Wednesday 29 May 2013

Understanding Bit Flips

I will not take all the credit for writing this tutorial about how to debug and understand potential flipped bits in CPU registers. I would to say thanks to Vir Gnarus for helping to understand this very important method.

Okay, let's see with the tutorial, it took me a while to find the thread I used again, so be grateful ;)


CONTEXT: fffff880095630f0 -- (.cxr 0xfffff880095630f0)
rax=fffffa800f5177c8 rbx=fffffa800f5177c0
rcx=f7fffa800f5177c8
rdx=fffffa800d01ebf0 rsi=00000000014a2e00 rdi=fffffa800f616640
rip=fffff800030c7ccb rsp=fffff88009563ad0 rbp=00000000014a2e70
r8=0000000000000000 r9=0000000000000000 r10=fffffa800cb045d0
r11=00000000001f0003 r12=fffff88002fd5180 r13=fffffa800f5177c8
r14=fffffa800f4e09d8 r15=fffffa800f5177c8
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KiInsertQueue+0xab:
fffff800`030c7ccb 48894108 mov qword ptr [rcx+8],rax ds:002b:f7fffa80`0f5177d0=????????????????
As we can see from the above Context Switch, the register which the CPU was reading from has a 7 in the middle of it's memory address. This is the flipped bit.




3: kd> .formats f7fffa800f5177c8
Evaluate expression:
Hex: f7fffa80`0f5177c8
Decimal: -576466799360378936
Octal: 1737777650001724273710
Binary: 11110111 11111111 11111010 10000000 00001111 01010001 01110111 11001000
Chars: .....Qw.
Time: ***** Invalid FILETIME
Float: low 1.03276e-029 high -1.03837e+034
Double: -1.05588e+270
   

3: kd> .formats fffffa800f5177c8
Evaluate expression:
Hex: fffffa80`0f5177c8
Decimal: -6047056955448
Octal: 1777777650001724273710
Binary: 11111111 11111111 11111010 10000000 00001111 01010001 01110111 11001000
Chars: .....Qw.
Time: ***** Invalid FILETIME
Float: low 1.03276e-029 high -1.#QNAN
Double: -1.#QNAN
Using the .formats command, we can gain the binary representation of the memory address contained within the CPU registers, and then compare these two binary instructions to give us a confirmation of a flipped bit. As you can see, the address with the random 7, has a 0 instead of a 1 in the beginning of it's address, this indicates a flipped bit.

The crash resulted, because the corrupted memory addresses within the CPU registers were being accessed.  The usual causes for these bit flips can be a result of the CPU, PSU and motherboard. A large number of bits being changed, can be due to a the hard-drive or the RAM being at fault.








No comments:

Post a Comment