
CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode

conference contribution
posted on 2023-11-29, 18:25 authored by Pietro Borrello, Catherine Easdon, Martin Schwarzl, Roland Czerny, Michael Schwarz
Microcode provides an abstraction layer over the instruction set that decomposes complex instructions into simpler micro-operations which can be implemented more easily in hardware. It is an essential optimization that simplifies the design of x86 processors. However, introducing an additional layer of software beneath the instruction set raises security and reliability concerns. The microcode details are confidential to the manufacturers, which prevents independent auditing or customization of the microcode. Moreover, microcode patches are signed and encrypted to prevent unauthorized patching and reverse engineering. Recent research has nevertheless recovered decrypted microcode and reverse-engineered read/write debug mechanisms on Intel Goldmont (Atom), making analysis and customization of microcode possible on a modern Intel microarchitecture. In this work, we present the first framework for static and dynamic analysis of Intel microcode. Building upon prior research, we reverse-engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode, providing complete microcode control on Goldmont systems. Leveraging our framework, we reverse-engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we illustrate the potential security and performance benefits of microcode customization: we provide the first x86 Pointer Authentication Code (PAC) microcode implementation together with its security evaluation, we design and implement fast software breakpoints that are more than 1000x faster than standard breakpoints, and we present constant-time microcode division.
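The PAC case study above is implemented by the authors in Goldmont microcode, which this page does not reproduce. As an added software illustration of the same scheme (not the paper's code), the C program below signs a pointer by storing a keyed MAC of the address and a context modifier in the upper bits of the pointer, and authenticates it by recomputing the MAC; on mismatch it returns a deliberately non-canonical pointer so that a later dereference faults. Assumptions made here, not taken from the page: 48-bit user-space virtual addresses (bits 63..48 zero), the PAC placed in bits 62..48, a toy keyed mixing function standing in for a real MAC, and a `key` array standing in for a key register that user code cannot read.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed layout: 48-bit user VA, so bits 62..48 (15 bits) are free for
 * the PAC and bit 63 distinguishes a failed authentication. */
#define PAC_SHIFT 48
#define PAC_BITS  15
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK (((uint64_t)1 << PAC_SHIFT) - 1)

/* Toy 64-bit mixer (MurmurHash3 finalizer). It is NOT a secure MAC; a real
 * design would use a proper MAC or tweakable block cipher in its place. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

/* Keyed tag over (address, modifier), truncated to the PAC field width.
 * The modifier binds the signature to a context (e.g. the stack pointer
 * at the time a return address is signed) to stop cross-context replay. */
static uint64_t pac_mac(uint64_t addr, uint64_t modifier, const uint64_t key[2]) {
    uint64_t h = mix64(addr ^ key[0]);
    h = mix64(h ^ modifier ^ key[1]);
    return h & PAC_MASK;
}

/* Sign: clear any previous PAC, compute the tag, embed it in bits 62..48. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, const uint64_t key[2]) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | (pac_mac(addr, modifier, key) << PAC_SHIFT);
}

/* Authenticate: recompute the tag and compare in constant time. On
 * success the canonical address is returned; on failure bit 63 is set,
 * which makes the result non-canonical so a dereference faults. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, const uint64_t key[2]) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint64_t got  = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    uint64_t want = pac_mac(addr, modifier, key);
    uint64_t diff = got ^ want;
    /* bad == 1 iff diff != 0, computed without a data-dependent branch */
    uint64_t bad = (diff | (0 - diff)) >> 63;
    return addr | (bad << 63);
}

/* True if the pointer is a usable canonical user-space address. */
bool pac_is_canonical_user(uint64_t p) {
    return (p >> PAC_SHIFT) == 0;
}

int main(void) {
    /* Constructed sample values: a fake key, a fake return address and a
     * fake stack pointer used as the context modifier. */
    const uint64_t key[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    uint64_t ret_addr = 0x00005555deadb000ULL;
    uint64_t sp       = 0x00007ffc12345678ULL;

    uint64_t signed_ret = pac_sign(ret_addr, sp, key);
    printf("signed   : 0x%016llx\n", (unsigned long long)signed_ret);

    uint64_t ok = pac_auth(signed_ret, sp, key);
    printf("auth ok  : 0x%016llx canonical=%d\n",
           (unsigned long long)ok, pac_is_canonical_user(ok));

    /* Attacker overwrites the low address bits but keeps the PAC field. */
    uint64_t tampered = pac_auth(signed_ret ^ 0x10, sp, key);
    printf("tampered : 0x%016llx canonical=%d\n",
           (unsigned long long)tampered, pac_is_canonical_user(tampered));

    /* Attacker replays a validly signed pointer in a different context. */
    uint64_t replayed = pac_auth(signed_ret, sp + 0x100, key);
    printf("replayed : 0x%016llx canonical=%d\n",
           (unsigned long long)replayed, pac_is_canonical_user(replayed));
    return 0;
}
```

With only 15 spare bits, a forged PAC succeeds with probability 2^-15 per attempt, which is why such a scheme relies on a failed authentication being fatal (the non-canonical pointer faults on use) rather than silently retried. The comparison is branch-free so that the check itself does not leak which tag bits mismatched through timing.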

History

Preferred Citation

Pietro Borrello, Catherine Easdon, Martin Schwarzl, Roland Czerny and Michael Schwarz. CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode. In: Workshop on Offensive Technologies (WOOT). 2023.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Workshop on Offensive Technologies (WOOT)

Legacy Posted Date

2023-03-10

Open Access Type

  • Green

BibTeX

@inproceedings{cispa_all_3911,
  title     = "CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode",
  author    = "Borrello, Pietro and Easdon, Catherine and Schwarzl, Martin and Czerny, Roland and Schwarz, Michael",
  booktitle = "{Workshop on Offensive Technologies (WOOT)}",
  year      = "2023",
}
