UNIVERSITY of CALIFORNIA, SAN DIEGO JIT Spraying Threats on ARM and Defense by Diversification a Dissertation Submitted in Parti


UNIVERSITY OF CALIFORNIA, SAN DIEGO

JIT Spraying Threats on ARM and Defense by Diversification

A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science

by

Wing-Soon Wilson Lian

Committee in charge:
  Professor Stefan Savage, Co-Chair
  Professor Hovav Shacham, Co-Chair
  Professor Ranjit Jhala
  Professor Gert Lanckriet
  Professor Geoffrey M. Voelker

2016

Copyright Wing-Soon Wilson Lian, 2016. All rights reserved.

The Dissertation of Wing-Soon Wilson Lian is approved and is acceptable in quality and form for publication on microfilm and electronically:

Co-Chair
Co-Chair

University of California, San Diego, 2016

TABLE OF CONTENTS

Signature Page
Table of Contents
List of Figures
List of Tables
Acknowledgements
Vita
Abstract of the Dissertation
Introduction
Chapter 1 Background
Chapter 2 Assumptions and Threat model
Chapter 3 ARM Architecture
  3.1 Instruction sets
  3.2 Core registers
  3.3 Endianness
  3.4 Conditional execution
Chapter 4 JIT Spraying Payloads on ARM
  4.1 Introduction
  4.2 Controlling JIT compiler output
    4.2.1 Attacker-controlled bits
    4.2.2 Immediate bits
    4.2.3 Register fields
    4.2.4 Arithmetic woes
  4.3 Same-instruction set self-sustaining payloads on ARM
  4.4 Cross-instruction set self-sustaining payloads
    4.4.1 Thumb-to-ARM self-sustaining payloads
    4.4.2 ARM-to-Thumb self-sustaining payloads
  4.5 Gadget chaining payloads
Chapter 5 Thumb gadget chaining against JavaScriptCore
  5.1 The JavaScriptCore JavaScript Engine
    5.1.1 Low Level Interpreter
    5.1.2 Baseline JIT
    5.1.3 Data Flow Graph (DFG) JIT
    5.1.4 Fourth Tier LLVM (FTL) JIT
    5.1.5 JavaScript value representation
    5.1.6 JavaScript call stack and calling convention
  5.2 Proof of concept gadget chaining attack
    5.2.1 Gadget generation
    5.2.2 Pinpointing gadgets in memory
    5.2.3 Preparing registers and branching to gadgets from JavaScript
    5.2.4 Returning from gadgets without crashing
    5.2.5 Analysis of the proof of concept attack
Chapter 6 ARM Gadget Chaining against V8
  6.1 The V8 JavaScript Engine
  6.2 Proof of concept gadget chaining attack
    6.2.1 Gadget layout and creation
    6.2.2 Artificial control flow vulnerability
    6.2.3 Failure-tolerant invocation
    6.2.4 Analysis
Chapter 7 ARM-to-Thumb Self-sustaining JIT Spraying against SpiderMonkey
  7.1 SpiderMonkey JavaScript Engine
    7.1.1 Bytecode Interpreter
    7.1.2 Baseline JIT
    7.1.3 IonMonkey JIT
  7.2 Proof of concept Turing-complete self-sustaining payload
    7.2.1 Implementing an SBNZ One Instruction Computer
    7.2.2 Encoding challenges
    7.2.3 Encoding a NOP sled
    7.2.4 System calls
    7.2.5 Design shortcomings
Chapter 8 Defensive Just-In-Time Code Emission on ARM
  8.1 Introduction
  8.2 Survey of Proposed JIT Spraying Mitigations
    8.2.1 Capability confinement
    8.2.2 Memory protection
    8.2.3 Diversification mechanisms
    8.2.4 Concrete diversification proposals
  8.3 State of Mitigation Deployment
    8.3.1 JavaScriptCore
    8.3.2 V8
    8.3.3 SpiderMonkey
    8.3.4 Chakra
  8.4 Understanding the costs and benefits of diversification mitigations
    8.4.1 Implementations
    8.4.2 Evaluation
Chapter 9 Conclusion
Bibliography

LIST OF FIGURES

Figure 1.1. Illustration of a NOP sled encoded in the bytes implementing the statement x = 0x3c909090 ^0x3c909090 ^0x3c909090;
Figure 4.1. Example of two possible Thumb-mode decodings of a sequence of halfwords.
Figure 4.2. Example decoding of four consecutive bytes of little endian instruction memory into two Thumb halfwords and an ARM instruction with both a condition flag and an ALU destination register.
Figure 4.3. Illustrations of the three classes of halfwords from which unintended ARM instructions can draw their most significant half.
Figure 4.4. Diagram of the second halfword encoding found in many Thumb ALU instructions with an immediate operand.
Figure 4.5. Diagram illustrating the use of 16-bit Thumb branch instructions as the most significant half of unintended ARM instructions.
Figure 4.6. Illustration of ARM-to-Thumb payloads.
Figure 4.7. Illustration of how the immediate-operand bitwise AND instruction from the ARM instruction set (top row) can be decoded as two 16-bit Thumb-2 instructions (bottom row).
Figure 4.8. Illustration of using a virtual PC (in this case R6) to more efficiently utilize the space skipped over by branches.
Figure 4.9. Diagram of the invocation of the read gadget with arrows showing control flow.
Figure 5.1. Illustration mapping the bits of an IEEE 754 double precision floating-point number to the tag and payload portions of a 32-bit JSC JS value.