An Exploratory Analysis of Microcode as a Building Block for System Defenses

by   Benjamin Kollenda, et al.

Microcode is an abstraction layer used by modern x86 processors that interprets user-visible CISC instructions to hardware-internal RISC instructions. The capability to update x86 microcode enables a vendor to modify CPU behavior in-field, and thus patch erroneous microarchitectural processes or even implement new features. Most prominently, the recent Spectre and Meltdown vulnerabilities were mitigated by Intel via microcode updates. Unfortunately, microcode is proprietary and closed source, and there is little publicly available information on its inner workings. In this paper, we present new reverse engineering results that extend and complement the public knowledge of proprietary microcode. Based on these novel insights, we show how modern system defenses and tools can be realized in microcode on a commercial, off-the-shelf AMD x86 CPU. We demonstrate how well-established system security defenses such as timing attack mitigations, hardware-assisted address sanitization, and instruction set randomization can be realized in microcode. We also present a proof-of-concept implementation of a microcode-assisted instrumentation framework. Finally, we show how a secure microcode update mechanism and enclave functionality can be implemented in microcode to realize a small trusted execution environment. All microcode programs and the whole infrastructure needed to reproduce and extend our results are publicly available.


page 4

page 17


Reverse Engineering x86 Processor Microcode

Microcode is an abstraction layer on top of the physical components of a...

Fallout: Reading Kernel Writes From User Space

Recently, out-of-order execution, an important performance optimization ...

Frontal Attack: Leaking Control-Flow in SGX via the CPU Frontend

We introduce a new timing side-channel attack on Intel CPU processors. O...

PMUSpill: The Counters in Performance Monitor Unit that Leak SGX-Protected Secrets

Performance Monitor Unit (PMU) is a significant hardware module on the c...

Towards a hardware-assisted information flow tracking ecosystem for ARM processors

This work details a hardware-assisted approach for information flow trac...

Automatic Detection of Speculative Execution Combinations

Modern processors employ different prediction mechanisms to speculate ov...

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols

The recent Meltdown and Spectre attacks highlight the importance of auto...

Please sign up or login with your details

Forgot password? Click here to reset