Inside the AMD Microcode ROM - (Ab)Using AMD Microcode for fun and security 35th Chaos Communication Congress, Leipzig December 27, 2018 Benjamin Kollenda, Philipp Koppe, Marc Fyrbiak, Christian Kison, Christof Paar, Thorsten Holz Horst Görtz Institute for IT-Security emproof Ruhr-Universität Bochum www.emproof.de <firstname.lastname>@rub.de Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 1 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 1 • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor 2 • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs 2 • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding 2 • Power Management • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling 2 • Complex features (Intel SGX) • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management 2 • Update capabilities Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) 2 Microcode Essentials • Firmware for the processor • Fix CPU bugs • Instruction decoding • Exception handling • Power Management • Complex features (Intel SGX) • Update capabilities 2 x86 Instruction Decoding 3 x86 Instruction Decoding 4 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 Microcode Engine (Vector Decoder) 5 • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel 6 • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads 6 • Updates protected by weak authentication • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: 6 • Only one update may be loaded at a time Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication 6 Microcode Updates • Updates are loaded by BIOS or kernel • Header followed by multiple triads • Triad structure: • Updates protected by weak authentication • Only one update may be loaded at a time 6 Microcode RTL sub eax, edx sub.C t56q, rcx, 0x100 jcc ECF, 1 .sw_next // implied sequence word if omitted ld t1d, [eax] st [edx], t1d mov eax, eax .sw_complete mov eax, 1 sub.Q rax, rcx add.EP t56d, eax, ecx .sw_branch 0xF01 7 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 8 Hardware Analysis 9 Hardware Analysis 9 ROM - Recovery Process Overview 10 ROM - Recovery Process Overview 10 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Implement microcode emulator to extract semantics • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution 11 • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics 11 • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level 11 • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) 11 • Whitelist of no-op operations • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations 11 • Emulation yielded 54 additional address pairs ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations 11 ROM - Mapping Recovery Details • Mapping recovery requires physical-virtual address pairs • Updates yield only two pairs • Generate mappings by matching the semantics of triads between ROM dump and address based execution • Implement microcode emulator to extract semantics • Works on triad level • Determines output state based on given input (x86 and microcode registers) • Supports known arithmetic operations • Whitelist of no-op operations • Emulation yielded 54 additional address pairs 11 ROM - Mapping Result 12 ROM - Implementation of Instructions • SHRD - 0xACA • RDTSC - 0x318 • WRMSR - 0x6A9 13 Outline • Crash course: Micro-architecture basics and Microcode • Reconstructing the Microcode ROM • Application examples • Framework overview 14 • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision 15 • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer 15 • Microcode-assisted instrumentation • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization 15 • Authenticated microcode updates • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation 15 • Enclave-like execution environment Microcode applications • Configurable rdtsc precision • Microcode assisted Address Sanitizer • Microcode instruction set randomization • Microcode-assisted instrumentation • Authenticated microcode updates 15 Microcode applications •