The document presents a thought experiment by Christopher Domas on the implications of simplifying machine instructions to primarily 'mov' commands within the x86 architecture. It explores the potential benefits of this method, such as simplifying the instruction format and reducing costs related to complex functional units. The discussion includes practical implementations of basic programming concepts like conditional statements and loops using only 'mov' instructions.

1. {
reductio
[ad absurdum]
domas / @xoreaxeaxeax / Shakacon 2017

2.  Christopher Domas
 Cyber Security Researcher @
Battelle Memorial Institute
./bio

3.  Observation:
 Different paths can produce the same result.
 Thought experiment:
 Can the inverse be true?
 Can one path produce different results?
./intro

4.  Observation:
 Groups of (machine) instructions can often be reduced
x = x * 2
x = x + x
vs.
x = x * 4
 Thought experiment:
 How much could one program be reduced?
./intro

5.  (bear with me)
Let’s backtrack a bit…

6. 4004e9: mov dword [rbp-8], 0
4004f2: push 600004
4004f8: call printf
4004fa: pop eax
4004fc: add dword [rbp-8], 1
400500: cmp dword [rbp-8], 100
400507: jle 4004f2
Assembly…

7.  mov is Turing-complete
 Stephen Dolan
 www.cl.cam.ac.uk/~sd601/papers/mov.pdf
mov

8. mov destination, source
mov

9.  Any code we write …
 … can be written as a set of movs instead
 … and nothing else
 Really?
Turing Complete?

10. 4004e9: mov dword [rbp-8], 0
4004f2: push 600004
4004f8: call printf
4004fa: pop eax
4004fc: add dword [rbp-8], 1
400500: cmp dword [rbp-8], 100
400507: jle 4004f2

11. 80515bc: mov eax,ds:0x835d81a
80515c1: mov ebx,DWORD PTR [eax+0x835d6fc]
80515c7: mov edx,DWORD PTR ds:0x835d7da
80515cd: mov eax,0x0
80515d2: mov al,BYTE PTR [ebx+edx*1]
80515d5: mov al,BYTE PTR [eax+0x835dc7e]
80515db: mov BYTE PTR [ebx+edx*1],al
80515de: mov eax,ds:0x835d81a
80515e3: mov ebx,DWORD PTR [eax+0x835d6fc]
80515e9: mov edx,DWORD PTR ds:0x835d7da
80515ef: mov eax,0x0
80515f4: mov al,BYTE PTR [ebx+edx*1]

12. Removing all but the mov instruction from
future iterations of the x86 architecture
would have many advantages: the
instruction format would be greatly
simplified, the expensive decode unit
would become much cheaper, and silicon
currently used for complex functional
units could be repurposed as even more
cache. As long as someone else
implements the compiler.
- Stephen Dolan

14.  Where to begin…?
Key Ideas

15.  mov can check equality
Key Ideas

16.  mov [x], 0
 mov [y], 1
 mov R, [x]
x==y

17.  x=3, y=3
 mov [x], 0
 mov [y], 1
 mov R, [x]
x==y

18.  x=2, y=3
 mov [x], 0
 mov [y], 1
 mov R, [x]
x==y

19.  Requires a single jmp instruction to
loop back to the beginning
 Incidental
 We fixed this later
Key Ideas

20.  start:
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 mov …
 jmp start

21.  Build on Dolan’s ideas
 Adapt primitive TM operations for higher level logic
 Work on actual data, not abstract symbols
 Add new operations
 If/else
 Arithmetic
 Logic
 Jumps
 Loops
 Etc…
 Bring it closer to something we can use
Idea…

22. Implementing if

23.  IF X == Y THEN
 X = 100
Implementing if

24.  The catch:
 We have no branches
 All paths execute, no matter what
 Solution:
 Force a path to operate on “dummy” data,
if we don’t want its results
Implementing if

25.  IF X == Y THEN
 X = 100
Implementing if
Selector
Data
Scratch

26.  IF X == Y THEN
 X = 100
Implementing if
Data
Scratch
⇐
⇐
Selector

27.  IF X == Y THEN
 X = 100
Implementing if
Data
Scratch
Selector

28.  IF X == Y THEN
 X = 100
Implementing if
Data
Scratch
⇐
⇐
Selector

29.  IF X == Y THEN
 X = 100
Implementing if
Data
Scratch
Selector

30. ; X == Y
mov eax, [X]
mov [eax], 0
mov eax, [Y]
mov [eax], 4
mov eax, [X]
; X = 100
mov eax, [SELECT_X + eax]
mov [eax], 100
Implementing if

31. Simple extensions give us
if/else
if/elseif/else
Inequality checks
Implementing if

32. %macro eq 3
mov eax, 0
mov al, [%2]
mov byte [e+eax], 0
mov byte [e+%3], 4
mov al, [e+eax]
mov [%1], al
%endmacro

33. %macro neq 3
mov eax, 0
mov al, [%2]
mov byte [e+eax], 4
mov byte [e+%3], 0
mov al, [e+eax]
mov [%1], al
%endmacro

34. ; create selector
%macro c_s 1
%1: dd 0
d_%1: dd 0
s_%1: dd d_%1, %1
%endmacro

35.  Extend the if/else idea
Loops and branches

36.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov …
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start

37.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov …
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov … ← Implement a branch from here…
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start

38.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov … ← Implement a branch from here…
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start

39.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov … ←
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
Store target
Switch to dummy data
0x100c
OFF

40.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov … ← Check if branch target
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
OFF

41.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov … ← Check if branch target
 0x102c mov …
 0x1030 jmp start
0x100c
OFF

42.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov … ← Check if branch target
 0x1030 jmp start
0x100c
OFF

43.  start:
 0x1000 mov … ← Check if target
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
OFF

44.  start:
 0x1000 mov …
 0x1004 mov … ← Check if target
 0x1008 mov …
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
OFF

45.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov … ← Check if target
 0x100c mov … ← … to here
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
OFF

46.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ←
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
OFFTarget match
Switch to real data

47.  start:
 0x1000 mov …
 0x1004 mov …
 0x1008 mov …
 0x100c mov … ←
 0x1010 mov …
 0x1014 mov …
 0x1018 mov …
 0x101c mov …
 0x1020 mov …
 0x1024 mov …
 0x1028 mov …
 0x102c mov …
 0x1030 jmp start
0x100c
ONTarget match
Switch to real data

48.  Look up tables!
 One byte versions are easy.
Arithmetic

49. unsigned char inc[]={
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64,
65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80,
81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96,
97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112,
113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,
129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,
145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,
161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,
177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,
193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,
209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,
225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,
241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0
};

50. incb:
%assign y 1
%rep 256
db y&0xff
%assign y y+1
%endrep

51. ; increment eax with mov
mov eax, [inc + eax]
Arithmetic

52. %macro add32 4
mov eax, 0
mov ebx, 0
mov ecx, 0
mov edx, 0
mov dword [%4], 0
add8 %1+0, %2+0, %3+0, %4
add8 %1+1, %2+1, %3+1, %4
add8 %1+2, %2+2, %3+2, %4
add8 %1+3, %2+3, %3+3, %4
%endmacro

53. mov eax,0x0
mov ebx,0x0
mov ecx,0x0
mov edx,0x0
mov dword [dword 0x8049576],0x0
mov al,[0x804956a]
mov bl,[dword 0x804956e]
mov cl,[dword 0x8049576]
mov dl,[eax+ecx+0x8049168]
mov al,[ebx+edx+0x8049168]
mov [0x8049572],al
mov al,[ebx+edx+0x8049369]
mov [0x8049576],al
mov al,[0x804956b]
mov bl,[dword 0x804956f]
mov cl,[dword 0x8049576]
mov dl,[eax+ecx+0x8049168]
mov al,[ebx+edx+0x8049168]
mov [0x8049573],al
mov al,[ebx+edx+0x8049369]
mov [0x8049576],al
mov al,[0x804956c]
mov bl,[dword 0x8049570]
mov cl,[dword 0x8049576]
mov dl,[eax+ecx+0x8049168]
mov al,[ebx+edx+0x8049168]
mov [0x8049574],al
mov al,[ebx+edx+0x8049369]
mov [0x8049576],al
mov al,[0x804956d]
mov bl,[dword 0x8049571]
mov cl,[dword 0x8049576]
mov dl,[eax+ecx+0x8049168]
mov al,[ebx+edx+0x8049168]
mov [0x8049575],al
mov al,[ebx+edx+0x8049369]
mov [0x8049576],al
mov eax,[0x8049572]

54. mov dword [q], 0
mov dword [r], 0
%assign bb 31
%rep 32
bit c, n, bb
shl32 r, c
mov dword [c], 0
gte32 t, r, d, c
mov eax, [t]
mov edx, [sel_r+4*eax]
mov [psr], edx
mov edx, [sel_q+4*eax]
mov [psq], edx
mov eax, [psr]
mov eax, [eax]
mov [dummy_r], eax
sub32 dummy_r, dummy_r, d, c
mov eax, [psr]
mov edx, [dummy_r]
mov [eax], edx
mov eax, [psq]
mov eax, [eax]
mov [dummy_q], eax
set32 dummy_q, bb
mov eax, [psq]
mov edx, [dummy_q]
mov [eax], edx
%assign bb bb-1
%endrep
mov eax, [q]

56.  lcc
 esi/edi
 Calling convention
 Emulated stack
 32 bit ALU
 Simplified dummy selectors
 102 IL instructions
 Not bad!
The M/o/Vfuscator

57.  mov-only C Compiler
 https://github.com/xoreaxeaxeax
 First single instruction C compiler!
The M/o/Vfuscator

58.  prime
 Cube
 M/o/Vfuscator
The M/o/Vfuscator

64.  How much can we simplify a program?
 We’ve gotten rid of…
 Functions
 Loops
 Branches
 Arithmetic
 … it’s an okay start.
Reduction

65.  We have all the same instructions
 mov
 But they’re not all the ”same”
 mov eax, edx
 mov [100], bl
 mov di, 0x1337
 mov eax, [edx + 2 * ecx + 0x1094801]
Reduction

66.  Eliminate register to register transfers
 mov eax, edx
becomes
 mov [0x1000], edx
 mov eax, [0x1000]
x86 addressing

67.  Eliminate constant to register transfers
 mov eax, 12345
becomes
 _temp: .dword 12345
 mov eax, [_temp]
x86 addressing

68.  All instructions now either
read or write to memory.
x86 addressing

69.  Eliminate 8 and 16 bit addressing
 mov al, [100]
becomes
 mov [200], eax
 mov eax, [100 - 3]
 mov [200 - 3], eax
 mov eax, [200]
x86 addressing
200 100

70.  Simplify memory addressing
 mov eax, [0x1234 + ecx + 8 * edx]
 Use the M/o/Vfuscator ALU!
 Calculate ecx + 8 * edx
 Accumulate results in ecx
 Result:
 (dozens of mov ALU instructions)
 mov eax, [0x1234 + ecx]
x86 addressing

71.  No more register to register transfers.
 No more constant to register transfers.
 No more 8 or 16 bit instructions.
 All memory accesses are of the form
[reg + constant]
 mov instructions are now all
mov reg, [reg + constant]
or
mov [reg + constant], reg
Almost there.

72.  We still use 8 registers!
 Decrease to 2 by storing extras to
scratchpad memory
 All mov instructions now
mov esi/edi, [esi/edi + constant]
or
mov [esi/edi + constant], esi/edi
Registers

73.  Writes: mov [esi/edi + constant], esi/edi
 Reads: mov esi/edi, [esi/edi + constant]
 Alternate reads and writes
 1 read, followed by 1 write,
followed by 1 read, followed by 1 write…
 Insert dummy (unused) accesses
Alternating memory

74. mov esi,[edi+0x816d0e8]
mov [edi+0x816d104],esi
mov esi,[edi+0x816d0c8]
mov [edi+0x816d0e8],esi
mov esi,[edi+0x816d0e0]
mov [edi+0x816d0ec],esi
mov esi,[edi+0x816d0eb]
mov [edi+0x816d0e8],esi
mov esi,[edi+0x816d0e0]
mov [edi+0x816d0e9],esi
mov esi,[edi+0x816d0e8]
mov [edi+0x816d10c],esi
mov esi,[edi+0x816d0c8]
mov [edi+0x816d0e8],esi
mov esi,[edi+0x816d0e0]
mov [edi+0x816d0e9],esi
mov esi,[edi+0x816d0e8]
mov [edi+0x816d0e8],esi
mov esi,[edi+0x816d0e0]
mov [edi+0x816d0e9],esi
mov esi,[edi+0x816d0e8]
mov [edi+0x816d0f8],esi
mov esi,[edi+0x816d0c8]
mov [edi+0x816d0e8],esi
The result…

75.  Can we take it further?

76. Psuedo-registers
 Instead of registers,
use memory to hold the register contents
 esi becomes [0x890100]
 edi becomes [0x890200]
 Let’s call these memory locations
“psuedo-registers”

77. A ‘synthetic’ mov
 With psuedo-registers, our movs look like
mov [0x890100],[[0x890200]+0x816d0e8]
 At this point, we’re just moving values
to/from different locations in memory
 … but this is no longer a valid x86 instruction

78. A ‘synthetic’ mov
 Let’s invent a new instruction, “MOVE”
 MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]
 Our broken x86 instruction
mov [0x890100],[[0x890200]+0x816d0e8]
 Becomes
 MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]

79. A ‘synthetic’ mov
 Translate the old mov instructions
into the more generic MOVE instruction
 mov esi,[edi+0x816d0e8]
becomes
MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
 mov [edi+0x816d0e8], esi
becomes
MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]

80. A ‘synthetic’ mov
 Why is this useful?
 All instructions now have exactly the same form.

81. Extracting the essence
MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
{ 0x890100, 0, 0x890200, 0x816d0e8 }
 Extract all of the MOVE operands into a table.

82.  We’ve distilled our entire C program
into a table describing
a long list of simple data transfers
 Let’s write a program to
perform the actions described in the table
So now what?

83. Load the table into esi…
 table:
 0x890100, 0, 0x890200, 0x816d0e8
 ...
 mov esi, table

84. Execute a memory
read…
 table:
 0x890100, 0, 0x890200, 0x816d0e8
 ...
 mov ebx, [esi] ; load addr of psuedo-reg 1
 mov ebx, [ebx] ; load psuedo-reg 1
 add ebx, [esi+4] ; add offset
 mov ebx, [ebx] ; perform memory read

85. Execute a memory
write…
 table:
 0x890100, 0, 0x890200, 0x816d0e8
 ...
 mov edx, [esi+8] ; load addr of psuedo-reg 2
 mov edx, [edx] ; load psuedo-reg 2
 add edx, [esi+12]; add offset
 mov [edx], ebx ; perform memory write

86. Rinse, repeat.
 table:
 0x890100, 0, 0x890200, 0x816d0e8
 0x990010 ; pointer to next table entry
 mov esi, [esi+16] ; move to next entry
 jmp loop ; repeat the whole process

87. mov esi, table
loop:
mov ebx, [esi]
mov ebx, [ebx]
add ebx, [esi+4]
mov ebx, [ebx]
mov edx, [esi+8]
mov edx, [edx]
add edx, [esi+12]
mov [edx], ebx
mov esi, [esi+16]
jmp loop
table:
0x890100, 0, 0x890200, 0x816d0e8
...
With the reductio toolchain,
a C program compiles to ->

88.  Thought experiment:
 How far can we reduce a program?
So…?

89.  Every program ever written
can be reduced to exactly this ->
So…?
mov esi, table
loop:
mov ebx, [esi]
mov ebx, [ebx]
add ebx, [esi+4]
mov ebx, [ebx]
mov edx, [esi+8]
mov edx, [edx]
add edx, [esi+12]
mov [edx], ebx
mov esi, [esi+16]
jmp loop

90.  Thought experiment:
 Can one sequence of instructions
produce entirely different results?
So…?

91.  This instruction stream
simultaneously implements
everything.
So…?
mov esi, table
loop:
mov ebx, [esi]
mov ebx, [ebx]
add ebx, [esi+4]
mov ebx, [ebx]
mov edx, [esi+8]
mov edx, [edx]
add edx, [esi+12]
mov [edx], ebx
mov esi, [esi+16]
jmp loop

92. AES Minesweeper

93.  (Can’t show compiling )
./demo

94.  The instruction sequence
executed by the processor
is the same for every program.
mov esi, table
loop:
mov ebx, [esi]
mov ebx, [ebx]
add ebx, [esi+4]
mov ebx, [ebx]
mov edx, [esi+8]
mov edx, [edx]
add edx, [esi+12]
mov [edx], ebx
mov esi, [esi+16]
jmp loop

95.  1.
 If every program is the same,
malware detection gets a whole lot harder.
(demo)
 Doing the same thing
 (In practice)
Implications

96.  2.
 Exploitation
 “AVROP” (Mark Barnes, MWR Labs)
 https://github.com/mwrlabs/avrop
 AVR microcontroller (Raspberry Pi)
 Harvard architecture: limited to ROP
 Small memory: very few gadgets
 Fortunately, all we need is mov.
Implications

97.  The AVROP machine
Implications

98.  3.
 It’s cool!
 A philosophical conclusion…
 If the code makes no difference,
what does it mean ‘to program’?
Implications

100. github.com/xoreaxeaxeax
 reductio
 M/o/Vfuscator
 REpsych
 x86 0-day PoC
 Etc.
Feedback? Ideas?
domas
 @xoreaxeaxeax
 xoreaxeaxeax@gmail.com