
Exploring Hidden x86 CPU Instructions and Their Security Implications

The article investigates whether modern x86 CPUs contain undocumented or hidden instructions, explains how to search the instruction space using a depth‑first algorithm that leverages page‑fault side‑effects to determine instruction length, and presents the results of uncovering such hidden opcodes on Intel and AMD processors, highlighting the potential security risks.

IT Services Circle

Hi, I’m Xuan Yuan. We all know that high‑level source code is compiled into machine instructions that the CPU can execute, and the set of supported instructions is defined by the CPU's ISA.

For a long time I wondered whether CPUs might have undocumented or hidden instructions that are not listed in the official manuals.

Recent security research, such as the Meltdown and Spectre vulnerabilities, has shown that CPUs cannot always be trusted, and hidden instructions could be a serious threat if exploited by malicious actors.

I had not investigated this question seriously until a Black Hat 2017 presentation, us-17-Domas-Breaking-The-x86-ISA by @xoreaxeaxeax, sparked my curiosity.

The report analyzes hidden x86 instructions in depth. It was originally written in English, and I will explain the key ideas in simpler language.

One might ask: are there really hidden instructions if the instruction set is fully documented? To illustrate, consider the single‑byte opcode space (0x00‑0xFF). Intel’s manual lists most bytes, e.g., 0x90 is nop, but some entries, like 0xF1, are empty. What does the CPU do when it encounters such a byte?

The report’s main contribution is a method to discover these undocumented opcodes.

Instruction Set Search Space

Because x86 is a CISC architecture with variable‑length instructions, the search space is huge. Single‑byte, double‑byte, and longer instructions exist, with the longest reaching over ten bytes. Exhaustively enumerating all possible byte sequences quickly becomes infeasible.

Instruction Search Algorithm

The authors propose a depth‑first search that quickly skips irrelevant bytes. For example, a push instruction that starts with the opcode 0x68 is followed by four bytes that are just data, and those bytes can be ignored during the search.

By recognizing such patterns, the algorithm dramatically reduces the number of byte sequences that need to be examined.

How to Determine Instruction Length

The key idea is to place the tail of a candidate byte sequence on a non‑executable memory page. When the CPU tries to decode the instruction, it will raise a page‑fault if it needs to fetch a byte from the non‑executable page, revealing that the instruction is longer than the bytes currently on the executable page.

By iteratively moving the boundary between executable and non‑executable pages and observing where the fault occurs, the exact length of the instruction can be inferred.
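
The following simulation ties together the two ideas above, the boundary-sliding length inference and the depth-first search that skips data bytes. It is an added example, not code from the presentation: `fetch_faults` is a hypothetical stand-in for the real page fault, and its three-entry decode table is constructed for illustration.

```python
MAX_LEN = 15  # architectural limit on x86 instruction length

def fetch_faults(code, k):
    """Simulated CPU (assumption, stands in for real hardware): only code[:k]
    is on the executable page. Returns True when decoding needs a byte past
    the boundary, i.e. the fetch page-faults inside this instruction."""
    need = 1                                  # toy default: one-byte opcode
    if code[0] == 0x68:
        need = 5                              # opcode + 4 data bytes
    elif code[0] == 0x0F:
        need = 2                              # two-byte opcode
        if k >= 2 and code[1] == 0x80:
            need = 6                          # toy entry: opcode + 4 data bytes
    return need > k

def instruction_length(code):
    """Slide the page boundary right one byte at a time until the fetch
    fault disappears; the first k without a fault is the length."""
    for k in range(1, MAX_LEN + 1):
        if not fetch_faults(code, k):
            return k
    raise ValueError("no valid length within MAX_LEN")

def search():
    """Depth-first search: always mutate the last byte of the current
    instruction, so trailing data bytes cost 255 tries each, not 256**n."""
    buf, marker, prev_len, lengths = bytearray(MAX_LEN), 0, None, {}
    while True:
        n = instruction_length(buf)
        lengths[bytes(buf[:n])] = n
        if n != prev_len:                     # new shape: jump to its last byte
            marker, prev_len = n - 1, n
        while marker >= 0 and buf[marker] == 0xFF:
            buf[marker] = 0                   # byte exhausted: roll over, back up
            marker -= 1
        if marker < 0:
            return lengths
        buf[marker] += 1

if __name__ == "__main__":
    found = search()
    print(len(found), "candidates executed instead of", 256 ** 6)
    print("0x68 length:", found[bytes([0x68, 0, 0, 0, 0])])
```

On real hardware the oracle would be replaced by executing the candidate at the end of an executable page and inspecting the resulting fault; a scanner then compares each observed length and exception against a disassembler's view to flag undocumented opcodes.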

Mining Hidden Instructions

Using the described algorithm, the authors mined an Intel Core i7 and an AMD Athlon CPU. The results showed dozens of opcodes that are executable on the hardware but are absent from the official Intel/AMD manuals.

Some of these hidden instructions have been reverse‑engineered, while others remain undocumented, raising concerns about potential backdoors or undisclosed features.

The discovery underscores the importance of hardware‑level security and the need for transparent, auditable CPU designs, especially for domestic, secure, and self‑controlled computing platforms.

What do you think about these hidden instructions? Share your thoughts in the comments.
