Custom Processing Unit - BlackHat USA


The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been an exclusive privilege of the product vendors. For Intel CPUs, even the details of the high-level workings of CPU microcode were only available by digging into patents and not publicly documented. In this talk, we present the first systematic study of Intel Atom Microcode and a software-only framework that can observe, trace, and even patch microcode execution, shedding unprecedented light into the internal workings of Intel CPUs. We develop a Ghidra decompiler for Atom Microcode and reverse-engineer how the CPU internally uses its control register bus to manage its resources. Resorting to previously disclosed undocumented instructions, we then create a framework that can gain complete control over CPU microcode by replicating such interactions. Our framework can assemble and patch micro-instructions, hook CPU events, and trace microcode execution. To showcase its power, we trace and reverse-engineer the routines involved in the obscure Intel CPU microcode update process. For the first time, we disclose the details of the decryption algorithms for microcode updates and the binary format of the decrypted update: an amazing discovery is that a microcode update is, in fact, a custom language interpreted by the CPU. We will make our framework available as open source.

Aug 10, 2022 12:00 AM — 12:00 AM
Black Hat USA 2022
Pietro Borrello
Pietro Borrello
Microarchitecture Security Researcher

Microarchitecture Security Researcher at Apple SEAR.