Sandsifter program finds bugs, secret instructions and other oddities in computer processors


Speaking of cool “hacker” interfaces on real security software, I argue that, in principle, some programs which use timing-based side-channel attacks against secret keys could be programmed to do the Hollywood-style piecemeal reveal of the password/access code. The only problem is whether statistical data can be collected and analyzed quickly enough to make it feasible.

I mean, it’s impractical, but I think it could work.


The real hacker interface:





The summary says Sandsifter throws “random” machine code at a processor, which suggests fuzz testing. The quote says it generates machine code “systematically,” which suggests it’s exploring the entire instruction space. I’m too lazy to read the article to find out which it actually is.


From the GitHub page it can do both, and it has additional modes where it tries to more intelligently explore the instruction space.


Back when I was the last guy learning analog control systems, we called something like this “interrogating” a system. Given enough inputs, you can reliably reconstruct what’s inside the black box. There’s probably a parallel theorem for digital systems, but they need to get off my lawn.


I’ll bet there’s all sorts of neat stuff in there. Modern x86 instruction sets are insane. Not only are there umpty modes, but the instructions are baroque. Worse, there are the advisory instructions, for example suggesting that a branch is likely to or not to be taken. There’s no way to search this kind of space by hand. I assume this code starts throwing stuff down based on the various generalized instruction syntaxes (syntices?) and watches what happens.

My guess is that the secret instructions aren’t usually just complete codes. They’re likely to be discovered when random data is executed. I’m guessing it’s in the various mode combinations where 00, 01 and 10 are accounted for, but 11 is left as an exercise for the processor.

Hmph, x86 specific, but there’s that BlackHat talk and paper. What is there for videocards?
GLandsifter seems intuitive enough an extension. Find all the feels in your videocard.
ISAdmawall doesn’t roll the same.
goes on about AVX512 instructions in Xeon-ish bits (or just post Knight’s Landing.)
Where to go asking for surplus Xeon Phi things (not that I installed solar power for that yet…maybe better energy harvesters for the street noise energy.)

It’s cool that there is a tool to do this.

I’m not surprised about the hidden instructions. Most APIs have some undocumented interfaces, usually used for debugging or testing, but where the manufacturer doesn’t want to support them for customer use.

I’m also not surprised about the bugs found. There is an old saying that all non-trivial software has bugs, and any software without bugs is trivial. The same would likely apply to hardware.

The challenge is to make sure that none of these bugs and hidden instructions do something damaging, or introduce security risks, or cause other problems. Hopefully manufacturers will use this or tools like it to find those issues and fix them before they escape into the wild.

We can only hope that ones in this spirit aren’t common (because our odds of detecting them aren’t so hot…); but I’ve always had a fondness for this little proof of concept. Designed to be very small, simple, mostly analog; capacitively coupled to a signal line that doesn’t get toggled fast enough for the energy input to overcome the self discharge rate; but any of a number of completely valid and low privilege operations can toggle the line fast enough to power it up and toggle something security critical.

You can get malice that’s smaller and more elegant; but typically only from organisms with a billion years of protein toxin optimization experience.

Christopher Domas is a pretty engaging speaker and quite a few of his presentations are available on YouTube (search for his name).

He mentions SandSifter in at least a few talks. This one focuses on SandSifter in particular.
