



#### Inside the AMD Microcode ROM -

# (Ab)Using AMD Microcode for fun and security

35<sup>th</sup> Chaos Communication Congress, Leipzig December 27, 2018

> Benjamin Kollenda, Philipp Koppe, Marc Fyrbiak, Christian Kison, Christof Paar, Thorsten Holz

Horst Görtz Institute for IT-Security Ruhr-Universität Bochum <firstname.lastname>@rub.de

emproof www.emproof.de



1

- Crash course: Micro-architecture basics and Microcode
- Reconstructing the Microcode ROM
- Application examples
- Framework overview



#### Crash course: Micro-architecture basics and Microcode

- Reconstructing the Microcode ROM
- Application examples
- Framework overview



• Firmware for the processor

- Firmware for the processor
  - Fix CPU bugs



- Firmware for the processor
  - Fix CPU bugs
  - Instruction decoding



UNIVERSITÄT BOCHUM **RU**B

- Firmware for the processor
  - Fix CPU bugs
  - Instruction decoding
  - Exception handling



BOCHUM

- Firmware for the processor
  - Fix CPU bugs
  - Instruction decoding
  - Exception handling
  - Power Management



- Firmware for the processor
  - Fix CPU bugs
  - Instruction decoding
  - Exception handling
  - Power Management
  - Complex features (Intel SGX)

UNIVERSITÄT BOCHUM RUB

- Firmware for the processor
  - Fix CPU bugs
  - Instruction decoding
  - Exception handling
  - Power Management
  - Complex features (Intel SGX)
- Update capabilities



UNIVERSITÄT BOCHUM RUB

# x86 Instruction Decoding















RUHR UNIVERSITÄT BOCHUM **RU**B













5



• Updates are loaded by BIOS or kernel



- Updates are loaded by BIOS or kernel
- Header followed by multiple triads



- Updates are loaded by BIOS or kernel
- Header followed by multiple triads
- Triad structure:

| 0 | 6           | 4           | 128 | 1           | 92 22            | 4 |
|---|-------------|-------------|-----|-------------|------------------|---|
|   | Operation 1 | Operation 2 |     | Operation 3 | Sequence<br>Word |   |



- Updates are loaded by BIOS or kernel
- Header followed by multiple triads
- Triad structure:

| 0 | 6           | 4           | 128 | 1           | 92 22            | 4 |
|---|-------------|-------------|-----|-------------|------------------|---|
|   | Operation 1 | Operation 2 |     | Operation 3 | Sequence<br>Word |   |

Updates protected by weak authentication

RUHR UNIVERSITÄT BOCHUM

- Updates are loaded by BIOS or kernel
- Header followed by multiple triads
- Triad structure:

| 0 | 6           | 4 1         | 28          | 192 224          |
|---|-------------|-------------|-------------|------------------|
|   | Operation 1 | Operation 2 | Operation 3 | Sequence<br>Word |

- Updates protected by weak authentication
- Only one update may be loaded at a time



```
sub eax, edx
sub.C t56q, rcx, 0x100
jcc ECF, 1
.sw_next // implied sequence word if omitted
```

ld t1d, [eax]
st [edx], t1d
mov eax, eax
.sw\_complete

mov eax, 1
sub.Q rax, rcx
add.EP t56d, eax, ecx
.sw\_branch 0xF01



- Crash course: Micro-architecture basics and Microcode
- Reconstructing the Microcode ROM
- Application examples
- Framework overview









#### **ROM - Recovery Process Overview**





#### **ROM - Recovery Process Overview**







Mapping recovery requires physical-virtual address pairs

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs



RUHR

UNIVERSITÄT BOCHUM RUB

RUHR UNIVERSITÄT BOCHUM

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics

RUHR

UNIVERSITÄT

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics
  - Works on triad level

RUHR

UNIVERSITÄT

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics
  - Works on triad level
  - Determines output state based on given input (x86 and microcode registers)

RUHR

UNIVERSITÄT

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics
  - Works on triad level
  - Determines output state based on given input (x86 and microcode registers)
  - Supports known arithmetic operations

RUHR

UNIVERSITÄT

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics
  - Works on triad level
  - Determines output state based on given input (x86 and microcode registers)
  - Supports known arithmetic operations
  - Whitelist of no-op operations

RUHR

UNIVERSITÄT

## **ROM - Mapping Recovery Details**

- Mapping recovery requires physical-virtual address pairs
- Updates yield only two pairs
- Generate mappings by matching the semantics of triads between ROM dump and address based execution
- Implement microcode emulator to extract semantics
  - Works on triad level
  - Determines output state based on given input (x86 and microcode registers)
  - Supports known arithmetic operations
  - Whitelist of no-op operations
- Emulation yielded 54 additional address pairs

RUHR

UNIVERSITÄT







- SHRD 0×ACA
- RDTSC 0x318
- WRMSR 0×6A9



- Crash course: Micro-architecture basics and Microcode
- Reconstructing the Microcode ROM
- Application examples
- Framework overview



Configurable rdtsc precision



- Configurable rdtsc precision
- Microcode assisted Address Sanitizer



- Configurable rdtsc precision
- Microcode assisted Address Sanitizer
- Microcode instruction set randomization



- Configurable rdtsc precision
- Microcode assisted Address Sanitizer
- Microcode instruction set randomization
- Microcode-assisted instrumentation



- Configurable rdtsc precision
- Microcode assisted Address Sanitizer
- Microcode instruction set randomization
- Microcode-assisted instrumentation
- Authenticated microcode updates



- Configurable rdtsc precision
- Microcode assisted Address Sanitizer
- Microcode instruction set randomization
- Microcode-assisted instrumentation
- Authenticated microcode updates
- Enclave-like execution environment



Address Sanitizer: software instrumentation to detected invalid memory accesses

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN

RUHR

UNIVERSITÄT BOCHUM

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid

RUHR

UNIVERSITÄT BOCHUM

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid

```
CheckAddressAndCrashIfBad(Addr, kSize) {
 ShadowAddr = (Addr >> 3) + kOffset;
 if (kSize < 8) {
    Shadow = LoadByte(ShadowAddr);
    if (Shadow && Shadow <= (Addr & 7) + kSize - 1)
     ReportBug(Addr);
 } else {
    Shadow = LoadNBytes(ShadowAddr, kSize / 8);
   if (Shadow) ReportBug(Addr);
 }
}
```

RUHR

UNIVERSITÄT

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid
- Advantages:

RUHR

UNIVERSITÄT BOCHUM

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid
- Advantages:
  - Better performance

RUHR

UNIVERSITÄT BOCHUM

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid
- Advantages:
  - Better performance
  - More compact code

RUHR

UNIVERSITÄT BOCHUM

- Address Sanitizer: software instrumentation to detected invalid memory accesses
- Authors proposed HWASAN hardware assisted ASAN
- New instruction performs ASAN checks, raises fault if invalid
- Advantages:
  - Better performance
  - More compact code
  - Runtime configuration

RUHR

UNIVERSITÄT

RUHR UNIVERSITÄT BOCHUM

Implement HWASAN by replacing bound

- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]



- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]
  - No-op for successful check



- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]
  - No-op for successful check
  - Configurable action taken for invalid access



- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]
  - No-op for successful check
  - Configurable action taken for invalid access
- Single Instruction error check

RUHR

UNIVERSITÄT BOCHUM

- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]
  - No-op for successful check
  - Configurable action taken for invalid access
- Single Instruction error check
- No x86 registers needed



- Implement HWASAN by replacing bound
  - New interface: bound reg, [size]
  - No-op for successful check
  - Configurable action taken for invalid access
- Single Instruction error check
- No x86 registers needed
- Micro benchmark shows performance advantage (106 vs. 129 cycles)





- Crash course: Micro-architecture basics and Microcode
- Reconstructing the Microcode ROM
- Application examples
- Framework overview























Minimal custom operating system



- Minimal custom operating system
- Control 100% of executed instructions



- Minimal custom operating system
- Control 100% of executed instructions
- Listens for commands on the serial port



- Minimal custom operating system
- Control 100% of executed instructions
- Listens for commands on the serial port
- Apply updates, run streamed test code, error reporting



• Microcode assembler and verbose disassembler



- Microcode assembler and verbose disassembler
- x86 assembler to write test code



- Microcode assembler and verbose disassembler
- x86 assembler to write test code
- Disassemble existing updates and ROM contents after extraction



- Microcode assembler and verbose disassembler
- x86 assembler to write test code
- Disassemble existing updates and ROM contents after extraction
- Create new updates, loadable by Linux update driver



- Microcode assembler and verbose disassembler
- x86 assembler to write test code
- Disassemble existing updates and ROM contents after extraction
- Create new updates, loadable by Linux update driver
- Control Angry OS node via serial and GPIO



- Microcode assembler and verbose disassembler
- x86 assembler to write test code
- Disassemble existing updates and ROM contents after extraction
- Create new updates, loadable by Linux update driver
- Control Angry OS node via serial and GPIO
- Remote execution wrapper



- Reversing of the ROM opens up many more possibilities
- Lots left to do, if you want to help, contact us!
- Framework, Angry OS, example programs and more available on Github

# https://github.com/RUB-SysSec/Microcode

Horst Görtz Institute for IT-Security Ruhr-Universität Bochum **em**proof www.emproof.de