Custom Processing Unit - OffensiveCon


The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been an exclusive privilege of the product vendors. For Intel CPUs, even the high-level workings of CPU microcode were not publicly documented and could only be pieced together from patents. In this talk, we present the first framework for static and dynamic analysis of Intel Atom microcode. Building upon prior research, we reverse engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode, providing complete microcode control on Goldmont systems. Leveraging these frameworks, we reverse engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we provide the first x86 Pointer Authentication Code (PAC) microcode implementation and perform its security evaluation, design and implement fast software breakpoints (more than 1000x faster than standard breakpoints), and present constant-time microcode division, illustrating the potential security and performance benefits of microcode customization.

May 20, 2023
OffensiveCon 2023
Pietro Borrello
Microarchitecture Security Researcher

Microarchitecture Security Researcher at Apple SEAR.