This article discusses the unusual use of the protected mode features of the x86 architecture - to perform computations without executing instructions, that is, due to the internal mechanisms of the processor: hardware task switching , ingenious memory management, and non-trivial logic of calling an interrupt handler . As you know , any somewhat complex system has Turing completeness , so it is not surprising to find it in unexpected places in the naturally evolved x86. I invite under the cut those interested in such low-level perversions.
This publication is based on an article titled "The Page-Fault Weird Machine: Lessons in Instruction-less Computation" . It warms the soul that one of its co-authors, Sergey Bratus , is a longtime graduate of Phystech . I first learned about this work from Gwern Barwen's article "Surprisingly Turing-Complete" , which contains many amazing examples of Turing-complete systems. By the way, part of it has been translated into Habrรฉ , although only three sentences are allocated to the phenomenon described in this article.
2013 , x86-64, long mode, . x86 .
, , , " ", . , : -, , , โ ( QEMU, ). -, , . , , red pill, , . red pills , "", , , . red pill , , , "" . , , . , . : Neutrino(2016 .), Conficker(2008 .), Rebhip(2011 .), IRC : Phatbot(2008 .), Rbot, SDbot/Reptile, Mechbot, SpyBot ( ). -, . "" unikernel.
"" , , - ? , x86.
IA-32 , . call gates , , . , , โ , ; . x86-64 .
, ( , , ), โ 32-bit Linux ( ) double fault, , . Double fault , - ; , . , , double fault , , , , Linux , double fault , kernel panic "" . double fault - , triple fault, .
x86 , task-state segment(TSS). , , . EIP
(instruction pointer) โ , ESP
(stack pointer) โ , CR3
โ ( , page directory), EAX
ECX
, .
, , . , , GDT(Global Descriptor Table) โ IDT(Interrupt Descriptor Table) โ . , , : memory segment descriptor โ (, ), TSS descriptor โ task-state segment, interrupt-gate descriptor โ , , โ far call. , โ , โ .
-
, , , -? , , page fault double fault, 4- . , , ( , x86 ) ESP
4. , ESP
, ? , 32 , double fault-.
. , , EIP
, , 0xFFFFFFFF
. page fault, . , page fault :
if (esp == 0) {
goto double_fault_handler;
} else {
esp -= 4;
goto page_fault_handler;
}
- , โฆ - . , "" . ( IDT GDT) TSS, CR3
, , , , (, TSS, ). IDTR GDTR ( TSS, ) IDT GDT, , "" โ โ โ CR3
โ IDT GDT, . IDT TSS, .
movdbz-
, "" :
, "". IDT GDT, .
TSS, , . , TSS
EIP
,ESP
,CR3
.
"" TSS , ( ),
ESP > 0
,ESP
4,ESP
.
CR3
2 ,ESP
TSS, GDT (. Task Register) .
3 , ,
EIP
, , page fault; double fault.
, : rsrc
โ ESP
, TSS; rdest
โ ESP
, TSS, GDT CR3
TSS. label_zero
โ , double fault, label_nonzero
โ page fault. ESP
, 4, , .
if (rsrc == 0) {
rdest = rsrc;
goto label_zero;
} else {
rdest = rsrc - 1;
goto label_nonzero;
}
โ , movdbz
, move-branch-if-zero-or-decrement (-----). , subtract-and-branch-if-negative (-----), movdbz
( ), - . , , โ - Brainfuck movdbz
-.
, movdbz
:
movdbz rdest, rsrc, label_nonzero, label_zero
real-mode A20 high memory, , . , Intel , , , . , ESP
( #SS
โ stack-segment fault), . ESP
, 4 "" , 0 1023, 0 4095 ( 4 ). , , .
,
: 4 "destination TSS" ESP
, CR3
. , , ESP
, TSS, -- , . CR3
, , CR3
IDT
, , โ "". TSS โ , ; , movdbz
. "" TSS ECX
EDX
( TSS ). , TSS ESP
, CR3
TSS c rdest
, .
Busy bit
busy bit, TSS GDT , . , , 5 . , , . , , . , , , , , 8 10, .
: GDT , TSS! GDT 16 , 8 โ , , TSS, EAX
ECX
. , TSS EAX
ECX
TSS ( , TSS) busy bit-. , TSS 4 busy bit TSS GDT . IDT GDT โ , 8 16 .
, " "? -, , , โ red pill, . -, x86, . -, , , , " " , . โ " ", "" , . , , .
( ):
-
Implementation by Krister Walfridsson: Github repository , general description , some implementation details
Original article "The Page-Fault Weird Machine: Lessons in Instruction-less Computation" , companion Github repository with author's implementation
Of course Intelยฎ 64 and IA-32 Architectures Software Developer Manuals