The Alternate Instruction Set (AIS) is a second, 32-bit instruction set architecture found in some x86 CPUs made by VIA Technologies. On these VIA C3 processors, the hidden second processor mode is entered by executing the x86 instruction ALTINST. If AIS mode has been enabled, the processor performs a JMP EAX and begins executing AIS instructions at the address held in the EAX register. Using AIS gives native access to the Centaur Technology-designed RISC core inside the processor.


Instruction format

The manufacturer describes the Alternate Instruction Set as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms". Every AIS instruction is encoded as the 3-byte prefix 0x8D8400 followed by the 32-bit AIS instruction; this wrapper makes a 7-byte AIS instruction look to x86 tools like a Load Effective Address (LEA) instruction whose 32-bit displacement is the AIS word. In 2018 researcher Christopher Domas reported that the prefix 0x620405 (an x86 BOUND encoding) also works. A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM is an x86 assembler and AIS is a separate instruction set. An assembler is available from Domas's 2018 research. A 2007 patent named some microcode instructions: load and store to and from main RAM, and loadPRAM and storePRAM to and from private RAM inside the processor. The Centaur Technology verification team, in a 2014 paper about the VIA Nano, included short lists of micro-instructions, among them ADDIG, JLINK, JMP_ALL, MVIG, NLOOPE and STORE_PRAM, plus the micro-operations XADD and XSUB. Micro-operations were shown to have a format with the fields opcode, exec unit, src width, src1, src2, dest width, dest, write flags? and end routine?.


Availability

From x86 mode, the availability of the Alternate Instruction Set can be detected by executing CPUID with the EAX register set to 0xC0000001 and then examining the EDX register. If EDX bit 0 is set, AIS is supported; if EDX bit 1 is also set, AIS is enabled. If AIS is supported by the CPU, its status can be checked and altered through the model-specific registers, by reading and setting the Feature Control Register (FCR, MSR 0x1107). If bit 0 ("ALTINST") of the FCR is set to 1, AIS is enabled. The Microsoft Windows NT kernel's KiGetFeatureBits() initialisation function proactively disables Alternate Instruction mode at boot. If the x86 ALTINST jump instruction is executed while AIS mode is disabled, the processor raises an Invalid Opcode (#UD) exception. Setting the AIS-enabled bit requires privileged (Ring 0) access, because WRMSR is a privileged instruction, and should be done with a read-modify-write sequence so that the other FCR bits are preserved.


Privilege elevation

In 2018 Christopher Domas discovered that some Samuel 2 processors shipped with the Alternate Instruction Set enabled by default, and that by executing AIS instructions from user space it was possible to escalate privileges from Ring 3 to Ring 0. Domas had partially reverse engineered the AIS instruction set using automated fuzzing against a cluster of seven thin clients. Domas used the terms "deeply embedded core" (DEC) and "deeply embedded instruction set" (DEIS) for the RISC core and its instruction set, "launch instruction" for ALTINST, "bridge instruction" for the x86 prefix wrapper, and "global configuration register" for the Feature Control Register (FCR), and documented the privilege escalation under the name "Rosenbridge".


See also

* NEC V20/V30, an x86-compatible CPU implementing a similar scheme to enter and exit an alternate instruction set mode, in its case to support Intel 8080 instructions.


Further reading

* Comments on the use of mode bits in CPUs, in the context of the creation of Data General's Eagle computer.