Custom Processing Unit: Tracing and Patching Intel Atom Microcode

Presented at Black Hat USA 2022, Aug. 11, 2022, 2:30 p.m. (30 minutes).

The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been an exclusive privilege of the product vendors. For Intel CPUs, even the details of the high-level workings of CPU microcode were only available by digging into patents and not publicly documented.<br><br>In this talk, we present the first systematic study of Intel Atom Microcode and a software-only framework that can observe, trace, and even patch microcode execution, shedding unprecedented light into the internal workings of Intel CPUs.<br><br>We develop a Ghidra decompiler for Atom Microcode and reverse-engineer how the CPU internally uses its control register bus to manage its resources. Resorting to previously disclosed undocumented instructions, we then create a framework that can gain complete control over CPU microcode by replicating such interactions.<br><br>Our framework can assemble and patch micro-instructions, hook CPU events, and trace microcode execution. To showcase its power, we trace and reverse-engineer the routines involved in the obscure Intel CPU microcode update process.<br> <br>For the first time, we disclose the details of the decryption algorithms for microcode updates and the binary format of the decrypted update: an amazing discovery is that a microcode update is, in fact, a custom language interpreted by the CPU. We will make our framework available as open source.

Presenters:

  • Pietro Borrello - PhD Student, Sapienza University of Rome
    Pietro Borrello is a PhD Student at the Sapienza University of Rome, working on System Security. His focus is applying Fuzzing and Program Analysis techniques to find and mitigate architectural and microarchitectural vulnerabilities. He is a passionate CTF player focusing on exploitation and reverse-engineering with both TRX and mhackeroni teams, which he co-founded. He is also the co-founder and current lead of the DEFCON Group in Rome.
  • Martin Schwarzl - PhD Student, Graz University of Technology
    Martin Schwarzl is a Phd student in the CoreSec group at Graz University of Technology. His main research interests are system security with a focus on side channels and microarchitectural security. He is also interested in exploitation, reverse-engineering and CTFs.

Links:

Similar Presentations: