CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode

Pietro Borrello, Catherine Easdon, Martin Schwarzl, Roland Czerny, Michael Schwarz

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

Microcode provides an abstraction layer over the instruction set that decomposes complex instructions into simpler micro-operations, which can be implemented more easily in hardware. It is an essential optimization that simplifies the design of x86 processors. However, introducing an additional layer of software beneath the instruction set raises security and reliability concerns. The details of the microcode are confidential to the manufacturers, which prevents independent auditing or customization of the microcode. Moreover, microcode patches are signed and encrypted to prevent unauthorized patching and reverse engineering. Recent research has nevertheless recovered decrypted microcode and reverse-engineered read/write debug mechanisms on Intel Goldmont (Atom), making analysis and customization of microcode possible on a modern Intel microarchitecture. In this work, we present the first framework for static and dynamic analysis of Intel microcode. Building upon prior research, we reverse-engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode, providing complete microcode control on Goldmont systems. Leveraging our framework, we reverse-engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we illustrate the potential security and performance benefits of microcode customization: we provide the first x86 Pointer Authentication Code (PAC) microcode implementation together with its security evaluation, design and implement fast software breakpoints that are more than 1000x faster than standard breakpoints, and present constant-time microcode division.
Original language: English
Title of host publication: IEEE Workshop on Offensive Technologies (WOOT 23)
Publication status: Published - 1 May 2023
Event: 17th IEEE Workshop on Offensive Technologies: WOOT 2023 - Hyatt Regency & Online, San Francisco, United States
Duration: 25 May 2023 → …
Event website: https://wootconference.org/

Workshop

Workshop: 17th IEEE Workshop on Offensive Technologies
Abbreviated title: WOOT
Country/Territory: United States
City: San Francisco
Period: 25/05/23 → …
Internet address: https://wootconference.org/
