
Video [OffensiveCon 2023] CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode

weaver

The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been an exclusive privilege of the product vendors. For Intel CPUs, even the details of the high-level workings of CPU microcode were only available by digging into patents and not publicly documented.

In this talk, we present the first framework for static and dynamic analysis of Intel Atom microcode. Building upon prior research, we reverse engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode to provide complete microcode control on Goldmont systems.

Leveraging our frameworks, we reverse engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we provide the first x86 Pointer Authentication Code (PAC) microcode implementation performing its security evaluation, design and implement fast software breakpoints (more than 1000x faster than standard breakpoints), and present constant-time microcode division, illustrating the potential security and performance benefits of microcode customization.
slides


The first analysis framework for CPU microcode

Video
youtube.com/watch?v=5Pq1FmxS6H8&list=PLYvhPWR_XYJmh-qBNKUrlyjQYKBpCDZzB
 
it is only for goldmont cores inside intel atom --> gemini, apollo --> because of such exploit --> CPU switch for a pc --> throws itself into debug mode --> XuCode))))
if you want to build such a top tool --> find a bug to enter debug mode for your CPU --> you might need to eat at PCB level maybe

you cannot study other cores + future goldmont cores --> sadly intel will patch old cpus with microcode updates maybe + fix it inside the next generation

we can now study security instructions (+especially SGX) + the garbage intel throws inside our cpu with microcode patches

github.com/chip-red-pill/MicrocodeDecryptor
github.com/chip-red-pill/uCodeDisasm
github.com/chip-red-pill/crbus_scripts


but --> the demon management engine sits on the external chipset + another ring down from CPU state --> you can see it from the CPU --> but the OS running inside the management engine itself has been getting decoded for a long time --> there are bugs but 0 backdoor findings

interesting such is if IME backdoor is confirmed --> this will take not only intel itself --> + other major hardware companies (including nvidia with the ai revolution --> for example they started to detect loading of LLM models inside the 40 series --> send telemetry to NVIDIA servers) to the courts --> +++ --> and a cool point in the history of government surveillance via hardware backdooring

but the problem itself --> IME itself might be required for some useful important things, for example such as power gating + thermal regulation + scheduling + ... --> the CPU is woven like that from design --> you cannot simply eat+replace it from software+firmware --> replacing it is more difficult than inside 2009 cpus


LockBitSupp is happy now? looks like a 100KB code dump --> i was not so paranoid about hardware backdoors but now maybe( --> if he can reveal more such top secret info to the public --> everyone will thank him and beat the drums

but we can work ourselves --> microcode --> non persistence)) --> reboot --> CPU will sit back at the manufacturing time version --> if you can find such a cool way to a safe environment + update firmware --> load your own private mega patched microcode --> disable intel's unsafe microcode --> you can eat such backdoors++ --> but not IME itself(

--> wait for more years + if you are not caught by authorities with such a bastard NSA backdoor slipping a cobalt strike beacon inside the white house network or you are such a journalist --> RISC-V))))
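As an added example (not code from the talk's framework or from the chip-red-pill repositories), the following Python validates an Intel microcode update blob the way a loader does before applying it, which is the file format behind both the update-algorithm analysis in the abstract and the point above that an applied update is gone after a reboot until the BIOS or OS reloads it. The header layout and the zero-sum DWORD checksum follow Intel's public SDM description; the CPUID signature 0x506C9 (Goldmont / Apollo Lake), the platform id, the date and the payload are assumed sample values constructed for the demo.

```python
import struct

# Intel microcode update header (Intel SDM vol. 3, "Microcode Update Facilities"):
# nine little-endian DWORDs plus 12 reserved bytes; the update data begins at offset 48.
HEADER = struct.Struct("<9I12x")
HEADER_SIZE = HEADER.size  # 48
FIELDS = ("header_version", "update_revision", "date", "processor_signature",
          "checksum", "loader_revision", "processor_flags", "data_size", "total_size")

def dword_sum(blob):
    """Sum of every DWORD mod 2**32; the SDM requires a valid update to sum to zero."""
    n = len(blob) // 4
    return sum(struct.unpack("<%dI" % n, blob[:n * 4])) & 0xFFFFFFFF

def parse_header(blob):
    h = dict(zip(FIELDS, HEADER.unpack_from(blob)))
    if h["data_size"] == 0:            # legacy encoding: 2000-byte body, 2048-byte update
        h["data_size"], h["total_size"] = 2000, 2048
    d = h["date"]                      # BCD mmddyyyy packed into one DWORD
    h["date_str"] = "%04x-%02x-%02x" % (d & 0xFFFF, d >> 24, (d >> 16) & 0xFF)
    return h

def verify_update(blob, cpu_signature, platform_id):
    """Structural, checksum and applicability checks a loader performs before applying.
    platform_id is the 3-bit value from IA32_PLATFORM_ID; bit N of processor_flags
    set means the update is valid for platform N. Returns (ok, reason)."""
    if len(blob) < HEADER_SIZE:
        return False, "too short"
    h = parse_header(blob)
    if h["header_version"] != 1 or h["loader_revision"] != 1:
        return False, "unknown header/loader revision"
    if h["total_size"] > len(blob) or h["total_size"] < HEADER_SIZE + h["data_size"]:
        return False, "size fields inconsistent"
    if dword_sum(blob[:h["total_size"]]) != 0:
        return False, "checksum mismatch"
    if h["processor_signature"] != cpu_signature:
        return False, "processor signature mismatch"
    if not (h["processor_flags"] >> platform_id) & 1:
        return False, "platform flag not set"
    return True, "revision 0x%x dated %s" % (h["update_revision"], h["date_str"])

def build_sample_update(revision, cpu_signature, flags, payload, date=0x05192023):
    """Constructed sample blob (not a real Intel update): pads the payload to DWORDs
    and sets the checksum field so that the whole update sums to zero."""
    payload += b"\0" * (-len(payload) % 4)
    total = HEADER_SIZE + len(payload)
    fields = [1, revision, date, cpu_signature, 0, 1, flags, len(payload), total]
    fields[4] = (-dword_sum(HEADER.pack(*fields) + payload)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload

if __name__ == "__main__":
    # Assumed sample values: CPUID signature 0x506C9 (Goldmont / Apollo Lake), platform 1.
    blob = build_sample_update(0x1234, 0x506C9, 0b10, b"constructed sample microcode body")
    print(verify_update(blob, 0x506C9, 1))      # (True, 'revision 0x1234 dated 2023-05-19')
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    print(verify_update(tampered, 0x506C9, 1))  # (False, 'checksum mismatch')
```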
 
NSA Backdoor Slipping Cobalt Strike in the White house network lol this made my day 🤣😂🤣