cispa_all_3602.pdf (354.65 kB)

Finding and Exploiting CPU Features using MSR Templating

Download (354.65 kB)
conference contribution
posted on 2023-11-29, 18:20 authored by Andreas Kogler, Daniel WeberDaniel Weber, Martin Haubenwallner, Moritz Lipp, Daniel Gruss, Michael SchwarzMichael Schwarz
To ensure backward compatibility while adding new features to CPUs, CPU vendors enable a limited CPU configuration via so-called model-specific registers (MSRs). These MSRs have been introduced for various features, such as debugging, performance monitoring, or security. While many MSRs are documented, there is still a plethora of undocumented or sparsely documented MSRs in modern CPUs. Furthermore, with multiple hundred MSRs, each providing up to 64 configuration bits, it is tedious to find specific configuration options. In this paper, we show that MSRs and their configuration bits can be detected automatically on Intel and AMD CPUs. We introduce MSRevelio, a framework to automatically detect bits that influence the behavior of instructions and semi-automatically find bits controlled by BIOS settings. We show that previously overlooked bits can harden systems against microarchitectural attacks such as Medusa, CrossTalk, and software-prefetch attacks. Additionally, we show that an undocumented lock bit allows disabling AES-NI at runtime, forcing mbedTLS to fall back to an AES implementation vulnerable to cache attacks. Exploiting this fallback inside an SGX enclave, we fully recover the AES key used by the enclave. With our detection approach, we show that security features retrofitted with microcode updates can be easily detected, even before the public documentation of the underlying vulnerability. In our analysis of the Xen hypervisor, we show that Xen's handling of MSRs was flawed for a long time, allowing guests to access undocumented and unhandled MSRs and fingerprint specific Xen versions. Using automated correlation analysis between documented and undocumented MSRs, we discover a previously undocumented MSR correlating with the CPU's timestamp counter. This MSR is also accessible from Xen guests, and we demonstrate a Foreshadow attack when all other timers are unavailable or artificially deteriorated. Our results highlight that transparency is crucial for features interacting closely with CPU internals.


Preferred Citation

Andreas Kogler, Daniel Weber, Martin Haubenwallner, Moritz Lipp, Daniel Gruss and Michael Schwarz. Finding and Exploiting CPU Features using MSR Templating. In: IEEE Symposium on Security and Privacy (S&P). 2022.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date


Open Access Type

  • Green


@inproceedings{cispa_all_3602, title = "Finding and Exploiting CPU Features using MSR Templating", author = "Kogler, Andreas and Weber, Daniel and Haubenwallner, Martin and Lipp, Moritz and Gruss, Daniel and Schwarz, Michael", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2022", }

Usage metrics


    No categories selected


    Ref. manager