

    7. Re:Hidden? by arivanov · · Score: 2, Informative

      That is not always the case.

      For example they did not properly document and release the docs on the hardware RNG in their first chipsets when it came out. As a result it ended up supported only on Linux on a "friend-of-mine" basis and MSFT (on whatever basis). The other OS developers did not know about it for a while (more than half a year). I remember personally telling Theo De Raadt on BUGTRAQ at the time to stop talking rubbish that AMD does not have a hardware RNG and he was genuinely shocked. However the fact is a fact - it was not open.

      This is just an example, i can think of quite a few others.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  6. Coral Cache link by Danathar · · Score: 0

    http://www.woodmann.com.nyud.net/collaborative/knowledge/index.php/Super-secret_debug_capabilities_of_AMD_processors_!

    may not work until SOMEBODY uses the coral cache and is able to see the site (and thus cache it for the first time)

    1. Re:Coral Cache link by Trevelyan · · Score: 2, Informative

      Won't work at all, because you lost the '!' on the end..

      Try this

    2. Re:Coral Cache link by burisch_research · · Score: 1

      SlashDot's link hygiene system doesn't recognize exclamation marks at the end of a URL as being part of the URL - notice that " [nyud.net]" has been inserted by /..

      --
      char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
  7. Security? by JSBiff · · Score: 4, Interesting

    I wondered the same thing - if these debug features are useful to developers debugging their own software, why not market this as a feature? The only thing that occurred to me, is that, maybe there is some sort of security problem with this debug functionality? Does anyone know - could these debug features be used to do something like break Operating System security models, leading to privilege escalation issues, or for other nefarious purposes?

    1. Re:Security? by Anonymous Coward · · Score: 4, Interesting

      It is possible that the debug features are for their internal use and they don't quite work as intended. They may be useful as such, but if there are implementation bugs that require cumbersome work-arounds on the software side, it may be that they are waiting for a non-buggy implementation before publically documenting the features.

      It is also possible that they don't want to put the resources to documenting and supporting the debug features. After all, AMD is a small company compared to Intel and not that profitable. They even had some layoffs during the worst recession - what if they had to lay off the guys responsible for the debug mode?

    2. Re:Security? by slashqwerty · · Score: 3, Insightful

      Does anyone know - could these debug features be used to do something like break Operating System security models, leading to privilege escalation issues, or for other nefarious purposes?

      If there is some way to enable privileged instructions without using a privileged instruction it would completely circumvent operating system security.

      Perhaps the slashdotted site answers this but I have to wonder why not just have a separate opcode to turn the debugging on?

    3. Re:Security? by fuzzyfuzzyfungus · · Score: 5, Insightful

      Any CPU debug mode worthy of the name should be able to violate OS security six ways from Sunday, and silently at that, without any difficulty. By the same token, though, any CPU debug mode worthy of shipping in commercial silicon really ough to be possible for the firmware and/or kernel to lock for the duration of operation. If userspace can kick it off, a brave and exciting new world of AMD-specific malware is about to begin...

    4. Re:Security? by Anonymous Coward · · Score: 1, Interesting

      Yeah, security of DRM or TPM is probably easier to compromise (instead of taking several months to break a new DRM system it would take days since reverse engineering can be done much faster)... Which also is an obvious reason they would want to hide this feature to avoid pressure from certain groups.

    5. Re:Security? by Jurily · · Score: 1

      Does anyone know - could these debug features be used to do something like break Operating System security models, leading to privilege escalation issues, or for other nefarious purposes?

      Exactly my thoughts as well. Perhaps if these features were documented, and compilers and kernels were written with these features in mind, they would be insanely helpful. This way, however, it's just a back door wide open.

    6. Re:Security? by TrisexualPuppy · · Score: 4, Insightful

      It's probably that AMD doesn't want to claim that they ever marketed the feature as such. If they did, it would put Intel up to create and release a debugging interface for their silicon. Then both would be forced into competing to produce a better debugging interface. This drives production costs up for a component that may be used by less than 1/100 of a percent of the users when they should have been putting their efforts elsewhere.

    7. Re:Security? by Joe+U · · Score: 1

      Wasn't this the whole reason for microcode updates? To turn off or fix broken features.

      Also, if it's triggered in userspace, the OS can block it.

    8. Re:Security? by Anonymous Coward · · Score: 2, Insightful

      Also, if it's triggered in userspace, the OS can block it.

      Not if your OS is rooted. Or root-kitted. Or both.

    9. Re:Security? by Anonymous Coward · · Score: 2, Informative

      if it's triggered in userspace, the OS can block it.

      Not necessarily. Memory access can be blocked because the MMU controls what and where an application can write, transferring control to known code (the OS) on violations. Interrupts can be blocked because invoking them gives control to the OS. Priviliged instructions can be blocked because non-ring0 execution gives control to the OS.

      The OS can't choose to block for example the "xor" instructions in any reasonable way. It's possible by basically single-stepping through instructions at 100x the overhead, but it's not feasible.

    10. Re:Security? by camperdave · · Score: 4, Insightful

      it would put Intel up to create and release a debugging interface for their silicon.

      Maybe Intel already has a debugging interface on their silicon. This AMD interface has remained hidden for who knows how many years, why couldn't the same thing happen with Intel? After all, it's not as if just anyone can reverse engineer a CPU.

      --
      When our name is on the back of your car, we're behind you all the way!
    11. Re:Security? by jimicus · · Score: 2, Informative

      IIRC, microcode updates are typically packaged as part of BIOS updates.

      Tell me, how many PCs - as a percentage of those sold - get their BIOS regularly updated?

    12. Re:Security? by TheRaven64 · · Score: 5, Informative

      Intel has provided debug registers for ages. You can have up to four hardware watchpoints in pretty much any Intel - and AMD - chip. TFA is Slashdotted at the moment, but 'hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints' can both be implemented on any chip since the 386.

      --
      I am TheRaven on Soylent News
    13. Re:Security? by TheRaven64 · · Score: 5, Informative

      Okay, the site's still down but I found a cache:

      In fact, this is a fairly small incremental improvement over the existing hardware debugging support in x86 chips. It provides some extra control codes allowing the address in DR0 (one of the four registers i386 provides for hardware watchpoints) to do some slightly more clever things. For example, a watchpoint can be triggered on a partial match, rather than an exact match, to the address - this is really nice because it lets you put a watchpoint on the whole of any data structure that fits within a page. With the i386 watchpoints, you can only watch a single word with each register (4 words in total), while this means you can watch anything smaller than a page (and you can watch things bigger than a page by marking the page as no access, trapping the access, then unprotecting, single-stepping through the load / store, and continuing the process, which is how you implement watchpoints when you run out of debug registers).

      --
      I am TheRaven on Soylent News
    14. Re:Security? by makomk · · Score: 3, Informative

      Perhaps the slashdotted site answers this but I have to wonder why not just have a separate opcode to turn the debugging on?

      Because there's already a whole bunch of privileged MSRs that normal user code mustn't have access to - many of which are undocumented and processor-specific - so adding a few more is no big deal. Adding new opcodes, on the other hand, requires more work and risks them clashing with Intel's opcode choices at a later date.

    15. Re:Security? by xtal · · Score: 1


      Does anyone know - could these debug features be used to do something like break Operating System security models, leading to privilege escalation issues, or for other nefarious purposes?

      Depending on how it is implemented, yes. Usually these operating modes require specific timing or hardware ports that are wired in silicon.

      If they've got software overrides, possible timing chase conditions to trick timing, then yes, oh snap indeed.

      --
      ..don't panic
    16. Re:Security? by Joe+U · · Score: 2, Insightful

      Also, if it's triggered in userspace, the OS can block it.

      Not if your OS is rooted. Or root-kitted. Or both.

      That's already game over. If you own the OS, why would flipping the processor into a new mode help?
        You already own the security system.

    17. Re:Security? by Shark · · Score: 1

      I guess this research is going to come in handy for some people if you're right. I'm hoping you're wrong though, the number of ways such an exploit could go wrong makes my head spin.

      --
      Mind the frickin' laser...
    18. Re:Security? by tibit · · Score: 2, Informative

      AFAIK they are packaged with every major linux distro out there, and I can't but presume that Windows ships with microcode patches as well.

      --
      A successful API design takes a mixture of software design and pedagogy.
    19. Re:Security? by TheLink · · Score: 4, Interesting

      Say you own the OS but it is in a virtual machine.

      If flipping the processor into a new mode allows you to get out of the virtual machine and pwn the Host too, then yes it makes a difference.

      --
    20. Re:Security? by joeyblades · · Score: 1

      Any CPU debug mode worthy of the name should be able to violate OS security six ways from Sunday...

      Any security model worthy of the name would be agnostic to whether the CPU was in user mode or debug mode. While there is always the risk of a bug or a security hole, I can assure you that anything that goes into the chip goes in under the scrutiny of the security model. I know of many instances where some debug or test feature was not implemented because there was some potential threat to the security model.

    21. Re:Security? by Anonymous Coward · · Score: 0

      It is also possible that they don't want to put the resources to documenting and supporting the debug features.

      That's it. The customers aren't paying for the debug features, so AMD thinks they shouldn't get the features, even if they are there already.

      The high-end UPS that my company uses has pricing for different capacities. If you upgrade to a higher capacity, they don't send you a new UPS, they send you a chip or something that un-cripples it. I'm not sure if I agree with the business model or not.

    22. Re:Security? by anotheryak · · Score: 3, Interesting

      Exactly, it's probably a bit of a kludge, and making it into a stable, documented, supported feature is going to be expensive with a lot of support and a small user base.

      I have modes like this in some of my own products, and sometimes I'm leery of even having some other people on my own team have access to the debug modes, because of the potential for disaster and a WHOLE lot of handholding from me.

      It's not worth the time it would take for me to set it up for broader use, and if I did, they would break things and then come running to me.

    23. Re:Security? by wbo · · Score: 3, Insightful

      AFAIK they are packaged with every major linux distro out there, and I can't but presume that Windows ships with microcode patches as well.

      Microcode updates for Windows machines are distributed through Microsoft Update and are downloaded and installed automatically if automatic updates is enabled (and it is enabled by default). No BIOS update required.

      An example of such an update can be found by looking at Microsoft KB936357

    24. Re:Security? by Anonymous Coward · · Score: 2, Informative

      I used to work for a processor emulator tools company called Applied Microsystems Corp, Redmond WA. now defunct.
      Up thru processors type 68040 emulations tools could be mounted external to the processor chip and performed the functions mentioned ( hardware breakpoints, memory maps, all register shadowing, soft and hard breakpoints, etc, all the things that you need to perform basic computer system development. As the complexity of the systems increased beyong those early 8/16/32 bit cpu, all those hardware functions became embedded into the processor itself and are accesed by usually an I2c serial link. Emulation tools went from hardware and software complex and external to the system to hardware simple internal and software complex and external. The bottom dropped out of the eumlator tools market ( from 50k$ to 5K$ ) and that whole industry went away and got smaller and fewer in number. But the hardware tools remain inside the cpu's now, accessible by hardware licensed developers in NDA contracts. But for a few years even a few technicians had an understanding of the fine details of cpu internals. Now all that is buried again.

    25. Re:Security? by Anonymous Coward · · Score: 0

      Reverse engineer a simple CPU? That's so elementary. Now, if you were debugging REALITY.SYS, you would have something to brag about!

    26. Re:Security? by LordNimon · · Score: 4, Insightful

      It is possible that the debug features are for their internal use and they don't quite work as intended.

      Ding ding ding ding ... we have a winner!

      I work for a processor design company. If this feature is kept secret, it's because the company does not want to put in the resources to make sure it works completely on every chip. It probably uses lots of hacks and violates the architecture in some obscure way. AMD does not want customers depending on this feature and then insisting that it works for future design wins.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    27. Re:Security? by Anonymous Coward · · Score: 2, Interesting

      If an OS running on real hardware can block this call coming from user-mode then a hypervisor can block it coming from a VM. And if it can't be blocked you're p0wned either way. A virtual machine makes no difference.

    28. Re:Security? by currently_awake · · Score: 1

      NSA key? Generally speaking, if a company spends money on something it expects a return. Putting those "debug" features into silicon costs money so why don't they advertise them? I only see three likely reasons: security (can't be secured), doesn't work (oops!), government backdoor.

    29. Re:Security? by Anonymous Coward · · Score: 0

      Not that I'm that knowledgeable about virtualization software, but I can't imagine that they would run priviledged code in the virtual machine as priviledged code on the host CPU, so it doesn't matter anyways.

    30. Re:Security? by Joe+U · · Score: 1

      Say you own the OS but it is in a virtual machine.

      If flipping the processor into a new mode allows you to get out of the virtual machine and pwn the Host too, then yes it makes a difference.

      Again, the VM host or hypervisor can easily block this exploit.

    31. Re:Security? by dch24 · · Score: 5, Informative
      Here's the site's text, since it's still down.

      Listed in categories X86 Internals Articles
      Most recent version 0.1
      Most recent release date November 11, 2010
      Description Super-secret debug capabilities of Atlon XP and better AMD processors

      Here unveiled by Czernobyl aka Czerno - Mail This

      PAGE IN CONSTRUCTION
      You can help Yes, YOU - Please DO correct grammar and other English language mistakes - Please add formatting, bold, italics... as needed for better accessibility - Please contact me over any errors inaccuracies complement to the technical contents - If you own a 64-bit AMD processor, please DO check and report any differences. Contents are intended to be released at a later time under liberal copyright copyleft options. Please do NOT make the contents available elsewhere BEFORE it is READY to be unleashed I retain the 'moral' ownership rights.

      TODO mucho...

      Summary AMD processors Athlon XP and better have included firmware-based debugging features that expand greatly over standard, architecturally defined capabilities of X86. For some reason though, AMD has been tightly secretive about these features hint of their existence was gained by glancing at CBID's page URL below . Herein will be uncovered what was found through direct experimentation, in the hope it may be useful to software developers, possibly included in future debuggers or debugger plug-ins. I'll use the term expanded for the capabilities covered here, since the term debug extensions was already taken. The item is WORK IN PROGRESS, but USABLE hence released AS IS Author can be contacted email, or PM, or public thread on the reversing board Note All addresses values are hexadecimal unless noted otherwise.

      The following four new machine specific registers MSR are involved in the expanded debug facilities. All those MSRs are password protected against casual access read write access RDMSR WRMSR to the registers is granted only if EDI holds the correct password value, viz. EDI 9C5A203A. Otherwise, a GPF exception occurs.

      All these registers default reset values are zero.

      • Control C001_1024 width 8 bits Data_Match
      • C001_1025 width 32 AMD64 64 Data_Mask
      • C001_1026 - ditto - Address_Mask
      • C001_1027 width 12 bits

      Let's start by looking at the Control MSR DbgCtrlMSR2, C001_1024 since it is the key to the new features. The low 8 bits can be set reset - only bit 0 and bit 1 will be examined here. The other bits had no effect in my preliminary, limited experimentation and will be left at zero. Readers are invited to further investigate report A - When Control 0 default , the AMD processor's debug firmware operates as defined by X86 architectural specs. In order to switch on the expanded debug capabilities, we must set Control MSR's bit 1. IOW, set Control 2 or 3, more on this later .

      B - When Control 2 binary 10 , the operation of any breakpoint defined in DR0 is modified as will be described. DR1 to DR3 breakpoints aren't affected at all . DR0-based breakpoint is now controlled by the new registers Addres_Mask, Data_Match and Data_Mask, in addition to DR7. General notions about the Mask MSRs both in Data_Mask and Address_Mask, a 1 bit means don't care .

      Formally, when a comparison of two values addresses needs to occur under mask, the Mask is ANDed to both and then the compare is done. A match occurs if the masked values are equal. A mask value of zero thus is equivalent to no mask. A mask of all ones makes match occur on just one value considering compare length . Note for Address_Masks, those only make sense that are binary zeroes followed by zero or more binary ones. Not sure if that is enforced by the AMD firmware Now let's examine expanded DR0-breakpoint operation Instruction breakpoints DR7 type 0 break occurs at any address which matches the BP address in DR0 under Address_Mask. Recall Address_Mask is significant to 12 bits only. Thus the widest possibl

    32. Re:Security? by ajlitt · · Score: 2, Informative

      Except the UPS company makes that feature available for money. If AMD isn't releasing this info to anyone, then it isn't golden screwdrivering.

    33. Re:Security? by TheLink · · Score: 1

      The scenario I'm talking about is that you've managed to get "root" privileges in the virtual machine (presumably via some other exploit), and the only thing between you and pwning the Host is:

      a) A VM config issue ( can talk to the host)
      b) A bug in the VM software
      c) A bug in the CPU or other hardware.

      Whether this "Debug Mode" is equivalent to c) is what I'm talking about.

      --
    34. Re:Security? by Guy+Harris · · Score: 1

      I only see three likely reasons: security (can't be secured), doesn't work (oops!), government backdoor.

      I see at least one more: intended for internal testing, not guaranteed to work the same on all processors, AMD's not interested in guaranteeing that it works the same on all processors, and AMD's not interested in dealing with users whining that it doesn't work the same on all processors.

    35. Re:Security? by Peeteriz · · Score: 1

      Such debug features circumvent any lower-level security completely.
      Even if the debug features can only be enabled from hardware (avoiding the obvious malware risk), then existence of such features is fundamentally incompatible with existence of such issues as secure drivers (like HDMI encryption or copy checks on DVD's, securom style), DRM even by use of hardware dongles, etc.

    36. Re:Security? by dvdme · · Score: 1

      That is a very interesting point. I recall that when I did some work programming directly to a processor in Assembly, while using the debug mode I was able to break the execution and change any register to another value and then resume it. I know that this was just a school project and the processor I used isn't as complex as an AMD processor is but if the same principle applies, then your comment makes a very good point.

    37. Re:Security? by Mac-O-War · · Score: 1

      They could, if it wasn't kept a secret.

    38. Re:Security? by mysidia · · Score: 3, Informative

      Not that I'm that knowledgeable about virtualization software, but I can't imagine that they would run priviledged code in the virtual machine as priviledged code on the host CPU, so it doesn't matter anyways.

      In a VM running under hardware-based virtualization (AMD-V / VT-x) , privileged code in the guest generally does run at privilege level 0, also referred to as (privileged), kernel mode, or ultimate privilege. This is required to implement a protected mode operating system; a modern guest OS needs to be able to implement its kernel mode, user mode, and have the hardware implement restrictions on its user processes, typically by reducing its user processes to RING 3, or RING1 / 2, which are permission levels the OS can configure to specify the allowed privileges. However, code in the VM is running as a guest OS.

      It means the guest OS must run with ultimate privilege. To address this, CPU manufacturers created a new privilege level called "ring -1". When the virtualization feature is active in hardware, the virtual machine monitor runs at ring -1, and runs guest OS code at ring 0.

      As Intel puts it: VT-x and VT-i allow guest software to run at its intended privilege level. Guest software is constrained, not by privilege level, but because for VT-x it runs in VMX non-root operation

      In a software-emulated VM, instructions are translated and rewritten by the hypervisors anyways, and the hypervisor itself generally runs in Ring 3 user mode not kernel mode in that case, It is up to the hypervisor to protect itself.

    39. Re:Security? by mikael · · Score: 1

      Anything to do with paging and interrupts could be a security vulnerability - some kernel processing has to go on in order to update process states. Being able to interrupt the process at the point just after getting kernel ring permission and before interrupts are disabled would be a dream, but probably just a theoretical one. Usually, it would be an atomic process, you couldn't do one without the other, but with these instructions, who knows...

      Our OS theory courses covered early OS's which had a messed-up login process - something like a custom system would start off in admin mode to read the password file, change to the selected UID for "safety", then decide whether the password was correct and start a shell in that UID or return to admin to wait for another login. Somehow, users could attach a debug process at the right moment (maybe when the system was running really slow), set a breakpoint at the password test, fudge the comparison result, and set the UID to whatever they wanted. Instantly, a superuser login....

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    40. Re:Security? by Anonymous Coward · · Score: 0

      Say you own the OS but it is in a virtual machine.

      If flipping the processor into a new mode allows you to get out of the virtual machine and pwn the Host too, then yes it makes a difference.

      Again, the VM host or hypervisor can easily block this exploit.

      IF the guys who wrote the hypervisor have it documented to watch out for it! OH! It's UNdocumented. Well, then.

    41. Re:Security? by Joe+U · · Score: 1

      You're assuming AMD doesn't talk directly to MS, VMWare, etc...

    42. Re:Security? by Noughmad · · Score: 1

      It's probably that AMD doesn't want to claim that they ever marketed the feature as such. If they did, it would put Intel up to create and release a debugging interface for their silicon. Then both would be forced into competing to produce a better debugging interface. This drives production costs up for a component that may be used by less than 1/100 of a percent of the users when they should have been putting their efforts elsewhere.

      It could be just that, or...

      It enables powerful hardware debugging features long longed for by reverse engineers

      I think it's more likely that software companies would not like it.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    43. Re:Security? by Anonymous Coward · · Score: 0

      Already being done. There should be some AMD specific malware for exiting a VM or easy root kit installation next week. This was not a hidden feature, it is a security gap they forgot to close.

    44. Re:Security? by Anonymous Coward · · Score: 0

      Virtual machines don't work that way.

    45. Re:Security? by vinsci · · Score: 1

      Reverse engineer a simple CPU? That's so elementary.

      Indeed it is. And why not emulate it at the bare metal level in JavaScript, while you're at it?

      --

      Trusted Computing FAQ | Free Dawit Isaak!
    46. Re:Security? by countertrolling · · Score: 1

      Oh no!

      --
      For justice, we must go to Don Corleone
    47. Re:Security? by yuhong · · Score: 1

      And notice how MOV DRx and RD/WRMSR are privileged instructions already.

    48. Re:Security? by drinkypoo · · Score: 1

      Adding new opcodes, on the other hand, requires more work and risks them clashing with Intel's opcode choices at a later date.

      You mean like when they invented the 64 bit instruction set that intel is using today?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    49. Re:Security? by Keybounce · · Score: 1

      In a VM running under hardware-based virtualization (AMD-V / VT-x) ,
      privileged code in the guest generally does run at privilege level 0, also referred to as (privileged), kernel mode, or ultimate privilege. This is required to implement a protected mode operating system; a modern guest OS needs to be able to implement its kernel mode, user mode, and have the hardware implement restrictions on its user processes, typically by reducing its user processes to RING 3, or RING1 / 2, which are permission levels the OS can configure to specify the allowed privileges. However, code in the VM is running as a guest OS.

      Say what?

      I admit to being many years out of the "state of the art" of virtualization, but the last time I checked, all VM's ran the guest at the lowest security level, and trapped all invalid instructions. These were then emulated by the VM hosts -- so, for instance, the guest would think it was running in privileged hardware mode, when it was really running in non-privileged mode, and the host software would play "lets pretend", and check what the virtual permission was (virtual unprivileged, in which case the trap would be propagated to the guest OS to terminate the mal-behaved guest process, or virtual privileged, in which case the VM software would fake the result.)

      As a side effect, for example, while you could implement a TPM chip in software, it would have a different internal private key, and so would look like a different motherboard / different machine to the software. This was considered a good thing -- running the same software in multiple VM's would show as multiple different computers instead of multiple instances of the same computer.

      But this does mean that a guest OS can implement its own privileges without needing raw access to the hardware privilege mechanism.

    50. Re:Security? by mysidia · · Score: 1

      I admit to being many years out of the "state of the art" of virtualization, but the last time I checked, all VM's ran the guest at the lowest security level, and trapped all invalid instructions. These were then emulated by the VM hosts -- so, for instance, the guest would think it was running in privileged hardware mode

      There are some hypervisors that will do that, but it's inefficient, and would be a strategy for obsolete software-based emulation.

      Modern general purpose hypervisors such as vSphere are generally deployed utilizing CPU-assisted virtualization, intel VT-x and AMD-V.

      The CPU takes care of the virtualization. There are some security considerations the VMM has to take care of, such as access to I/O devices.

      But the guest OSes run without privilege. Virtualized by the hardware, not emulated by software trapping any instructions or syscalls.

  8. The ultimate security disaster? by pyalot · · Score: 4, Insightful

    Since TFA is down by now, and I can't get the exact details... does this mean that any program running and setting the right bits in the right registers can get "processor root" access to everything the processor does, irrespective of any security constraint the OS may place on that process? Oh dear

    --
    Experiments and other stuff
    1. Re:The ultimate security disaster? by HelloKitty2 · · Score: 1

      Haha, that would have been hillarious. All that security and someone compromising it with a simple 6letter pass :D

    2. Re:The ultimate security disaster? by Anonymous Coward · · Score: 0

      Are you surprised? Do you believe that security services aren't provided with the combinations for access?

      The argument that OSS is as secure as the many eyes which (usually don't) audit its source code is useless unless the system is fully open and locally built down to the level of understanding the physics.

    3. Re:The ultimate security disaster? by pyalot · · Score: 2, Interesting

      It's not that I'm surprised. But you need to recall that AMD chips a goodly chunk of data/hosting-center cores, which run many clients on the same machine... AMD will need a very good indemnification clause to wind their way out of that dammage responsibility.

      --
      Experiments and other stuff
    4. Re:The ultimate security disaster? by Eil · · Score: 5, Informative

      Not a security hole. This debug mode is not some kind of eleet hax0r backdoor. It's for debugging the processor and microcode.

      It's the OS responsibility to ensure that normal applications can't simply do whatever they like directly to the hardware, including the CPU.

    5. Re:The ultimate security disaster? by Smallpond · · Score: 2, Insightful

      Since TFA is down by now, and I can't get the exact details... does this mean that any program running and setting the right bits in the right registers can get "processor root" access to everything the processor does, irrespective of any security constraint the OS may place on that process?

      Oh dear

      Any program that can read and write to any processor register already has complete access to everything on your computer. The reason this is secret is not to protect your data, its to protect AMD's secrets.

    6. Re:The ultimate security disaster? by pyalot · · Score: 1, Interesting

      Just hypothethically, given the information we have from the summary, what's the worst case scenario?

      - The debugmode is worthy of its name, i.e. can bypass any ring and OS restriction
      - It cannot be turned on or off in the bios or with a pin, since it is undocumented
      - It is on by default
      - The bit combination to set resides in usual working registers and can be triggered by usual computation by native code or in any bytecode interpreter (javascript, java etc.) of your choice when carefully targeting the bytecode interpreter

      --
      Experiments and other stuff
    7. Re:The ultimate security disaster? by Seth+Kriticos · · Score: 1

      No, TFA said (before it went down) that some registers have to be filled with defined values through hardware means to enter debug mode. In short, you won't stumble into it. And neither will any harmful software.

    8. Re:The ultimate security disaster? by Jurily · · Score: 1

      It's the OS responsibility to ensure that normal applications can't simply do whatever they like directly to the hardware, including the CPU.

      Unless of course the CPU is in a mode the OS doesn't know about.

    9. Re:The ultimate security disaster? by maxwell+demon · · Score: 2, Insightful

      Ultimately it's the CPU which implements the security at the instruction and memory level. The OS only tells the CPU what code should run under which security context.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    10. Re:The ultimate security disaster? by Anonymous Coward · · Score: 1, Informative

      It's the OS responsibility to ensure that normal applications can't simply do whatever they like directly to the hardware, including the CPU.

      Actually most of those controls, such as an ordinary user-space program just overwriting arbitrary places in physical memory or running on the CPU for as long as it wishes and not allowing anything else to preempt it, are enforced by hardware. That's the only way they can possibly work.

    11. Re:The ultimate security disaster? by sxeraverx · · Score: 1

      It's the OS responsibility to ensure that normal applications can't simply do whatever they like directly to the hardware, including the CPU.

      Even though it's the OS's responsibility to ensure normal applications can't simply do whatever they want, the CPU needs to provide the necessary functionality. If the CPU allows writing to some register and provides no method of protecting that write, and that write causes anything that normally would not be allowed, then the OS can do bugger all about it.

    12. Re:The ultimate security disaster? by Anonymous Coward · · Score: 0

      - The debugmode is worthy of its name, i.e. can bypass any ring and OS restriction

      There's absolutely no reason for such a feature.

      - The bit combination to set resides in usual working registers and can be triggered by usual computation by native code or in any bytecode interpreter (javascript, java etc.) of your choice when carefully targeting the bytecode interpreter

      An x86 CPU has far more registers than just the usual 8 general-purpose registers.

      The real worst case scenario from the information in the summary is there is absolutely no risk whatsoever.

    13. Re:The ultimate security disaster? by Eil · · Score: 1

      That's true, but irrelevant. The debug mode doesn't do an end-run around the machine's entire hardware and software security stack as so many posters were implying. By the time you have a chunk of executable code on your machine trying to set specific registers to specific values, all of the security measures in place up to that point have failed. Malicious code is malicious code and it does not need special access to some obscure CPU feature in order to do damage.

    14. Re:The ultimate security disaster? by Anonymous Coward · · Score: 0

      Since TFA is down by now, and I can't get the exact details... does this mean that any program running and setting the right bits in the right registers can get "processor root" access to everything the processor does, irrespective of any security constraint the OS may place on that process?

      Oh dear

      Any program that can read and write to any processor register already has complete access to everything on your computer. The reason this is secret is not to protect your data, its to protect AMD's secrets.

      Certain registers can only be modified by the kernel. If a userland process tries to modify them, it triggers a hardware interrupt, which tells the kernel to do something about it.

  9. Czernobyl == Polish Hacker? by Mastadex · · Score: 1

    To state the obvious: Chernobyl, or Czernobyl as is referred to in the polish language, is a very well known nuclear disaster site. Those crafty Polish are starting to make a name for themselves in the computer industry.

    --
    A morning without coffee is like something without something else.
    1. Re:Czernobyl == Polish Hacker? by Anonymous Coward · · Score: 0

      Starting?

      Ever heard of the bomba?

      The poles were reverse engineering stuff before pretty much everybody else.

    2. Re:Czernobyl == Polish Hacker? by Anonymous Coward · · Score: 0

      Nobody suggested otherwise.

    3. Re:Czernobyl == Polish Hacker? by devjoe · · Score: 0, Offtopic

      Chernobyl is in the Ukraine, not Poland.

      Whoosh! Sure, the city is, but in this story we are talking about a hacker who lives in Poland who named himself after the infamous Ukraine nuclear disaster site.

    4. Re:Czernobyl == Polish Hacker? by Anonymous Coward · · Score: 0, Offtopic

      But spelling the name with a z (Czernobyl) is Polish.

    5. Re:Czernobyl == Polish Hacker? by Marcx77 · · Score: 0, Offtopic

      Well, it's not as if spelling it with an 'h' is Ukrainian....

    6. Re:Czernobyl == Polish Hacker? by Anonymous Coward · · Score: 0

      No, Polish spelling is Czarnobyl

    7. Re:Czernobyl == Polish Hacker? by Anonymous Coward · · Score: 0

      Starting? Learn2history.

      http://en.wikipedia.org/wiki/Jacek_Karpinski
      http://en.wikipedia.org/wiki/K-202

      One of my professors knew the guy in person.

      (yeah I'm polish.)

  10. hidden data-aware conditional breakpoints by digitaldc · · Score: 4, Funny

    Hidden for a reason? Do they not want Nvidia to see this?

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  11. So it's a software JTAG by leptechie · · Score: 5, Interesting

    I'm actually surprised to find out that everyone's surprised. I've been hacking routers and now work for a telco surrounded by disassembled set-top boxes, and both have serial and JTAG interfaces abundant. Many require soldering, so in that respect it's "hidden" from customers. Maybe: - It's often more expensive to engineer these things out of the test systems to ready for production - and just maybe it's still actually useful especially as you peer deeper into the GHz to get more performance from an existing design.

    1. Re:So it's a software JTAG by doogledog · · Score: 1

      I'm just guessing, as the site is still inaccessible, but it sounds like this is a set of debug functionality beyond what you'd get with the normal debug registers or with a JTAG interface. AFAIK modern desktop/server processors still have JTAG interfaces (not just SoC, embedded type processors). Sure JTAG interfaces are often 'hidden' as you say... maybe there's a footprint there but you have to solder on some flying leads or a connector.. but without knowing about these new registers you still wouldn't be able to use these debug features over JTAG.

    2. Re:So it's a software JTAG by Anonymous Coward · · Score: 1, Interesting

      It's not the same thing. Virtually every microcontroller has JTAG support and nobody would be surprised to find a JTAG interface in an embedded device. It would be very well documented in the datasheets. It's no big deal to find an unpopulated serial or JTAG header in a production device. These aren't manufacturer secrets -- they are well-known debugging interfaces provided for the benefit of the device developer.

      AMD's proprietary debugging features are a different story -- features not intended for the end-user to have access to and which can have a serious impact on privacy and security. This has nothing to do with extracting performance and everything to do with reverse engineering software.

      Frankly it sounds like you've been "around" these sorts of things but not had much first-hand experience working with them. Imagining a device has a hardware debugger and actually finding an undocumented one are two very different things.

    3. Re:So it's a software JTAG by Anonymous Coward · · Score: 0

      Why is this flamebait? He (or she) is right!

    4. Re:So it's a software JTAG by Anonymous Coward · · Score: 0

      CPU's JTAG interface on modern desktop AMD systems is connected to southbridge and used for Advanced Clock Calibration feature.

  12. Some extra info, whilst the site is 'dotted... by Anonymous Coward · · Score: 1, Informative

    http://webcache.googleusercontent.com/search?q=cache:EzsEFcoAZDAJ:www.woodmann.com/forum/archive/index.php/t-13891.html+amd+hardware+debugging+features&cd=5&hl=en&ct=clnk&gl=uk

  13. Grab your martini-wodka and get to work by b4dc0d3r · · Score: 0, Offtopic

    +Fravia is dead, long live +Fravia.

    Get an "highball" glass (cylindrical "milk" glass: holds about
    200-285 ml.)
    - Two ice cubes
    - Dry Martini from Martini Rossi (1/3 glass)
    - Wodka Moskowskaia (only russian Wodka will do) (1/3 glass)
    - Schweppes Indian Tonic (1/3) glass
    - Lemon zest (from Malta???)
    - Green Olive (from Tuskany ???)
    Sip slowly, look at the data, meditate, crack anything in sight.

    1. Re:Grab your martini-wodka and get to work by Anonymous Coward · · Score: 0

      After adding the first 4 ingredients, I experienced a buffer overflow. Did I just get hacked?

    2. Re:Grab your martini-wodka and get to work by inode_buddha · · Score: 1, Offtopic

      +0rc was one of the better ones, also. Very outdated nowdays but I still have a bunch of his tutorials around here somewhere...

      --
      C|N>K
    3. Re:Grab your martini-wodka and get to work by lxs · · Score: 0, Offtopic

      Offtopic? That's what you get when mentioning sites that closed when your average mod was a mere glint in the milkman's eye.

  14. Extensions for gcc/gdb by NtwoO · · Score: 1

    So this could be enabled in the kernel and/or gcc/gdb in the near future? That would be convenient for debugging. Unfortunately the link is still blocked, so the details on enabling this is still hidden.

    --
    ! /* */
  15. long longed for by by Anonymous Coward · · Score: 0

    It's worth noting that this feature has been
    long longed for by people longer than very long instruction words and long long integers in C.

     

  16. Re:So it's a bit like a software JTAG, but not... by leptechie · · Score: 1

    I'm not suggesting this is a JTAG interface, perhaps my title is misleading. I'm suggesting it's "hidden" in the same way these hardware debug interfaces (both standardised like JTAG or other more obscure interfaces) appear "hidden" to people who don't do hardware/firmware mods. As I mentioned in the first line, I'm surprised everyone's surprised, these are immensely complex parts that sometimes need a root-of-roots, this sounds like just the thing AMD or any other manufacturer would have designed in.

  17. I bet by VincenzoRomano · · Score: 0, Redundant

    Someone will find something similar in Intel chips as well.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  18. google cache of the article by avgapon · · Score: 3, Informative

    http://webcache.googleusercontent.com/search?q=cache:EzsEFcoAZDAJ:www.woodmann.com/forum/archive/index.php/t-13891.html+Czernobyl+AMD&cd=1&hl=en&ct=clnk

    1. Re:google cache of the article by eulernet · · Score: 2, Interesting

      And the documentation about the new opcode is probably this one:

      http://cbid.softnology.biz/html/undocmsrs.html

  19. hardware watch conditional watch by avgapon · · Score: 0, Redundant

    It seems that the discovered functionality is about extending standard hardware watch feature with ability to match actual data being accessed, not only address.

  20. Just an extension of existing debug facilities by Menacer · · Score: 5, Informative

    Based solely on the Google cache of the forum post describing this (linked above), there's no need to go into hysterics. For hardware and systems geeks, this is very cool. It's an extension of the existing x86 debug registers (DR0-7) that allows you to set a debug watchpoint that only fires when specific data is loaded in.

    There are a lot of researchers and tool builders that would love to have this because it would allow them to take a watchpoint fault whenever they only when they have a specific value from a specific location. For instance, let's say that every so often you get a null pointer exception at a specific address. However, if you current go into gdb and set 'watch 0x{address}', you're going to take a breakpoint every single time that pointer is accessed.. Wouldn't it be great to do something like 'watch 0x{address} NULL' and only stop your debugger whenever 0 gets written into that address?

    That's what the forum posts imply, at least. "Guys, I've reversed this in part... breakpoints defined in DR0 can be made to fire only on data match (under optional mask), plus masking of any or all of 12 low address bits ! Works also for I/O break points, provided CR4_DE is set, of course !"

    I would wager that this is not a large security concern. Access to DR7 is restricted to ring 0, and therefore enabling debug breakpoints must be done by the operating system. While extremely interesting (I wish I could read more!), Czernobyl appears to be describing a modification to debug breakpoints that are already enabled.

    1. Re:Just an extension of existing debug facilities by Joce640k · · Score: 1

      Surely a good debugger can already do that...ie. When it hits a breakpoint it checks what value is being written and continues if it's not right.

      The fact that this is 'hardware' doesn't seem like much of a win to me.

      --
      No sig today...
    2. Re:Just an extension of existing debug facilities by Menacer · · Score: 5, Informative

      Oh, and the summary's description, "hardware data-aware conditional breakpoints, and direct hardware 'page guard'-style breakpoints", matches up with the line I copied & pasted from the forum post. I previously described the "hardware data-aware conditional breakpoints"where you can make hardware take a fault if an address of a memory operation is matched && the value of the memory operation matches. Looking through my notes, embedded Power ISA (Book III-E) processors also let you set value-dependent watchpoints using the Data Address Compare (DAC) Registers. I'm not sure about other ISAs.

      The second party of the summary's statement refers to to 'page guard'-style breakpoints. This is referenced by Czernobyl's "masking of any or all of 12 low address bits". Again, this is a very interesting extension of the x86 debug registesr, which only allow debug watchpoints of size 1, 2, 4, or 8 bytes (and the latter only in certain microarchitectures & modes) However, by masking out the low 1--12 bits of the address into don't-cares, it's possible to set watchpoints anywhere from 1-4096 bytes, limited to powers-of-two and size-alignment. This is cool from an x86 standpoint, but ARM, MIPS, and Itanium (off the top of my head) already do this.

      Suffice it to say, the stuff that Czernobyl found is very cool in relation to x86, especially if these facilities were officially released to the public at any point in the future. However, it's very unlikely to cause any kind of AMD-only viruses or other scary security concerns. These features exist on other ISAs without any kind of world-shattering problems. :)

    3. Re:Just an extension of existing debug facilities by Menacer · · Score: 5, Informative

      Sure, but it's much faster to do it in hardware. This is the whole reason data watchpoints exist (See, for instance, the paper "Some Requirements for Architectural Support of Software Debugging" by Mark Scoctt Johnson from ASPLOS-I), as you could technically have your debugger put address & data checks around every memory access, but that leads to completely unacceptable overheads. It's faster to let the hardware check the addresses in parallel with regular execution and take a fault only if you touch the watchpoint.

      Similarly, if the hardware will check the value before taking a debug interrupt to the kernel and subsequently signaling/scheduling of the debugger, it will be much, much faster than performing all that and then have the debugger check the address & throw this particular interrupt away before continuing execution. That constant interrupt cycle can cause 10,000x or more slowdowns if you're constantly accessing a value & taking bad watchpoints on it.

    4. Re:Just an extension of existing debug facilities by deKernel · · Score: 3, Insightful

      If you are an application developers, I would agree with you. Any decent debugger should allow you to set a conditional breakpoint, but I am not sure if you can say that for kernel debuggers which are very different animals typically.

    5. Re:Just an extension of existing debug facilities by Anonymous Coward · · Score: 0

      Depends what you're working on. If the match fires hundreds/thousands of times per second, having it checked all the way back in software can be very costly and slow.

    6. Re:Just an extension of existing debug facilities by noidentity · · Score: 1

      However, if you current go into gdb and set 'watch 0x{address}', you're going to take a breakpoint every single time that pointer is accessed.. Wouldn't it be great to do something like 'watch 0x{address} NULL' and only stop your debugger whenever 0 gets written into that address?

      If you can set a hardware breakpoint, then you can do the conditional in software, only slower. So this sounds like hardware acceleration, which is very useful, as it can make something go from way too slow to no speed hit at all.

    7. Re:Just an extension of existing debug facilities by Capablanca · · Score: 0

      but who watches the watchpoints?? :-)

    8. Re:Just an extension of existing debug facilities by jamesh · · Score: 1

      One of the best things about the windows operating systems is the kernel debugger! It can do all of that and more.

    9. Re:Just an extension of existing debug facilities by Anonymous Coward · · Score: 0

      I'm the reverser who made the research available, little did I imagine the quick and dirty CRCEKL article would be slashdotted and take their server down for a day!

      A slightly better copy of my article is available at : www.czerno.tk

      Menacer above is right, this is just a cool set of extensions to existing debugging facilities (so-called hardware breakpoints), and a cool one - not a backdoor of sorts and not the end of the world.

      Why does AMD keep them secret ? Maybe it just doesn't want to bear support costs as some suggested, maybe it is making some profit by including it in solutions it or its selected partners can sell.

      --
      Czernobyl

  21. The site got SlashDotted!!! by savvysteve · · Score: 0, Redundant

    It appears the site is now down so the details of the story aren't readily available. This has some major implications for those concerned about security as mentioned by many of the above. AMD is going to have to address this because they need to close that off or it could spell major trouble for AMD as a company and a vast majority of users.

  22. Re:So it's a bit like a software JTAG, but not... by doogledog · · Score: 1

    I'd say password protected and undocumented is far more hidden than a unpopulated footprint marked 'jtag' (I know I know, not all hardware debug i/faces are always that obvious either :-)
    But yeah, no one should be particularly surprised... these are ridiculously complex chips and would be impossible to develop and debug (the chip that is, not software for it) without extra hidden circuitry.

  23. "long longed for" by Anonymous Coward · · Score: 0

    "...long longed for by reverse engineers..."?

    Shouldn't it be the features were long longed for by reverse engineering engineers? :)

    Yeah, the extra "long" is redundant and I don't know if I've ever heard the term "reverse engineers" used to describe people who do reverse engineering. That sounds more like a person who does the opposite of engineering.

  24. They did years ago in 2008's "TopCoder"... apk by Anonymous Coward · · Score: 0

    Results from the "TOPCODER" competition:

    "...these competitions were dominated at their start in 2001 by Americans, but that's no longer the case -- not by a long shot. In fact, of the four Americans who won the top seats out of 4,500 contestants... By contrast, there were eight from Russia, and four each from Norway and China. The biggest delegation -- 11 -- came from Poland.... Much of Poland's abundant interest in coding contests can be traced to Tomasz Czajka, who as a multiple TopCoder champion has won more than $100,000 in prize money since the competition began. That has made him something of a national hero back home, and other students have been eager to follow suit."

    From -> http://online.wsj.com/public/article/SB114721319725548216-EPUotRD8d3aZ4HFijEN8r_DOdJQ_20070509.html?mod=blogs

    (So, they've already "been there, & done that", and pretty handily)

    APK

    P.S.=> Polish here myself, by the by... apk

  25. Hardware easter eggs by antifoidulus · · Score: 0, Offtopic

    Turns out they implemented an entire flight simulator in hardware :P

    --
    Monstar L
  26. NSA? by NapalmV · · Score: 0, Flamebait

    debug
    >NSA
    NSA mode is ON
    NSA>load spyware
    Spyware loaded
    NSA>exit
    Affirmative
    >

  27. Goodbye DRM!?!?!?! by Hempy · · Score: 1

    Methinks this could be very useful in defeating many types of DRM. I'm thinking in particular DRM implementations similar to CSS, AACS, BD+, etc. Could this spell the end of DRM for once and for all? One can hope! Any experts care to elaborate (I'm no software developer nor a CPU engineer)?

    --
    Never argue with idiots, they just drag you down to their level then beat you with experience.
  28. I suspect by ThatsNotPudding · · Score: 1

    it still meets the open sesame requirements of the NSA.

  29. Hardware espionage by Naatach · · Score: 1

    Could this be the Chinese hardware back door everyone is worried about?

    --
    There may be no "I" in team, but there's also no "F" in way.
    1. Re:Hardware espionage by Jeprey · · Score: 1

      You'd have to be able to access the network the IC is operating on (if it is even connected to anything). So, not really if normal military security measures already common are taken. Backdoors imply communications channels existing because a backdoor is useless without one.

      There are other more nefarious things "they" could do. I could tell you but I've have to kill you.

  30. 0x9c5a203a really a password ? by Anonymous Coward · · Score: 0

    look like putting 0x9c5a203a in edi on AMD cpu is know from years. Just google for it.

    For example it is already used in linux kernel for workaround

  31. Hand in your geek card. by Anonymous Coward · · Score: 0

    Ever heard of "Design for Testability" (DFT)? I am surprised that no one on Slashdot is even aware of this.

  32. Urm.."long longed for by reverse engineers" by Anonymous Coward · · Score: 0

    The department of redundancy department would like a word with the article submitter!

  33. thank you by ChipMonk · · Score: 1

    I have no mod points ATM, and even if I did, well, you're already modded up as high as possible. So, I'll simply say, thank you.

  34. This is not new by yuhong · · Score: 1

    Remember Robert Collins and how he reverse engineered the ICE mode of old Intel processors?

  35. Only new to the clueless! by Jeprey · · Score: 1

    Integrated circuits have had "stealth" debug/test modes since forever. Every single one made since the 1970s on with any complexity above that of a RAM has had these modes.

    When I worked for Intel I used these extensively to get "inside access" to the raw memory array for production line testing of EPROMs.

    The same types of modes are how the 486DX, 486SX and 486FX (FPU) all originated from the same, exact, single-design die. Basically you go into the test mode and blow a fuse that shut down the failing half of a DX to result in an SX or FX part. All the same exact die in all cases.

    The article author is way late to the party!

    1. Re:Only new to the clueless! by yuhong · · Score: 1

      A 486FX? Wasn't that a 487SX?

    2. Re:Only new to the clueless! by Jeprey · · Score: 1

      There's a marketing name and then there was the internal name commonly used. Same die! Really.

  36. uh what? by drinkypoo · · Score: 1

    Since they execute your code directly on the host processor, they most certainly do work that way.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"