DOCSLIB.ORG

Inside the AMD Microcode ROM - (Ab)Using AMD Microcode for Fun and Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Inside the AMD Microcode ROM - (Ab)Using AMD Microcode for Fun and Security Inside the AMD Microcode ROM - (Ab)Using AMD Microcode for fun and security 35th Chaos Communication Congress, Leipzig December 27, 2018 Benjamin Kollenda, Philipp Koppe, Marc Fyrbiak, Christian Kison, Christof Paar, Thorsten Holz Horst Görtz Institute for IT-Security emproof Ruhr-Universität Bochum www.emproof.de <firstname.lastname>@rub.de Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 1 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 1 • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor 2 • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs 2 • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding 2 • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling 2 • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management 2 • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) 2 Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities 2 x86 Instruction Decoding 3 x86 Instruction Decoding 4 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel 6 • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads 6 • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: 6 • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication 6 Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time 6 Microcode RTL sub eax, edx sub.C t56q, rcx, 0x100 jcc ECF, 1 .sw_next // implied sequence word if omitted ld t1d, [eax] st [edx], t1d mov eax, eax .sw_complete mov eax, 1 sub.Q rax, rcx add.EP t56d, eax, ecx .sw_branch 0xF01 7 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 8 Hardware Analysis 9 Hardware Analysis 9 ROM - Recovery Process Overview 10 ROM - Recovery Process Overview 10 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics 11 • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level 11 • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) 11 • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations 11 • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations 11 ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs 11 ROM - Mapping Result 12 ROM - Implementation of Instructions • SHRD - 0xACA • RDTSC - 0x318 • WRMSR - 0x6A9 13 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 14 • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision 15 • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer 15 • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization 15 • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation 15 • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates 15 Microcode applications •
Load more

Recommended publications
  • General Processor Emulator [Genproemu]
    Special Issue - 2015 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 NCRTS-2015 Conference Proceedings General Processor Emulator [GenProEmu] Bindu B, Shravani K L, Sinchana Hegde Guide: Mr.Aditya Koundinya B, Asst. Prof Computer Science Department Jyothy Institute Of Technology Tatguni,Bangalore-82 Abstract - GenProEmu is an interactive computer emulation programmable device that accepts digital data as input, package in which the user specifies the details of the CPU to processes it according to instructions stored in its memory, be emulated, including the register set, memory, the and provides results as output. It is an example of microinstruction set, machine instruction set, and assembly sequential digital logic, as it has internal memory. language instructions. Users can write machine or assembly Microprocessors operate on numbers and symbols language programs and run them on the CPU they’ve created. represented in the binary numeral system. GenProEmu simulates computer architectures at the register- transfer level. That is, the basic hardware units from which a The fundamental operation of most CPUs, regardless of the hypothetical CPU is constructed consist of registers and physical form they take, is to execute a sequence of stored memory (RAM). The user does not need to deal with instructions called a program. The instructions are kept in individual transistors or gates on the digital logic level of a some kind of computer memory. There are three steps that machine. nearly all CPUs use in their operation: fetch, decode, and execute. 1. INTRODUCTION Fetch- An embedded system is a computer system with a The first step, fetch, involves retrieving an instruction dedicated function within a larger mechanical or electrical (which is represented by a number or sequence of numbers) system, often with real-time computing constraints.
    [Show full text]
  • Microcode Revision Guidance August 31, 2019 MCU Recommendations
    microcode revision guidance August 31, 2019 MCU Recommendations Section 1 – Planned microcode updates • Provides details on Intel microcode updates currently planned or available and corresponding to Intel-SA-00233 published June 18, 2019. • Changes from prior revision(s) will be highlighted in yellow. Section 2 – No planned microcode updates • Products for which Intel does not plan to release microcode updates. This includes products previously identified as such. LEGEND: Production Status: • Planned – Intel is planning on releasing a MCU at a future date. • Beta – Intel has released this production signed MCU under NDA for all customers to validate. • Production – Intel has completed all validation and is authorizing customers to use this MCU in a production environment.
    [Show full text]
  • Aviva for Terminal Server(NA)
    Aviva Solutions – Unleashing the Power of Enterprise Information™ Aviva® for Terminal Servers™ Thin-client Multi-host access for thin-clients solution for multi-host connectivity Corporations are in a constant search to protect their technology investments. Bringing 32-bit applications to older generation desktops, Microsoft® Windows Terminal Server platforms has given traditional PCs a new lease on life. Aviva Solutions’ Aviva for Terminal Servers extends the capabilities of Terminal Server technology by providing PC, Mac and UNIX users with the power and capabilities of full-function, 32-bit SNA emulation, Advantages without compromising on features or performance. Users have, at their own legacy desktops, complete access to all Key Features of the emulation, customization, automation, and programmatic Client Platform Independence – Provides DOS, Windows® 3.11, Windows® 95, Windows® 98, capabilities of a full-function emulator, Windows NT®, Windows® 2000, Mac and UNIX users with the power, speed, and features equal without any loss of functionality. to those of a full-function, 32-bit SNA emulator. State-of-the-art, PC-to-host connectivity is now available to a wide range of Multi-Host Connectivity – Supports all the gateways as well as IP connectivity to IBM hosts operating systems and computers, and standard Telnet connectivity to DEC and UNIX hosts. without large investments in new software and hardware. Aviva HotConnect™ – Unique patent-pending “configure once–detect automatically” technology that provides secure, automatic migration from SNA to TCP/IP networks, Aviva Solutions’ Aviva for Terminal and ensures failsafe connectivity; transparently detects and uses the first available network Servers is a true thin-client solution for connection from a pre-defined list of multiple connection types.
    [Show full text]
  • Fax86: an Open-Source FPGA-Accelerated X86 Full-System Emulator
    FAx86: An Open-Source FPGA-Accelerated x86 Full-System Emulator by Elias El Ferezli A thesis submitted in conformity with the requirements for the degree of Master of Applied Science (M.A.Sc.) Graduate Department of Electrical and Computer Engineering University of Toronto Copyright c 2011 by Elias El Ferezli Abstract FAx86: An Open-Source FPGA-Accelerated x86 Full-System Emulator Elias El Ferezli Master of Applied Science (M.A.Sc.) Graduate Department of Electrical and Computer Engineering University of Toronto 2011 This thesis presents FAx86, a hardware/software full-system emulator of commodity computer systems using x86 processors. FAx86 is based upon the open-source IA-32 full-system simulator Bochs and is implemented over a single Virtex-5 FPGA. Our first prototype uses an embedded PowerPC to run the software portion of Bochs and off- loads the instruction decoding function to a low-cost hardware decoder since instruction decode was measured to be the most time consuming part of the software-only emulation. Instruction decoding for x86 architectures is non-trivial due to their variable length and instruction encoding format. The decoder requires only 3% of the total LUTs and 5% of the BRAMs of the FPGA's resources making the design feasible to replicate for many- core emulator implementations. FAx86 prototype boots Linux Debian version 2.6 and runs SPEC CPU 2006 benchmarks. FAx86 improves simulation performance over the default Bochs by 5 to 9% depending on the workload. ii Acknowledgements I would like to begin by thanking my supervisor, Professor Andreas Moshovos, for his patient guidance and continuous support throughout this work.
    [Show full text]
  • COMPLETE MAME 0139 Arcade Emulator FULL Romset
    COMPLETE MAME 0.139 Arcade Emulator FULL RomSet 1 / 4 COMPLETE MAME 0.139 Arcade Emulator FULL RomSet 2 / 4 3 / 4 CoolROM.com's MAME ROMs section. Browse: Top ROMs - By Letter - By Genre. Mobile optimized. ... Top Arcade Emulator. » MAME (Windows). » Kawaks .... Arcade Games Emulator supported by original MAME 0.139. Copy or move your 0.139 MAME zipped ROMs under '/ROMs/ArcadeEmu/roms' directory! And play .... COMPLETE MAME 0.139 Arcade Emulator FULL RomSet -> http://urllio.com/y4hmj c1bf6049bf There are a variety of arcade emulator versions .... Switch between ROMs, Emulators, Music, Scans, etc. by selecting the category tabs below! ... System: Complete ROM Sets (Full Sets in One File) Size: 960M.. For simplicity I will often use the terms MAME and 'Arcade game emulation' ... Download Mame 0 139 Full Bios, Mame 0 137 Roms (Complete 0 Missing.. MAME4DROID 0.139u1 ROMs for Android, iOS, Ouya, etc. ... developed by David Valdeita (Seleuco), port of MAME 0.139u1 emulator by Nicola Salmoria and TEAM. ... FB Alpha v0.2.97.39 Arcade Set ROMS + Samples Size: 11.1 GB Hosting: .... Alpha Fighter / Head On Astropal Born To Fight Brodjaga (Arcade bootleg of ZX Spectrum \'Inspector Gadget and the Circus of Fear\') Carrera .... 100 in 1 Arcade Action II (AT-103), 2.13 Mo ... 3 Bags Full (3VXFC5345, New Zealand), 25 Ko ... 48 in 1 MAME bootleg (set 2, ver 3.09, alt flash), 2.8 Mo.. So, shall I select Ir-mame2010 as emulator as it seems to be the most ... Or will only the roms listed in 0.139 work, and roms added after that not work ? ..
    [Show full text]
  • Simulator, ICE Or ICD?
    Simulator,Simulator, ICEICE oror ICD?ICD? ChoosingChoosing aa DebugDebug ToolTool © 2006 Microchip Technology Incorporated Choosing a Debug Tool Slide 1 Developing an embedded application requires hardware design, software coding and programming a system that is subject to real-world interactions. Hardware and software component must work together in an effective design. A debug tool can •help bring a prototype system up, •it can help identify hardware and software problems both in the prototype and final application and •can assist in fine-tuning the system. Welcome to this seminar. This session is going to discuss the debug tools, examining the reasons why you might choose one over another. 1 WhyWhy Debug?Debug? Difficult to get right the first time Reality interacts with your design Performance issues O Interrupts O Real time response Unit testing Performance analysis © 2006 Microchip Technology Incorporated Debugging Methods Slide 2 “Why Debug at All?” Why do we need this kind of tool? •One answer is that designing an embedded system is a fairly complex activity, involving hardware and software interfacing with the environment -- and few engineers get it exactly right the first time. •Secondly, even well-designed systems will have unknown interactions when deployed. •Third, there may be performance issues with the code. Even correctly running code may not be effective with rapidly recurring interrupts. Alternately, the real time execution of code may not be as expected because of unpredictable behavior when external inputs are applied. •Unit testing may or may not be a requirement of the design. However, to verify that each element is performing according to design, the engineer may need debug functions to test the various modules across a range of controlled conditions.
    [Show full text]
  • Pokas X86 Emulator for Generic Unpacking
    BLUE KAIZEN CENTER OF IT SECURITY Cairo Security Camp 2010 Pokas x86 Emulator for Generic Unpacking Subject : This document gives the user a problem, its solution concept, Previous Solutions, Pokas x86 Emulator, Reliability, Getting the Emulator, Pokas x86 Emulator Design, Usage steps, Debugger Conditions, Debugger Examples and TODO. Author : Amr Thabet Version : 1.0 Date : July, 2010 Nb pages : 17 Pokas x86 Emulator for Generic Unpacking By Amr Thabet [email protected] The Problem: Many packed worms : no time to reverse and step through the packer‟s code Many polymorphic viruses around change their decryptor code and algorithm Need to write a detection algorithm for such viruses The Solution Concept: We need an automatic unpacker Static Unpacker : very sensitive of any changes of the packer No Time for keeping up-to-date of every release of any Unpacker Dynamic Unpacker: not sensitive of the minor changes. It can unpack new packers. We need a Program runs the packed application until it unpacked and stop in the real OEP So we need a Debugger Why not a Debugger? Easily to be detected Dangerous Can‟t monitor the memory Writes Allows only breakpoints on a specific place in memory Previous Solutions: OllyBone: dangerous if it‟s not a packer and could be fooled It‟s not scriptable and semi-automatic It could be easy detected Ida-x86emu: doesn‟t monitor memory writes and no conditional Breakpoints Pandora’s Bochs: hard to be installed, hard to be customized very slow 200 secs for notepad.exe packed with PECompact 2 with a PC 3.14 GHz and 2.00 GB ram Pokas x86 Emulator It‟s a Dynamic link library Easily to be customized Monitor all memory writes and log up to 10 previous Eips and saves the last accessed and the last modified place in memory.
    [Show full text]
  • Mame Rom Free
    Mame rom free click here to download MAME ROMS downloads including MAME emulators.​ROM. · ​Metal Slug 3 ROM. · ​AD ROM. MAME ROMS · ​Most Popular. Download M.A.M.E. - Multiple Arcade Machine Emulator ROMs. Step 1» To browse MAME ROMs, scroll up and choose a letter or select Browse by Genre. www.doorway.ru's MAME ROMs section. Browse: Top ROMs or By Letter. Mobile optimized. Note: The ROMs on these pages have been approved for free distribution on this site only. Just because they are available here for download does not entitle. Today i will start test mame games with this version of emulator. Do not delete files from directory "Roms". There are Bios files what emulator need for. Download section for MAME ROMs of Rom Hustler. Browse ROMs by download count and ratings. % Fast Downloads! Top MameROMs @ Dope Roms. com. ROM Page: Top Mame Roms - DopeROMs. GEO: USA | Language: EN. The ROM Top Mame ROMs. MAME ROMs. Here are all 1, ROMs that I have that work with MacMame! Back to the MacMame 45 | 46 | 47 | 48 | 49 | 50 | Game, Rom, Screenshot. 1. 48 in 1 MAME bootleg (set 1, ver ), Ko. 48 in 1 MAME bootleg (set 2, ver , alt flash), Mo. 48 in 1 MAME bootleg (set 3, ver ), Ko. MAME Roms|MAME Emulators|Free Downloads for Android iPhone iPad|Cool Free MAME Roms. Video game arcade classics with screenshots - MAME roms for download. Download MAME b11 ROMs quickly and free. ROMs work perfectly with PC, Android, iPhone, and Windows Phones! Download MAME b11 ROMs for free and play on your Windows, Mac, Android and iOS devices! MAME (an acronym of Multiple Arcade Machine Emulator) is an emulator application designed to recreate the hardware of arcade game.
    [Show full text]
  • The Central Processor Unit
    Systems Architecture The Central Processing Unit The Central Processing Unit – p. 1/11 The Computer System Application High-level Language Operating System Assembly Language Machine level Microprogram Digital logic Hardware / Software Interface The Central Processing Unit – p. 2/11 CPU Structure External Memory MAR: Memory MBR: Memory Address Register Buffer Register Address Incrementer R15 / PC R11 R7 R3 R14 / LR R10 R6 R2 R13 / SP R9 R5 R1 R12 R8 R4 R0 User Registers Booth’s Multiplier Barrel IR Shifter Control Unit CPSR 32-Bit ALU The Central Processing Unit – p. 3/11 CPU Registers Internal Registers Condition Flags PC Program Counter C Carry IR Instruction Register Z Zero MAR Memory Address Register N Negative MBR Memory Buffer Register V Overflow CPSR Current Processor Status Register Internal Devices User Registers ALU Arithmetic Logic Unit Rn Register n CU Control Unit n = 0 . 15 M Memory Store SP Stack Pointer MMU Mem Management Unit LR Link Register Note that each CPU has a different set of User Registers The Central Processing Unit – p. 4/11 Current Process Status Register • Holds a number of status flags: N True if result of last operation is Negative Z True if result of last operation was Zero or equal C True if an unsigned borrow (Carry over) occurred Value of last bit shifted V True if a signed borrow (oVerflow) occurred • Current execution mode: User Normal “user” program execution mode System Privileged operating system tasks Some operations can only be preformed in a System mode The Central Processing Unit – p. 5/11 Register Transfer Language NAME Value of register or unit ← Transfer of data MAR ← PC x: Guard, only if x true hcci: MAR ← PC (field) Specific field of unit ALU(C) ← 1 (name), bit (n) or range (n:m) R0 ← MBR(0:7) Rn User Register n R0 ← MBR num Decimal number R0 ← 128 2_num Binary number R1 ← 2_0100 0001 0xnum Hexadecimal number R2 ← 0x40 M(addr) Memory Access (addr) MBR ← M(MAR) IR(field) Specified field of IR CU ← IR(op-code) ALU(field) Specified field of the ALU(C) ← 1 Arithmetic and Logic Unit The Central Processing Unit – p.
    [Show full text]
  • Pep8cpu: a Programmable Simulator for a Central Processing Unit J
    Pep8CPU: A Programmable Simulator for a Central Processing Unit J. Stanley Warford Ryan Okelberry Pepperdine University Novell 24255 Pacific Coast Highway 1800 South Novell Place Malibu, CA 90265 Provo, UT 84606 [email protected] [email protected] ABSTRACT baum [5]: application, high-order language, assembly, operating This paper presents a software simulator for a central processing system, instruction set architecture (ISA), microcode, and logic unit. The simulator features two modes of operation. In the first gate. mode, students enter individual control signals for the multiplex- For a number of years we have used an assembler/simulator for ers, function controls for the ALU, memory read/write controls, Pep/8 in the Computer Systems course to give students a hands-on register addresses, and clock pulses for the registers required for a experience at the high-order language, assembly, and ISA levels. single CPU cycle via a graphical user interface. In the second This paper presents a software package developed by an under- mode, students write a control sequence in a text window for the graduate student, now a software engineer at Novell, who took the cycles necessary to implement a single instruction set architecture Computer Organization course and was motivated to develop a (ISA) instruction. The simulator parses the sequence and allows programmable simulator at the microcode level. students to single step through its execution showing the color- Yurcik gives a survey of machine simulators [8] and maintains a coded data flow through the CPU. The paper concludes with a Web site titled Computer Architecture Simulators [9] with links to description of the use of the software in the Computer Organiza- papers and internet sources for machine simulators.
    [Show full text]
  • Reverse Engineering X86 Processor Microcode
    Reverse Engineering x86 Processor Microcode Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar, and Thorsten Holz, Ruhr-University Bochum https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/koppe This paper is included in the Proceedings of the 26th USENIX Security Symposium August 16–18, 2017 • Vancouver, BC, Canada ISBN 978-1-931971-40-9 Open access to the Proceedings of the 26th USENIX Security Symposium is sponsored by USENIX Reverse Engineering x86 Processor Microcode Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar, and Thorsten Holz Ruhr-Universitat¨ Bochum Abstract hardware modifications [48]. Dedicated hardware units to counter bugs are imperfect [36, 49] and involve non- Microcode is an abstraction layer on top of the phys- negligible hardware costs [8]. The infamous Pentium fdiv ical components of a CPU and present in most general- bug [62] illustrated a clear economic need for field up- purpose CPUs today. In addition to facilitate complex and dates after deployment in order to turn off defective parts vast instruction sets, it also provides an update mechanism and patch erroneous behavior. Note that the implementa- that allows CPUs to be patched in-place without requiring tion of a modern processor involves millions of lines of any special hardware. While it is well-known that CPUs HDL code [55] and verification of functional correctness are regularly updated with this mechanism, very little is for such processors is still an unsolved problem [4, 29]. known about its inner workings given that microcode and the update mechanism are proprietary and have not been Since the 1970s, x86 processor manufacturers have throughly analyzed yet.
    [Show full text]
  • The Legality and Morality of Video Game Emulation (Research-In- Progress)
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by AIS Electronic Library (AISeL) Association for Information Systems AIS Electronic Library (AISeL) SAIS 2020 Proceedings Southern (SAIS) Fall 9-11-2020 The Legality and Morality of Video Game Emulation (Research-In- Progress) Mehruz Kamal State University of New York at Brockport, [email protected] Xavier Vogel State University of New York at Brockport, [email protected] Follow this and additional works at: https://aisel.aisnet.org/sais2020 Recommended Citation Kamal, Mehruz and Vogel, Xavier, "The Legality and Morality of Video Game Emulation (Research-In- Progress)" (2020). SAIS 2020 Proceedings. 14. https://aisel.aisnet.org/sais2020/14 This material is brought to you by the Southern (SAIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in SAIS 2020 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact [email protected]. Kamal & Vogel The Legality and Morality of Video Game Emulation THE LEGALITY AND MORALITY OF VIDEO GAME EMULATION Mehruz Kamal Xavier Vogel State University of New York at Brockport State University of New York at Brockport [email protected] [email protected] ABSTRACT The purpose of this paper is to examine the various factors surrounding video game emulation as well as the legal and moral implications of the technology. Firstly, the background and history of the technology is described and explored. Next, the laws surrounding emulation are examined, with it being shown that a great deal of people are not aware of how the law impacts the technology and the consequences of this.
    [Show full text]