Some interesting facts about the reverse engineering of x86 microcode, from research by Ruhr University Bochum
Microcode is an abstraction layer on top of the physical components of a CPU and is present in most CPUs.
It facilitates complex instruction sets, but it also provides an update mechanism that allows CPUs to be patched in place without requiring any special hardware.
Currently very little is known about the inner workings of microcode, because both this abstraction layer and the update mechanism are proprietary and have not been thoroughly analyzed yet.
A group from the Ruhr University Bochum (Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar and Thorsten Holz) has started hacking on the microcode in the AMD K8 and K10 processors, discovering some interesting facts.
Take a look at this talk from the 34th Chaos Communication Congress:
In this talk we will first start with a (short) crash course in CPU architecture and where microcode is used in practice. We will then cover our reverse engineering methods and how we were able to discover the semantics of x86 microcode. We then demonstrate, also with live demos, this knowledge with multiple microcode programs that implement both defensive measures as well as provide an attacker with hard-to-detect backdoors. Lastly we will discuss security problems and possible solutions to protect against them. We also provide example microcode programs for your own CPUs (use at your own risk) and a kernel patch to apply them on a Linux system. Also we will have some systems with us so you can try your hand at writing some microcode yourself.
Also watch this talk from USENIX Security ’17:
Currently the “microcode explorations” are still in progress, and a large part of the microcode instruction set is still left to discover.
So a nearly undetectable trojan could be developed that runs in the microcode itself, between the compiled code and the CPU.
For more technical information, please refer to the research group’s GitHub repository:
This repository contains a collection of x86 CPU microcode samples in binary and RTL form. The samples are compiled from scratch and specifically work with AMD’s K10 processor family.