Reverse Engineering x86 Processor Microcode
This work addresses the proprietary and poorly understood microcode in CPUs, revealing security vulnerabilities that could affect all users of these processors, though it is incremental in building on existing reverse-engineering efforts.
The researchers reverse-engineered the microcode semantics and update mechanism of AMD's K8 and K10 CPUs, enabling the development of custom microcode updates, including microprograms for CPU-assisted instrumentation and microcoded Trojans that allow remote code execution and cryptographic attacks.
Microcode is an abstraction layer on top of the physical components of a CPU and present in most general-purpose CPUs today. In addition to facilitate complex and vast instruction sets, it also provides an update mechanism that allows CPUs to be patched in-place without requiring any special hardware. While it is well-known that CPUs are regularly updated with this mechanism, very little is known about its inner workings given that microcode and the update mechanism are proprietary and have not been throughly analyzed yet. In this paper, we reverse engineer the microcode semantics and inner workings of its update mechanism of conventional COTS CPUs on the example of AMD's K8 and K10 microarchitectures. Furthermore, we demonstrate how to develop custom microcode updates. We describe the microcode semantics and additionally present a set of microprograms that demonstrate the possibilities offered by this technology. To this end, our microprograms range from CPU-assisted instrumentation to microcoded Trojans that can even be reached from within a web browser and enable remote code execution and cryptographic implementation attacks.