Home / Technology / Finding a CPU Blueprint Malicious program in the Xbox 360

Finding a CPU Blueprint Malicious program in the Xbox 360

The brand new price of Meltdown and Spectre jogged my memory of the time I came across a hooked up believe trojan horse within the Xbox 360 CPU – a newly added instruction whose mere life was dangerous.

Aid in 2005 I was the Xbox 360 CPU man. I lived and breathed that chip. I aloof possess a 30-cm CPU wafer on my wall, and a Four-foot poster of the CPU’s layout. I spent so nice time figuring out how that CPU’s pipelines worked that once I was requested to inspect some not possible crashes I was in a state of affairs to intuit how a believe trojan horse want to be their area off. However first, some background…

Annotated Xbox 360 die

The Xbox 360 CPU is a three-core PowerPC chip made via IBM. The 3 cores take a seat down in 3 separate quadrants with the fourth quadrant containing a 1-MB L2 cache – it’s reputedly you’ll be able to possibly without doubt possibly survey the an entire lot of drugs, within the symbol at sleek and on my CPU wafer. Each and every core has a 32-KB instruction cache and a 32-KB wisdom cache.

Minutiae: Core 0 was closer to the L2 cache and had measurably decrease L2 latencies.

The Xbox 360 CPU had over the top latencies for the entire lot, with memory latencies being in particular adverse. And, the 1-MB L2 cache (all that can possibly possibly without doubt possibly have compatibility) was dazzling small for a three-core CPU. So, protecting area within the L2 cache in assert to lower cache misses was essential.

CPU caches give a make stronger to potency because of spatial and temporal locality. Spatial locality means that every time you’ve historical one byte of recordsdata then you definitely’ll potentially exhaust diversified inside of sight bytes of recordsdata virtually within the provide day. Temporal locality means that every time you’ve historical some memory then you’ll reputedly exhaust it yet again within the reach long term.

However once shortly temporal locality doesn’t in reality occur. When you find yourself processing a real array of recordsdata as quickly as-per-frame then it will moreover very well be trivially provable that this may all be long gone from the L2 cache via the extent you’ll want it yet again. You still make a decision on that wisdom within the L1 cache in order that it’s reputedly you’ll be able to possibly without doubt possibly abet from spatial locality, however having it difficult precious area within the L2 cache proper means this may evict diversified wisdom, possibly slowing down the an entire lot of 2 cores.

At the general that is unavoidable. The memory coherency mechanism of our PowerPC CPU required that all wisdom within the L1 caches also be within the L2 cache. The MESI protocol historical for memory coherency calls for that once one core writes to a cache line that any diversified cores with a replica of the a equivalent cache line need to discard it – and the L2 cache was accountable for keeping up track of which L1 caches were caching which addresses.

About 40 cores on my wafer, L2 caches seenHowever, the CPU was for a online game console and potency trumped all so a brand spanking new instruction was added – xdcbt. The formed PowerPC dcbt instruction was a standard prefetch instruction. The xdcbt instruction was an extended prefetch instruction that fetched immediately from memory to the L1 d-cache, skipping L2. This supposed that memory coherency was now not confident, however good day, we’re online game programmers, everyone knows what we’re doing, this is able to possibly without doubt moreover very well be dazzling.


I wrote a widely-ancient Xbox 360 memory replica regimen that optionally historical xdcbt. Prefetching the availability wisdom was essential for potency and normally it will exhaust dcbt however dawdle within the PREFETCH_EX flag and it will prefetch with xdcbt. This was now not neatly-notion-out.

A game developer who was using this feature reported unusual crashes – heap corruption crashes, on the other hand the heap structures within the memory dumps gave the impression formed. After looking at the crash dumps for awhile I spotted what a mistake I had made.

Memory this is prefetched with xdcbt is poisonous. Whether it is miles written via one different core faster than being flushed from L1 then two cores possess diversified perspectives of memory and there would possibly possibly be by no means a ensure their perspectives will ever converge. The Xbox 360 cache traces were 128 bytes and my replica regimen’s prefetching went sleek to the keep of the availability memory, which means that xdcbt was applied to a few cache traces whose latter portions were a part of adjacent wisdom structures. At the general this was heap metadata – at least that’s the construct we noticed the crashes. The incoherent core noticed feeble wisdom (in spite of wary exhaust of locks), and crashed, on the other hand the crash unload wrote out the real contents of RAM in order that we couldn’t survey what took location.

So, necessarily the best edifying means to make exhaust of xdcbt was to be very wary now not to prefetch even a unmarried byte previous the keep of the buffer. I mounted my memory replica regimen to retain a ways from prefetching too a ways, however while looking forward to the restore the game developer stopped passing the PREFETCH_EX flag and the crashes went away.

The precise trojan horse

To this degree so formed, sleek? Cocky game builders play with fireplace, hover too as regards to the sun, marry their mothers, and a game console just about misses Christmas.

However, we stuck it in time, we purchased away with it, and we were all area to send the video games and the console and lag residing jubilant.

After which the a equivalent game began crashing yet again.

The symptoms were a equivalent. Rather then that the game was now not using the xdcbt instruction. I would possibly possibly possibly without doubt possibly step by means of the code and survey that. We had a excessive recount.

I historical the out of date debugging process of looking at my cloak cloak with a blank thoughts, let the CPU pipelines endure my unconscious, and I without caution discovered the trouble. A handy guide a rough electronic message to IBM showed my suspicion a couple of refined interior CPU element that I had via no means perception of faster than. And it’s the a equivalent wrongdoer in the assistance of Meltdown and Spectre.

The Xbox 360 CPU is an in-assert CPU. It’s dazzling simple in reality, depending on its over the top frequency (now not as over the top as was hoping in spite of 10 FO4) for potency. However it does possess a department predictor – its very extended pipelines fabricate that essential. Proper right here’s a publicly shared CPU pipeline blueprint I made (my cycle-moral model is NDA best, however looky right here) that finds the overall pipelines:


That you’d be ready to additionally survey the department predictor, and it’s reputedly you’ll be able to possibly without doubt possibly survey that the pipelines are very extended (in depth at the blueprint) – lots extended sufficient for mispredicted directions to obtain as so much as race, even with in-assert processing.

So, the department predictor makes a prediction and the predicted directions are fetched, decoded, and carried out – however now not retired until the prediction is recognized to be ethical. Sound acquainted? The belief I had – it was new to me at the time – was what it supposed to speculatively reach a prefetch. The latencies were extended, so it was essential to obtain the prefetch transaction at the bus as virtually within the provide day as possible, and once a prefetch were initiated there was no means to execute it. So a speculatively-executed xdcbt was an so much like a precise xdcbt! (a speculatively-executed load instruction was proper a prefetch, FWIW).

And that was the trouble – the department predictor would once shortly area off xdcbt directions to be speculatively carried out and that was proper as adverse as in reality executing them. Undoubtedly certainly one of my coworkers (thank you Tracy!) recommended a suave check out to inspect this – exchange each and every xdcbt within the game with a breakpoint. This finished two problems:

  1. The breakpoints were not hit, thus proving that the game was now not executing xdcbt directions.
  2. The crashes went away.

I knew that will be the ultimate consequence and but it was aloof extraordinary. These kinds of years later, or even after studying about Meltdown, it’s aloof nerdy cool to imprint cast evidence that directions that were not carried out were causing crashes.

The department predictor realization made it explicit that this instruction was too dangerous to own anywhere within the code segment of any game – controlling when an instruction would possibly possibly possibly without doubt be speculatively carried out is just too refined. The department predictor for oblique branches would possibly possibly possibly without doubt possibly, theoretically, expect any deal with, so there was no “edifying location” to build an xdcbt instruction. And, if speculatively carried out it will fortuitously forestall an extended prefetch of no matter memory the specified registers took location to randomly possess. It was possible to reduce the danger, however now not construct away with it, and it proper wasn’t value it. Whilst Xbox 360 structure discussions proceed to precise the instruction I doubt that any video games ever shipped with it.

I mentioned this once for the period of a task interview – “painting the hardest trojan horse you’ve needed to read about” – and the interviewer’s reaction was “yeah, we hit one thing a equivalent at the Alpha processor”. The extra problems exchange…

Due to Michael for some modifying.

Study More

Check Also



 Microsoftはロンドンで現地時間1月24日から開催される展示会「Bett」に先駆け、2018年の教育機関向け製品を発表した。ノートPC「Lenovo 100e」(189ドル〜)と、「Minecraft: Education Edition」に化学を学べるツールが加わるアップデート、米国時間5月31日まで有効な「HoloLens」(まだ開発者向けキットのみ)のアカデミックライセンスによる10%割引などが目玉だ。 学校向けの低価格ノートPC「Lenovo 100e」  耐久性があるIntelの「Celeron Apollo Lake」プロセッサを搭載する新しいLenovo 100eは、わずか189ドル(約2万1000円)。学校による大量購入向きの価格だが、教育分野で大きく推進されている複合現実(MR)に十分対応できるほどの性能ではない。一方、低価格の「Chromebook」もMRには対応できない。  279ドル(約3万1000円)の新しい「Lenovo 300e」もMRには対応できないが、少なくともタッチペンと3Dをサポートし、ディスプレイ部分が360度回転してタブレットになるコンバーチブル型だ。  Microsoftは、新興経済国における大手パートナーJPが販売する、同等の機能を持ったノートPC2機種も発表した。  その他の発表として、BBC Worldwideが3月に、学校や博物館を対象としてHoloLens/MRバージョンの「Oceans: Our Blue Planet」を世界的に公開する予定で、こちらも素晴らしいものになりそうだ。そしてもちろん、「Office 365 for Education」にも教育関連のアップデートが予定されている。 「Minecraft: Education Edition」に化学が学べるツールが加わる。 この記事は海外CBS Interactive発の記事を朝日インタラクティブが日本向けに編集したものです。

Leave a Reply

Your email address will not be published. Required fields are marked *