Xen and the art of privilege maintenance
June 13, 2012  

There’s a lovely post today on the Xen blog about a privilege escalation bug. It nicely illustrates the mythical nature of specifications.

The story goes like this. AMD competes with Intel in the market for x86 processors. The x86 architecture was created by Intel in the first place, so they control its specification. AMD decided to extend the x86 32-bit architecture to 64 bits, resulting in the x86-64 specification, controlled by AMD. To stay competitive, Intel needed to offer a 64-bit processor, so they extended their own x86 specification by incorporating AMD’s 64-bit extensions into their own specification. Almost.

It turns out that there is a slight difference in how Intel and AMD specify and implement the SYSRET instruction. Just as with the examples I’ve mentioned involving Postel’s Law, this slight difference in implementations can lead to a security breach.

The Xen post lays out the details nicely. The essence is that Xen’s code worked perfectly for AMD processors, but not Intel processors. They simply missed the fact that the AMD and Intel specifications differed, an oversight shared by FreeBSD, NetBSD, Microsoft Windows 7, and probably Mac OS X. The Linux developers also missed this, but they discovered the problem and corrected it in 2006. Apparently OpenBSD was not affected; it will be interesting to hear the story of how that came to be.

This sort of problem is inevitable. Artifacts like the x86 and x86-64 architectures are incredibly complex, and the state of the art for specifications is primitive. There are always going to be differences in implementations that can be exploited.