The Alternate Instruction Set (AIS) is a unique secondary instruction set architecture found in the VIA C3 series of x86-32 CPUs made by VIA Technologies. The hidden processor mode is accessed by executing the x86 instruction `JMPAI` (opcode `0F 3F`). [1] If AIS mode has been enabled, the processor will perform a `JMP EAX` [2] and begin executing AIS instructions at the address held in the EAX register. Using AIS allows native access to the Centaur Technology-designed RISC core inside the processor. [3]
| AIS number | x86 name |
|---|---|
| R0 | EAX |
| R1 | ECX |
| R2 | EDX |
| R3 | EBX |
| R4 | ESP |
| R5 | EBP |
| R6 | ESI |
| R7 | EDI |
| R8‒R15 | … |
The manufacturer describes the Alternate Instruction Set as "an extended set of integer, MMX, floating-point, and 3DNow! instructions along with additional registers and some more powerful instruction forms". [2] Every AIS instruction is prefixed with the 3-byte sequence `0x8D8400` followed by the 32-bit instruction; this prefix form makes AIS instructions appear to be x86 Load Effective Address (`LEA`) instructions. In 2018 researcher Christopher Domas reported that the prefix `0x620405` (x86 `BOUND`) also worked.
A proposal made in 2002 to add AIS support to the Netwide Assembler (NASM) was partially declined in 2005, on the basis that NASM was an x86 assembler, and AIS is a separate instruction set. [4] An assembler is available from Domas's 2018 research. [5]
In 2007 a patent named some microcode instructions as `load` and `store` to/from main RAM, and `loadPRAM` and `storePRAM` to/from private RAM inside the processor. [6] The Centaur Technology verification team, in a 2014 paper about the VIA Nano, included some short lists of micro-instructions including `ADDIG`, `JLINK`, `JMP_ALL`, `MVIG`, `NLOOPE`, `STORE_PRAM`, plus micro-operations `XADD` and `XSUB`. Micro-operations were shown to have a format that includes the fields `opcode`, `exec unit`, `src width`, `src1`, `src2`, `dest width`, `dest`, `write flags?` and `end routine?`. [7]
A 2002 programming reference for the Alternate Instruction Set [8] and an accompanying application note [1] were added to the Bitsavers archive in May 2021.
From x86 mode, the availability of the Alternate Instruction Set can be detected by executing `CPUID` with the EAX register set to `0xC0000001` and then examining the EDX register. If EDX bit 0 is set to 1, then AIS is supported. If EDX bit 1 is also set to 1, then AIS is enabled. [9] If AIS is supported by the CPU, then its status can be checked and altered through the model-specific registers (MSRs), by reading and writing the Feature Control Register (FCR, MSR `0x1107`). If bit 0 ("`ALTINST`") is set to 1, then AIS is enabled. [9]
The Microsoft Windows NT kernel `KiGetFeatureBits()` initialisation function proactively disables Alternate Instruction mode on boot up. [10] If the x86 `JMPAI` jump instruction is executed when AIS mode is disabled, then the processor will generate an Invalid Instruction exception. [11] Setting the AIS-enabled bit requires privileged access, and should be set using a read-modify-write sequence. [11]
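The detection and control procedure above reduces to three small operations: confirm the CPU is a Centaur part, read the two AIS bits from CPUID leaf `0xC0000001`, and, at ring 0, read-modify-write bit 0 of the FCR. The program below is an added example, not code from the article, from VIA, or from the Windows kernel. It performs the CPUID part from user space and exposes the FCR arithmetic as pure functions, because `rdmsr`/`wrmsr` on MSR `0x1107` need ring 0 and are left to the caller. Two facts it relies on are not in the article and are stated here as assumptions: CPUID leaf `0xC0000000` returns the highest valid Centaur leaf in EAX, and CPUID leaf 0 spells the vendor string `CentaurHauls` across EBX, EDX, ECX.

```c
/* Added example (not from the article or any cited source): a user-space
 * probe for the AIS status bits described in the text, plus the value a
 * ring-0 read-modify-write of the Feature Control Register would write back
 * to disable AIS (what KiGetFeatureBits() does at boot). Assumed beyond the
 * article: leaf 0xC0000000 reports the highest Centaur leaf in EAX, and
 * leaf 0 carries "CentaurHauls" in EBX, EDX, ECX.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CPUID_CENTAUR_MAX   0xC0000000u
#define CPUID_CENTAUR_FEAT  0xC0000001u   /* EDX bit 0: AIS present; bit 1: AIS enabled */
#define MSR_VIA_FCR         0x1107u       /* Feature Control Register (ring 0 only) */
#define FCR_ALTINST         (1ull << 0)   /* FCR bit 0 "ALTINST": AIS enabled */

enum ais_status { AIS_ABSENT = 0, AIS_PRESENT_DISABLED = 1, AIS_PRESENT_ENABLED = 2 };

/* Decode the two AIS bits of CPUID 0xC0000001 EDX. Bit 1 is only
 * meaningful when bit 0 says the feature exists. */
enum ais_status ais_status_from_edx(uint32_t edx)
{
    if (!(edx & 1u)) return AIS_ABSENT;
    return (edx & 2u) ? AIS_PRESENT_ENABLED : AIS_PRESENT_DISABLED;
}

/* Store a 32-bit register as the 4 ASCII bytes CPUID packs into it. */
static void put_le32(char *dst, uint32_t w)
{
    dst[0] = (char)(w & 0xFF);        dst[1] = (char)((w >> 8) & 0xFF);
    dst[2] = (char)((w >> 16) & 0xFF); dst[3] = (char)((w >> 24) & 0xFF);
}

/* True when CPUID leaf-0 EBX:EDX:ECX spell "CentaurHauls" (assumed vendor id). */
int is_centaur_vendor(uint32_t ebx, uint32_t edx, uint32_t ecx)
{
    char v[13];
    put_le32(v, ebx); put_le32(v + 4, edx); put_le32(v + 8, ecx);
    v[12] = '\0';
    return strcmp(v, "CentaurHauls") == 0;
}

/* Read-modify-write helpers for the FCR value: the kernel reads MSR 0x1107,
 * clears bit 0 and writes the result back; everything else is preserved. */
uint64_t fcr_with_altinst_cleared(uint64_t fcr) { return fcr & ~FCR_ALTINST; }
int fcr_altinst_enabled(uint64_t fcr) { return (fcr & FCR_ALTINST) != 0; }

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
#include <cpuid.h>
/* Probe the running CPU. Returns an ais_status value, or -1 when the CPU is
 * not a Centaur part or does not expose leaf 0xC0000001. */
int probe_ais(void)
{
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    if (!is_centaur_vendor(b, d, c)) return -1;
    __cpuid(CPUID_CENTAUR_MAX, a, b, c, d);
    if (a < CPUID_CENTAUR_FEAT) return -1;
    __cpuid(CPUID_CENTAUR_FEAT, a, b, c, d);
    return (int)ais_status_from_edx(d);
}
#else
int probe_ais(void) { return -1; }   /* no CPUID on this architecture */
#endif

int main(void)
{
    int s = probe_ais();
    if (s < 0) {
        puts("Not a Centaur/VIA CPU (or not x86): AIS not applicable.");
        return 0;
    }
    printf("AIS: %s\n",
           s == AIS_ABSENT ? "absent" :
           s == AIS_PRESENT_DISABLED ? "present, disabled" :
                                        "present, ENABLED (review FCR bit 0)");
    return 0;
}
```

A reading of "present, enabled" on a machine whose OS did not deliberately turn AIS on is the condition to act on: the fix is the same read-modify-write the Windows kernel performs, applied by the OS at boot before any user-space code runs.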
In 2018 Christopher Domas discovered that some Samuel 2 processors came with the Alternate Instruction Set enabled by default and that by executing AIS instructions from user space, it was possible to gain privilege escalation from Ring 3 to Ring 0. [5] Domas had partially reverse-engineered the AIS instruction set using automated fuzzing against a cluster of seven thin clients. [12] Domas used the terms "deeply embedded core" (DEC) and "deeply embedded instruction set" (DEIS) for the RISC instruction set, "launch instruction" for `JMPAI`, "bridge instruction" for the x86 prefix wrapper, "global configuration register" for the Feature Control Register (FCR), and gave the exploit the physics-inspired name "Rosenbridge". [5]
As … Nehemiah's RISC-like core can also be programmed natively (AIS: Alternate Instruction Set). Here, too, it remains to be seen whether resourceful programmers can use this in one driver or another to squeeze out more performance.
KiGetFeatureBits() … // Disable bit 0 which controls the Cyrix ALTINST feature.