Reverse Engineering x86 Processor Microcode
Vancouver, Canada, August 18, 2017
Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar, Thorsten Holz
Horst Görtz Institute for IT-Security, Ruhr-Universität Bochum
x86 CPUs are prone to errors
x86 ISA is complex
Hex                                Mnemonics
C3                                 ret
48 b8 88 77 66 55 44 33 22 11      movabs rax, 0x1122334455667788
64 ff 03                           DWORD PTR fs:[ebx]
64 67 66 f0 ff 07                  lock inc WORD PTR fs:[bx]
2e c4 e2 71 96 84 be 34 23 12 01   vfmaddsub132ps xmm0, xmm1, xmmword ptr cs:[esi + edi * 4 + 0x11223344]
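The encodings in this table split into prefix, REX/VEX, opcode, ModRM/SIB, displacement and immediate fields as sketched below (an added example, not code from the talk or its authors). The function names are chosen here, only the opcodes on the slide are covered, and the ModRM rows are decoded as 32-bit code while the `movabs` row is decoded as 64-bit code.

```python
LEGACY = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs",
          0x66: "opsize", 0x67: "addrsize", 0xF0: "lock", 0xF2: "repne", 0xF3: "rep"}
SEGMENTS = ("es", "cs", "ss", "ds", "fs", "gs")
REGS32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
RM16 = ("bx+si", "bx+di", "bp+si", "bp+di", "si", "di", "bp", "bx")


def split_prefixes(code, mode):
    """Return (legacy prefix names, REX byte, VEX bytes, offset of the opcode byte)."""
    i, names = 0, []
    while i < len(code) and code[i] in LEGACY:
        names.append(LEGACY[code[i]])
        i += 1
    rex = vex = None
    if i < len(code) and mode == 64 and 0x40 <= code[i] <= 0x4F:
        rex = code[i]                       # in 32-bit code 0x40-0x4F are inc/dec r32
        i += 1
    elif (i + 1 < len(code) and code[i] in (0xC4, 0xC5)
          and (mode == 64 or code[i + 1] >> 6 == 3)):
        size = 3 if code[i] == 0xC4 else 2  # otherwise C4/C5 decode as LES/LDS
        vex = code[i:i + size]
        i += size
    return names, rex, vex, i


def memory_operand(code, i, addr_bits):
    """Decode ModRM, optional SIB and displacement; return (reg field, text, next offset)."""
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return reg, f"reg{rm}", i           # register form, no memory access
    parts = []
    disp_len = (0, 1, addr_bits // 8)[mod]
    if addr_bits == 16:
        if mod == 0 and rm == 6:
            disp_len = 2                    # bare [disp16]
        else:
            parts.append(RM16[rm])
    elif rm == 4:                           # SIB byte follows
        sib = code[i]
        i += 1
        index, base = (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:
            disp_len = 4                    # no base register, disp32 instead
        else:
            parts.append(REGS32[base])
        if index != 4:                      # index 4 means "no index"
            parts.append(f"{REGS32[index]}*{1 << (sib >> 6)}")
    elif mod == 0 and rm == 5:
        disp_len = 4                        # bare [disp32]
    else:
        parts.append(REGS32[rm])
    text = "+".join(parts)
    if disp_len:
        if i + disp_len > len(code):
            raise IndexError("displacement runs past the end")
        disp = int.from_bytes(code[i:i + disp_len], "little", signed=True)
        text = (text + f"{disp:+#x}").lstrip("+")
        i += disp_len
    return reg, "[" + text + "]", i


def decode(hex_bytes, mode):
    """Split one encoding from the slide into fields; mode is 32 or 64."""
    code = bytes.fromhex(hex_bytes)
    names, rex, vex, i = split_prefixes(code, mode)
    if i >= len(code):
        raise ValueError("no opcode byte")
    opcode = code[i]
    i += 1
    fields = {"prefixes": names, "rex": rex, "vex": vex, "opcode": opcode}
    op_bits = 64 if rex is not None and rex & 8 else 16 if "opsize" in names else 32
    if vex is not None or opcode == 0xFF:   # forms that carry a ModRM byte
        if mode != 32:
            raise NotImplementedError("ModRM decoding covers 32-bit code only")
        addr_bits = 16 if "addrsize" in names else 32
        try:
            reg, text, i = memory_operand(code, i, addr_bits)
        except IndexError:
            raise ValueError("truncated instruction") from None
        seg = next((n for n in names if n in SEGMENTS), "")
        if seg and text.startswith("["):
            text = seg + ":" + text
        fields.update(reg=reg, address_bits=addr_bits, operand=text)
        if vex is None:
            fields["operand_bits"] = op_bits
    elif 0xB8 <= opcode <= 0xBF:            # mov r, imm
        size = op_bits // 8
        fields["imm"] = int.from_bytes(code[i:i + size], "little")
        i += size
    elif opcode != 0xC3:
        raise NotImplementedError(f"opcode {opcode:#x} is not on the slide")
    if i != len(code):
        raise ValueError("byte count does not match the decoded length")
    fields["length"] = i
    return fields
```

Decoded as transcribed, the displacement bytes `34 23 12 01` of the last row give 0x01122334, which differs from the 0x11223344 shown in its mnemonic column.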
Micro Ops
pop [ebx]
  load temp, [esp]
  store [ebx], temp
  add esp, 4
x86 Instruction Decoding
Microcode Engine (Vector Decoder)
Research Questions
• How does the microcode update mechanism work?
• How can we analyze the microcode encoding and meaning?
• Can we load our own microprograms into the CPU?
• Are there security implications?
• AMD K8 and K10 processor families
Related Work
Microcode Update Mechanism
• Kernel mode
• Load microcode update into RAM
• Write virtual address to MSR 0xC0010020
• Microcode patches not persistent
Microcode Update File Format
Reverse Engineering Setting
• Unknown instruction set analysis
• Black box model with oracle
• Feed inputs, filter and observe outputs
• Infer structure, encoding, meaning
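A toy version of this black-box setting, added here as an illustration and not taken from the authors' framework: a constructed 12-bit instruction word with a hidden layout stands in for the processor, and single-bit flips run against two known register states recover the field boundaries. The oracle, its encoding, the register states and all names are assumptions made for the example.

```python
STATE_A = (0x10, 0x20, 0x30, 0x40)        # constructed register contents
STATE_B = (0x100, 0x300, 0x700, 0xF00)    # second state with different spacing
WIDTH = 12                                # size of the toy instruction word


def toy_oracle(word, regs):
    """Constructed stand-in for the processor; the analysis never reads this body."""
    op, dst, src, imm = word >> 8, (word >> 6) & 3, (word >> 4) & 3, word & 15
    if op != 0x5:
        return None                       # models a hang or reset
    out = list(regs)
    out[dst] = (regs[src] + imm) & 0xFFFF
    return tuple(out)


def observe(oracle, word):
    """Run a word on both states.

    Returns None on a crash, [] when no single register write is visible,
    otherwise [(register index, new value)] for STATE_A and STATE_B.
    """
    seen = []
    for regs in (STATE_A, STATE_B):
        out = oracle(word, regs)
        if out is None:
            return None
        changed = [i for i in range(len(regs)) if out[i] != regs[i]]
        if len(changed) != 1:
            return []
        seen.append((changed[0], out[changed[0]]))
    return seen


def find_base(oracle):
    """First word whose effect, and that of every non-crashing neighbour, is visible."""
    for word in range(1 << WIDTH):
        if not observe(oracle, word):
            continue                      # filter crashes and silent words
        flips = [observe(oracle, word ^ (1 << b)) for b in range(WIDTH)]
        if all(f is None or f for f in flips):
            return word
    raise LookupError("no usable base word")


def classify_bits(oracle):
    """Label each bit of the word by what flipping it does to the observed output."""
    base = find_base(oracle)
    (reg_a, val_a), (_, val_b) = observe(oracle, base)
    labels = []
    for bit in range(WIDTH):
        seen = observe(oracle, base ^ (1 << bit))
        if seen is None:
            # This toy has one valid opcode; with several, a flip could select
            # another operation instead of crashing and would need more probes.
            labels.append("opcode")
        elif seen[0][0] != reg_a:
            labels.append("dst")          # a different register was written
        elif seen[0][1] - val_a == seen[1][1] - val_b:
            labels.append("imm")          # same delta regardless of register contents
        else:
            labels.append("src")          # delta depends on register contents
    return labels


def fields(labels):
    """Collapse per-bit labels into {label: (lowest bit, highest bit)}; assumes contiguous fields."""
    spans = {}
    for bit, label in enumerate(labels):
        lo, _ = spans.get(label, (bit, bit))
        spans[label] = (lo, bit)
    return spans
```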
Framework
Processor Oracle
Analysis - Heatmaps
Analysis - Brute Force
add eax, imm16
Analysis - Automated Tests
Analysis - Infer Logic of ROM Triads
Analysis - Hardware
Results - Micro Ops
• Heatmaps
• 29 Micro Ops
◦ Logic, arithmetic, load, store
◦ Write x86 program counter
◦ Conditional microcode branch
• Sequence word
◦ Next triad, sequence complete, unconditional branch
• Substitution engine
Results - Augment x86 instructions
• Jump back to ROM
◦ DIV
• Emulate instruction logic
◦ IMUL, SHRD, CMPXCHG, ENTER
Our Microprograms
• Instrumentation
• Remote microcode backdoors
◦ Control flow hijack in browsers induced by microcode
◦ Triggered remotely with ASM.JS or WebAssembly
• Cryptographic microcode Trojans
◦ Introduce timing side-channels in constant-time ECC implementation
◦ Inject faults to enable fault attacks
Sample Microprogram (simplified)
sub.Z t1d, eax
jcc EZF, 0x2
or t12d, eax, 0x8

div2 t15q, t24q, 0xd5
srl t13w, ax, 0x8
div1.C t19d, t12d, t56d

mov t9d, t9d, regmd4
add.EP t56d, edx, t56d
jcc True, -0x800

mov eax, eax
add t1d, pcd, 1
writePC t1d
Demo
Summary
• We built a framework for microcode reverse engineering
• We reverse engineered substantial parts of the encoding
• We implemented meaningful microprograms from scratch
https://github.com/RUB-SysSec/microcode/