Dailydave mailing list archives
Re: How T-Mobil's network was compromised
From: Anthony Zboralski <bcs2005 () bellua com>
Date: Sat, 19 Feb 2005 19:14:39 +0700
> Whatever happened to the people chasing down the time delays in Pentium-I CPUs when executing undocumented (backdoor?) instructions to get to ring 0? Didn't one of them die? :)

You mean the people who reversed undocumented Pentium instructions. Actually they are documented in Appendix H, but you need to sign a 15-year NDA with Intel to get access to it. They removed the appendix from the original docs in a rush and left tons of references to A-H in the body of the manual.

Interesting though you mention that, I was telling David Maynor about this ring 0 hack a few weeks ago and I was wondering why so few people were looking into this. I tried to get one of these guys, Robert Collins (who works now at Transmeta), to talk at the BCS2005 but couldn't reach him. His articles were originally published in Dr. Dobb's magazine in 1997 and he never published the follow-up articles, in which he promised he would give more details about possible other ways to break ring 0.

Robert Collins goes:

"Using SMM to Create a CPL-0 v86 Task

Two of the strangest things I've done with SMM involved changing the descriptor access rights. In one case, I changed the access rights of the GDT descriptor cache to Not Present. The subsequent descriptor table lookup caused a triple fault. This proved that the GDT access rights were used by the Pentium processor, even though they don't exist as part of the LGDT instruction data structure (see my March 1997 column for more details). But the other "strangest" thing I've done (and the most illegal, too) allowed me to enter a v86 task at CPL-0 and execute privileged instructions."

> News to me. Links please?

That's from: http://www.rcollins.org/ddj/May97/May97.html

Older articles:
http://www.rcollins.org/ddj/Mar97/Mar97.html
http://www.rcollins.org/ddj/Jan97/Jan97.html

There are many other cool articles on his site on ICE hardware and debugging. Intel went after him for a while for defacing the Intel Inside logo on his web site. There must be a better reason, he gagged himself.

> consider this the obligatory reference to "reflections on trusting trust"...
> http://www.acm.org/classics/sep95/

I really like Ken Thompson's paper except for the conclusion. Comparing hacking/intrusion to vandalism is libel :) Vandals were barbarians who invaded, raped and sacked Rome in June 455.

Talking about Intel... Has anyone played with the /dev/microcode interface? Anything interesting we can do with it? Minus was working on that before he got brainwashed, joined a sect (no kidding) and left the community.

A brief history of microcoded CPUs: http://www.monkey.org/openbsd/archive/misc/0312/msg01031.html

On the same topic: "... NEC had hired a team to reverse engineer the microcode programs found on Intel microprocessor chips to study the functions the microcode performed and to ..." http://jolt.law.harvard.edu/articles/pdf/v03/03HarvJLTech209.pdf (NEC hired a team to reverse Intel microcode)

Regards,
gaius

--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62 21 391 8330 HP: +62 818 699 084