Re: [Dailydave] How T-Mobil's network was compromised
From: Anthony Zboralski (bcs2005 at bellua.com)
Date: Sat Feb 19 2005 - 06:14:39 CST
>> Whatever happened to the people chasing down the time delays in
>> Pentium-I CPUs when executing undocumented (backdoor?) instructions
>> to get to ring 0? Didn't one of them die? :)
You mean the people who reversed undocumented Pentium instructions.
Actually they are documented in Appendix H, but you need to sign a
15-year NDA with Intel to get access to it. They removed the appendix
from the original docs in a rush and left tons of references to A-H in
the body of the manual.

Interesting that you mention that: I was telling David Maynor about
this ring 0 hack a few weeks ago, and I was wondering why so few people
were looking into this.

I tried to get one of these guys, Robert Collins (who now works at
Transmeta), to talk at BCS2005 but couldn't reach him. His articles
were originally published in Dr. Dobb's magazine in 1997, and he never
published the follow-up articles, in which he promised he would give
more details about other possible ways to break ring 0.
Robert Collins goes:
"Using SMM to Create a CPL-0 v86 Task
Two of the strangest things I've done with SMM involved changing the
descriptor access rights. In one case, I changed the access rights of
the GDT descriptor cache to Not Present. The subsequent descriptor
table lookup caused a triple fault. This proved that the GDT access
rights were used by the Pentium processor, even though they don't exist
as part of the LGDT instruction data structure (see my March 1997
column for more details.) But the other "strangest" thing I've done
(and the most illegal, too) allowed me to enter a v86 task at CPL-0 and
execute privileged instructions."
> News to me. Links please?
That's from:
http://www.rcollins.org/ddj/May97/May97.html

Older articles:
http://www.rcollins.org/ddj/Mar97/Mar97.html
http://www.rcollins.org/ddj/Jan97/Jan97.html

There are many other cool articles on his site on ICE hardware and
debugging. Intel went after him for a while for defacing the Intel
Inside logo on his web site. There must be a better reason; he gagged
himself.
> consider this the obligatory reference to "reflections on trusting
> trust"...
http://www.acm.org/classics/sep95/

I really like Ken Thompson's paper except for the conclusion. Comparing
hacking/intrusion to vandalism is libel :) Vandals were barbarians who
invaded, raped and sacked Rome in June 455.

Talking about Intel... Has anyone played with the /dev/microcode
interface? Anything interesting we can do with it? Minus was working on
that before he got brainwashed, joined a sect (no kidding) and left the
community.

A brief history of microcoded CPUs:
http://www.monkey.org/openbsd/archive/misc/0312/msg01031.html

On the same topic:
".. NEC had hired a team to reverse engineer the microcode programs
found on Intel microprocessor chips to study the functions the
microcode performed and to ..."
http://jolt.law.harvard.edu/articles/pdf/v03/03HarvJLTech209.pdf (NEC
hired a team to reverse Intel microcode)
Regards,
gaius

--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 at bellua.com - Phone: +62 21 391 8330 HP: +62 818 699 084

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave