Dailydave mailing list archives

Re: How T-Mobil's network was compromised


From: Anthony Zboralski <bcs2005 () bellua com>
Date: Sat, 19 Feb 2005 19:14:39 +0700


> Whatever happened to the people chasing down the time delays in Pentium-I CPUs when executing undocumented (backdoor?) instructions to get to ring 0?
> Didn't one of them die? :)

You mean the people who reversed undocumented Pentium instructions.
Actually they are documented in Appendix H, but you need to sign a 15-year NDA with Intel to get access to it. They removed the appendix from the original docs in a rush and left tons of references to A-H in the body of the manual.

Interesting that you mention that, though; I was telling David Maynor about this ring 0 hack a few weeks ago and I was wondering why so few people were looking into this. I tried to get one of these guys, Robert Collins (who now works at Transmeta), to talk at BCS2005 but couldn't reach him.

His articles were originally published in Dr. Dobb's in 1997, and he never published the follow-up articles in which he promised he would give more details about possible other ways to break ring 0.

Robert Collins goes:
"Using SMM to Create a CPL-0 v86 Task
Two of the strangest things I've done with SMM involved changing the descriptor access rights. In one case, I changed the access rights of the GDT descriptor cache to Not Present. The subsequent descriptor table lookup caused a triple fault. This proved that the GDT access rights were used by the Pentium processor, even though they don't exist as part of the LGDT instruction data structure (see my March 1997 column for more details). But the other "strangest" thing I've done (and the most illegal, too) allowed me to enter a v86 task at CPL-0 and execute privileged instructions."

> News to me. Links please?

That's from:
http://www.rcollins.org/ddj/May97/May97.html
Older articles:
http://www.rcollins.org/ddj/Mar97/Mar97.html
http://www.rcollins.org/ddj/Jan97/Jan97.html

There are many other cool articles on his site on ICE hardware and debugging.

Intel went after him for a while for defacing the Intel Inside logo on his web site. There must be a better reason why he gagged himself.

> consider this the obligatory reference to "reflections on trusting trust"...
> http://www.acm.org/classics/sep95/

I really like Ken Thompson's paper except for the conclusion. Comparing hacking/intrusion to vandalism is libel :) The Vandals were barbarians who invaded, raped and sacked Rome in June 455.

Talking about Intel... Has anyone played with the /dev/microcode interface? Anything interesting we can do with it? Minus was working on that before he got brainwashed, joined a sect (no kidding) and left the community.

A brief history of microcoded CPUs:
http://www.monkey.org/openbsd/archive/misc/0312/msg01031.html

On the same topic:
".. NEC had hired a team to reverse engineer the microcode programs found on Intel microprocessor chips to study the functions the microcode performed and to ..."
http://jolt.law.harvard.edu/articles/pdf/v03/03HarvJLTech209.pdf (NEC hired a team to reverse Intel microcode)

Regards,

gaius

--
Bellua Cyber Security Asia 2005 - http://www.bellua.net
21-22 March - The Workshops - 23-24 March - The Conference
bcs2005 () bellua com - Phone: +62 21 391 8330 HP: +62 818 699 084

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave