Some interesting facts about reverse-engineering of x86 microcode, from a research by Ruhr University Bochum

Microcode is an abstraction layer on top of the physical components of a CPU and is present in most CPUs.

It facilitates complex instruction sets, but it also provides an update mechanism that allows CPUs to be patched in place without requiring any special hardware.

Currently very little is known about the inner workings of microcode, since both this abstraction layer and the update mechanism are proprietary and have not yet been thoroughly analyzed.
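Because the update mechanism is opaque, one of the few things an administrator can check from the operating system is the microcode revision each logical CPU reports. The following is an added example (not code from the post or from the RUB-SysSec repository): it parses the `/proc/cpuinfo` layout Linux uses, groups cores by the `microcode` field, and flags any core whose revision differs from the majority, which is the kind of inconsistency you would expect after a partial update or an unexpected patch load. The embedded sample text is constructed; the family, model and revision values in it are illustrative placeholders, not values taken from the research.

```python
"""Group the microcode revision Linux reports per logical CPU and flag
cores that disagree with the majority.  Added example, not part of the
original post or of the RUB-SysSec/Microcode repository."""
import sys
from collections import defaultdict

# Constructed sample in the layout of /proc/cpuinfo, abridged to the
# fields this script uses.  CPU 3 deliberately reports a different
# (older-looking) revision so the outlier path is exercised.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 16
model\t\t: 4
microcode\t: 0x10000db

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 16
model\t\t: 4
microcode\t: 0x10000db

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 16
model\t\t: 4
microcode\t: 0x10000db

processor\t: 3
vendor_id\t: AuthenticAMD
cpu family\t: 16
model\t\t: 4
microcode\t: 0x10000c8
"""


def parse_cpuinfo(text):
    """Return one dict per 'processor' block, keyed by the field names
    that appear before the colon (blocks are separated by blank lines)."""
    blocks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def microcode_by_revision(blocks):
    """Map each microcode revision (as an int) to the sorted list of
    logical CPU ids that report it.  Blocks without a 'microcode' field
    (older kernels, some virtual machines) are skipped rather than
    treated as revision 0."""
    groups = defaultdict(list)
    for block in blocks:
        rev = block.get("microcode")
        if rev is None:
            continue
        groups[int(rev, 16)].append(int(block["processor"]))
    return {rev: sorted(ids) for rev, ids in groups.items()}


def find_outliers(groups):
    """Return (majority_revision, {cpu_id: revision}) where the dict holds
    every CPU that is not on the majority revision.  An empty input yields
    (None, {})."""
    if not groups:
        return None, {}
    majority = max(groups, key=lambda rev: len(groups[rev]))
    outliers = {cpu: rev for rev, ids in groups.items()
                if rev != majority for cpu in ids}
    return majority, outliers


def report(text):
    """Human-readable summary used by the command-line entry point."""
    majority, outliers = find_outliers(
        microcode_by_revision(parse_cpuinfo(text)))
    if majority is None:
        return "no microcode field found in input"
    lines = [f"majority microcode revision: {majority:#x}"]
    for cpu, rev in sorted(outliers.items()):
        lines.append(f"  cpu {cpu}: revision {rev:#x} differs from majority")
    if not outliers:
        lines.append("  all CPUs agree")
    return "\n".join(lines)


if __name__ == "__main__":
    # With a path argument (e.g. /proc/cpuinfo) read that file; without
    # one, run against the constructed sample so the script works offline.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CPUINFO
    print(report(source))
```

On a real machine run it as `python3 microcode_check.py /proc/cpuinfo`; a revision that disagrees with the rest of the package is worth comparing against the vendor's published microcode for that family/model before trusting the host.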

A group from the Ruhr University Bochum (Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar and Thorsten Holz) has started hacking on the microcode in the AMD K8 and K10 processors, discovering some interesting facts.

Take a look at this talk from the 34th Chaos Communication Congress:

In this talk we will first start with a (short) crash course in CPU architecture and where microcode is used in practice. We will then cover our reverse engineering methods and how we were able to discover the semantics of x86 microcode. We then demonstrate, also with live demos, this knowledge with multiple microcode programs that implement both defensive measures as well as provide an attacker with hard to detect backdoors. Lastly we will discuss security problems and possible solutions to protect against them. We also provide example microcode programs for your own CPUs (use at your own risk) and a kernel patch to apply them on a Linux system. Also we will have some systems with us so you can try your hand at writing some microcode yourself.

And also watch this talk from USENIX Security ’17:


Currently the “microcode explorations” are still in progress, and much of the command set is still left to discover.

So it may become possible to develop nearly undetectable trojans that run in the microcode, between the compiled code and the CPU.

For more technical information, please refer to the research group’s GitHub repository:

https://github.com/RUB-SysSec/Microcode

This repository contains a collection of x86 CPU microcode samples in binary and rtl form. The samples are compiled from scratch and specifically work with AMD’s K10 processor family.

