"Backdoor in the Core - Altering the Intel x86 In..." Alexander Dalsgaard Krog , Alexander Skovsende

  • number6
    • Apr 2019

    #1


    Backdoor in the Core - Altering the Intel x86 Instruction Set at Runtime

    Alexander Dalsgaard Krog, Vulnerability Researcher at Vectorize, He/Him

    Alexander Skovsende, Grad Student at Technical University of Denmark, He/Him
    | Demo, Tool | 45

    In this work, we present the novel results of our research on Intel CPU microcode. Building upon prior research on Intel Goldmont CPUs, we have reverse-engineered the implementations of complex x86 instructions, leading to the discovery of hidden microcode which serves to prevent the persistence of any changes made. Using this knowledge, we were able to patch those discovered sections, allowing us to make persistent microcode changes from userspace on Linux. We have developed and improved microcode tracing tools, giving us deeper insight into Intel Atom microcode than was previously possible, by allowing more dynamic analysis of the ROM.

    Along with this presentation, we provide a C library for making microcode changes and documentation on the reverse-engineered microcode.
    We show that vendor updates to the microcode, which cannot be verified by the user, impose a security risk by demonstrating how a Linux system can be compromised through a backdoor within a CPU core's microcode.


    Alexander Dalsgaard Krog is a Vulnerability Researcher at Vectorize with a focus on the low level, close to the hardware, and this talk will be no exception. He has a passion for binary exploitation and together with his prior team at Lyrebirds discovered the critical bug Cable Haunt, affecting millions of devices with a vulnerability allowing remote code execution. Both he and his co-speaker Alexander Skovsende are also heavily invested in CTF and have played a big role in putting the Danish team Kalmarunionen on top of the scoreboard in many CTFs.



    https://twitter.com/alexanderkrog

    https://www.linkedin.com/in/alexander-dalsgaard-krog

    REFERENCES:

    Intel TXE POC:
    https://github.com/chip-red-pill/IntelTXE-PoC
    Exploit used to gain Red Unlock.

    uCodeDisasm:
    https://github.com/chip-red-pill/uCodeDisasm
    First research (to the best of our knowledge) allowing for dumping microcode ROM as well as a publicly available disassembler for Intel's microcode.

    Undocumented x86 instructions to control the CPU at the micro-architecture level in modern Intel processors:
    https://github.com/chip-red-pill/udbgInstr
    https://github.com/chip-red-pill/udb...ch_control.pdf
    From the research above, two undocumented instructions intended for debugging purposes at Intel were found. This laid the groundwork for us to experiment with and test the behavior of microcode operations.

    Custom Processing Unit:
    https://github.com/pietroborrello/CustomProcessingUnit
    Custom Processing Unit is the first dynamic analysis framework able to hook, patch and trace microcode from a UEFI application.
    Last edited by number6; June 20, 2023, 03:55.