首页
社区
课程
招聘
[原创]关于滴水的VT调试器
发表于: 2009-8-19 22:34 350562

[原创]关于滴水的VT调试器

2009-8-19 22:34
350562
收藏
免费 9
支持
分享
最新回复 (295)
雪    币: 245
活跃值: (32)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
226
很崇拜哥, 哥已经是一个传说。
2009-8-30 10:37
0
雪    币: 251
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
227
从说第一句谎话开始
就需要说更多的谎话来圆前面的谎话
2009-8-30 10:44
0
雪    币: 22
活跃值: (30)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
228
让咱们讨论点正题,其实wildox的300w广告中说到的特性够吸引人倒是没得说。只是既然不肯透露细节,那么大家讨论一下可行的技术途径如何?

chenlihui:.....,不需要破解microcode


但wildox他们如何做到任意内存断点数量这个技术?

如果微码能够破解,那么理论上可以改变CPU访存的微码动作,使得CPU访存前,让CPU直接跳转到特定的断点捕捉代码执行后再恢复CPU状态,因此,CPU要越快越好,因为,断点捕捉代码要产生性能损耗,访存越密集,损耗越大。从这点上看,与广告中说的CPU越快越好倒是有相似之处。我也实在想不明白还有什么技术能够做到。

chenlihui,海风月影可否指教一二?或者大家提提可行的猜想?
2009-8-30 13:13
0
雪    币: 22
活跃值: (30)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
229
其实,我关注过一段时间的微码方面的资料,一直没有突破。

我把我了解的技术资料列一列(都是源自网上的):

1.AMD微码部分资料 United States Patent   6,336,178, RISC86 instruction set, Favor  January 1, 2002

2.AMD微码补丁的资料:US Patent 6438664 - Microcode patch device and method for patching microcode using match registers and patch routines, US Patent Issued on August 20, 2002

3. Opteron Exposed: Reverse Engineering AMD K8 Microcode Updates        26 Jul. 2004

Summary
This document details the procedure for performing microcode updates on the AMD K8 processors. It also gives background information on the K8 microcode design and provides information on altering the microcode and loading the altered update for those who are interested in microcode hacking.

Source code is included for a simple Linux microcode update driver for those who want to update their K8's microcode without waiting for the motherboard vendor to add it to the BIOS. The latest microcode update blocks are included in the driver.

Credit:
The information has been provided by Anonymous.

Details
Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner
Background:
Modern x86 microprocessors from Intel and AMD contain a feature known as "microcode update", or as the vendors prefer to call it, "BIOS update". Essentially the processor can reconfigure parts of its own hardware to fix bugs ("errata") in the silicon that would normally require a recall.

This is done by loading a block of "patch data" created by the CPU vendor into the processor using special control registers. Microcode updates essentially override hardware features with sequences of the internal RISC-like micro-ops (uops) actually executed by the processor. They can also replace the implementations of microcoded instructions already handled by hard-wired sequences in an on-die microcode ROM.

AMD's U.S. Patent 6438664 ("Microcode patch device and method for patching microcode using match registers and patch routines") goes into substantial detail on this.

Typically microcode update blocks are stored in the BIOS flash ROM and loaded into the processor as the system boots. They can also be loaded by the operating system; for instance, Linux contains a microcode device driver for Intel chips.

AMD recently released a "BIOS fix" to motherboard makers to address Errata 109, in which REP MOVS instructions caused subsequent instructions to be skipped under specific pipeline conditions.

Previously it was not clear if and how AMD even supported microcode updates in the K8 family until this announcement. After analyzing a number of BIOS images, it appears that AMD has secretly used the microcode update facility on several occasions over the past few years, but obviously avoided publicly disclosing that it actually had bugs patchable in this manner.

Early K7 (Athlon) cores initially supported microcode updates as well, until ironically the microcode update mechanism itself was found to be broken and subsequently listed as an erratum.

The following sections describe the microcode update procedure, obtained by clean room reverse engineering various vendors' BIOS code. The actual microcode update blocks are embedded in the BIOS image; the most recent updates (created June 2004) have been included in the Linux driver source code attached to this description.

Microcode Update Procedure:
The update procedure expects the 64-bit virtual address of the update data, including the 64 byte header, to be in edx:eax:

edx = high 32 bits of 64-bit virtual address
eax = low 32 bits of 64-bit virtual address
ecx = 0xc0010020 (MSR to trigger update)

Execute wrmsr with these register values. If the address and update block data are valid, wrmsr completes successfully. Otherwise, a GP fault is taken.

The microcode does not appear to update MSR 0x8B with the new update signature as it does on Intel processors, despite the fact that some BIOS code that was analyzed does seem to check this field. It is possible the MSR is only updated under certain conditions, for instance when microcode is loaded before initializing the cache controller. Nonetheless, as we shall see below, the processor is clearly doing something internally when it claims to accept an update in this manner.

The update generally takes around 5500 clock cycles. This was tested on an Athlon 64 with CPUID 0x0F48. It was not tested on any other K8 cores, although the driver source code includes updates for CPUIDs 0x0F4A and 0x0F50.

Microcode Block Format:
The microcode block consists of a 64-byte header and an 896-byte data area. The processor consumes both the header and data area during an update. The header consists of various fields. The most important ones are:

- Offset 0: 32-bit word for update creation date (e.g. 0x20040602)
- Offset 12: 32-bit checksum: sum of all 32-bit words in the data area
- Offset 24: Low 8 bits of the cpuid (e.g. 0xf48 -> 0x48).
- Offset 28: 4 bytes: 0x01 0xaa 0xaa 0xaa (evidently a reference to (A)MD.)

The microcode blocks are typically padded out to 2048 bytes, just as the Intel format blocks are.

Microcode Format:
Surprisingly, the microcode itself is in no way encrypted as it is in Intel microcode updates; the raw data loaded into the microcode patch array is directly exposed. The repetitive structure of the data, bit patterns and fields characteristic of microcode indicate that apparently no encryption was performed.

U.S. Patent 6438664 describes the most probable structure of this data; the bit patterns in the update blocks show the outline of the uop triads and control fields known to exist in K8 microcode. Further analysis of the microcode format is in progress.

Even more surprising is the total lack of strong authentication that the update block has not been damaged or altered. The processor's sole means of validating an update is to take the sum of all 32-bit words in the 896 byte update block and compare it to the 32-bit checksum at offset 12; this verification is done by microcode already stored in the microcode ROM.

Modifying random bits within the update block was tested, regenerating a correct checksum, and loading the block into the processor. In many cases the processor accepts the block with no visible effects; other cases cause a spontaneous reboot.

Most alarming is the way in which certain bit modifications cause the processor to perform very bizarrely, for instance raising segfaults and performing incorrect computations on certain microcoded instructions.

The processor also apparently does not check the header to see if the loaded update matches its exact model and stepping; it is possible to load updates intended for an Opteron onto an Athlon 64 CPU, although this will crash the machine or cause bizarre behavior.

Depending on which data block bits are modified, loading an invalid update apparently causes an internal fault and the CPU spontaneously reboots.

Implications:
The ability to fundamentally alter instruction decoding and execution on AMD K8 processors is sure to interest hardware hackers everywhere.

Unfortunately, it is not clear if this has much practical use. The updates are structured to patch specific microcode lines, and there are a very limited number of patch slots available (around 64 if the patented technique was actually implemented as described). Adding useful new instructions to the ISA is therefore unlikely; at best we could enable a previously undefined opcode to execute a few lines of uops and return. The primary purpose of microcode patching is to modify or disable defective functionality, rather than add new features.

Interestingly, this does have serious implications for system security. If one is able to get root access on a machine even once, it is hypothetically possible to install a microcode update specifically to help compromise security from userspace at a later time. Such an update could be flashed into the BIOS to make it persistent across reboots.

For instance, by patching the appropriate microcode lines, it may be possible to catch an opcode that would normally be illegal, and instead handle it by tricking the TLB into thinking we're in kernel mode when in fact the attacker has only compromised a userspace process. From there, the attacker could control the entire machine, all without altering a single bit of "software".

Imagine the fiasco that would ensue if a system were compromised by altering the CPU itself. This would be the hardware equivalent of Ken Thompson's legendary self-replicating compiler (http://www.acm.org/classics/sep95). A few years ago, Intel had to answer to public scrutiny over the exploitability of their own microcode update feature; their solution was security through obscurity and layers of encryption and authentication (see http://www.eetimes.com/news/97/963news/hole.html). Evidently AMD was not as wise by assuming their microcode was uncrackable.

There may also be a hidden danger to altering K8 microcode without complete information. It is possible (though very unlikely) that the microcode could electrically reconfigure signal routing in a fashion similar to FPGAs, for instance to cut off defective logic and reroute signals to redundant arrays. This approach has been used in the past and the AMD patents even suggest it.

If this were the case, there is a very remote chance the CPU itself could be permanently damaged, for instance, by tri-stating pass
transistors into a high current draw state or adjusting the K8's voltage and frequency scaling controls out of spec. This is not meant to discourage potential hackers.

Nonetheless, it is suspected that with sufficient analysis or maybe a bit of inside information, one could do some interesting things with microcode hacking.

At the very least, the information here should be useful for adding AMD support to the Linux microcode update driver, which already supports Intel's update mechanism.
2009-8-30 13:26
0
雪    币: 21
活跃值: (44)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
230
楼上才是真正做技术的人啊。本来不想回的,没意义啊,没必要指出别人的错误啊。。。。。。吃力不讨好啊。啥也不说,发两个VMwre6.0的截图吧:同一个版本,同一台机器,同一个工具,好像既可以是YES,也可以是NO,随心所欲啊?这个怎么解释呢?是谁的BUG呢?不仅要知道用什么工具,还应该会用才行啊,千万不可随随便便就说别人有BUG,开国际玩笑什么的。。。。。。剩下两个VMware6.5的截图留给明白人发吧


上传的附件:
2009-8-30 17:16
0
雪    币: 203
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
231
好冷的笑话。。。
2009-8-30 17:40
0
雪    币: 1632
活跃值: (13)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
232
我已经彻底无语了 我不来了
2009-8-30 18:13
0
雪    币: 258
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
233
w同学有着做传销的极好天赋,死缠烂打,百折不挠。打不死的青铜圣斗士。
你做技术实在是太浪费了。你为什么不去做传销?还是你本身就是做传销的?为什么你心理素质那么好?
2009-8-30 19:16
0
雪    币: 635
活跃值: (101)
能力值: ( LV12,RANK:420 )
在线值:
发帖
回帖
粉丝
234
同样的招式对青铜圣斗士是无效的
2009-8-30 19:33
0
雪    币: 21
活跃值: (44)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
235
你想知道YES和NO的区别吗?你想知道为什么你测试的结果有问题吗?你想知道怎样测试吗?你想知道VMware6.0与6.5之间有什么区别吗,为什么会得出两个完全相反的测试结果呢?你真的不想知道自己错在什么地方吗?..............
2009-8-30 19:49
0
雪    币: 258
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
236
我替你说出下文:“你想知道 XXX吗?那就买一台我们的300万硬件调试器吧”
2009-8-30 19:53
0
雪    币: 21
活跃值: (44)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
237
你太有才了我可以悄悄的告诉你。。。。。。别怕,不收钱的你仔细查看一下测试时VMware的设置,点到为止哦,再不懂就看看帮助。。。。。。
2009-8-30 19:57
0
雪    币: 21
活跃值: (44)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
238
测完了,6.5的截图就由你来发吧。。。。。
2009-8-30 20:01
0
雪    币: 258
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
239
不需要。
2009-8-30 20:02
0
雪    币: 21
活跃值: (44)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
240
这个问题就此结束吧,开开玩笑,逗逗乐子,完了大家都干点正事吧。
2009-8-30 20:05
0
雪    币: 2067
活跃值: (82)
能力值: ( LV9,RANK:180 )
在线值:
发帖
回帖
粉丝
241
你要重新包装那十几k吗?
2009-8-30 20:17
0
雪    币: 7325
活跃值: (3803)
能力值: (RANK:1130 )
在线值:
发帖
回帖
粉丝
242
2009-8-31 15:19
0
雪    币: 2362
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
243
还测个毛啊
作者都在一蓑说了
demo只是耍我们的
用调试器的都是菜鸟
2009-8-31 16:23
0
雪    币: 340
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
244
这个难道是神贴,好久没闪pediy了,居然楼这么高了,不留名怎么行呢

调试器是买不起了,不过作者的实力真的不赖
2009-8-31 17:45
0
雪    币: 251
活跃值: (15)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
245
莫非300W是个更大的玩笑
2009-8-31 19:48
0
雪    币: 121
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
246
2009-8-31 20:49
0
雪    币: 615
活跃值: (1267)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
247
游戏币?

3,000,000
2009-8-31 21:57
0
雪    币: 207
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
248
鉴定完毕:300万纯属商业炒作
2009-9-1 01:22
0
雪    币: 239
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
249
关注此贴,看帖也是需要耐力的
2009-9-1 02:03
0
雪    币: 92
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
250
说实在的,我给看皮儿了……
2009-9-1 11:10
0
游客
登录 | 注册 方可回帖
返回
//