reverse engineering x86 processor microcode
play

Reverse Engineering x86 Processor Microcode CanSecWest 2018 Marc - PowerPoint PPT Presentation

Mar 14, 2024 •338 likes •1.44k views

Reverse Engineering x86 Processor Microcode CanSecWest 2018 Marc 16, 2018, Vancouver, Canada Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar, Thorsten Holz Horst Grtz Institute for IT-Security em

  1. Micro Op Encoding Uk1 Operation SwapOps OpMode Op1 Uk2 PZSFlags CFlag Uk3 OpClass SegReg Size Op2 RegMode Uk4 Uk5Imm Imm u ooooooooo x m 111111 uuu f f u CCC ssss zzz 222222 r uuuuuu u iiiiiiiiiiiiiiii 0 001111100 0 1 011111 010 0 0 0 000 1111 011 010110 0 000000 0 0000000011010101 div2 t24q reg os4 64b t15q 0xd5 Uk1 Operation SwapOps OpMode Op1 Uk2 PZSFlags CFlag Uk3 OpClass SegReg Size Op2 RegMode Uk4 Uk5Reg Op3 Uk6Reg u ooooooooo x m 111111 uuu f f u CCC ssss zzz 222222 r uuuuuu uu 333333 uuuuuuuuu 0 001111111 1 0 101001 100 0 0 0 001 0111 010 101010 1 010000 00 010000 000000000 ld regmd5 ld rs 32b t35d t9d Uk1 ShortOprn Condition SwapOps OpMode Op1 Uk2 PZSFlags CFlag Uk3 OpClass SegReg Size Op2 RegMode Uk4 RomAddr u oooo ccccc x m 111111 uuu f f u CCC ssss zzz 222222 r uuuuuu aaaaaaaaaaaaaaaaa 0 0101 00100 1 1 111001 101 0 0 0 000 1111 011 111011 0 000000 00000000000000011 jcc EZF t50q reg os4 64b t52q 0x3 Uk1 Action Uk2 RomAddr uuuuuuuuuuuuuuu ooo uu aaaaaaaaaaaa 111111111111110 010 10 010110100101 branch 0x5a5 25

  2. Microcode RTL sub eax, edx sub.C t56q, rcx, 0x100 jcc ECF, 1 .sw_next // implied sequence word if omitted ld t1d, [eax] st [edx], t1d mov eax, eax .sw_complete mov eax, 1 sub.Q rax, rcx add.EP t56d, eax, ecx .sw_branch 0xF01 26

  3. Infer Logic of ROM Triads 27

  4. Infer Logic of ROM Triads 27

  5. Infer Logic of ROM Triads 27

  6. Infer Logic of ROM Triads 27

  7. Hardware Analysis 28

  8. Hardware Analysis 28

  9. Hardware Analysis 28

  10. Hardware Analysis 28

  11. Hardware Analysis - ROM Layout 29

  12. WRMSR mov t13q, t56q, -0x1 mov t14q, t56q, -0x1 rrl t10q, rcx, 0x10 xor.Z t56w, t10w, -0x4000 jcc EZF, -0x4f7 xor.Z t56w, t10w, -0x3fff jcc EZF, 0x430 sub.C t12q, rcx, 0x200 jcc nECF, 0x9 mov.Z t11q, t56q, 0x1f jcc EZF, 0x2a3 sub.C t56q, rcx, 0x17b 30

  13. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM 31

  14. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM • 29 Micro Ops • Logic, arithmetic, load, store • Write x86 program counter • Conditional microcode branch • Read special internal registers (TSC, CR*, CPL) 31

  15. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM • 29 Micro Ops • Logic, arithmetic, load, store • Write x86 program counter • Conditional microcode branch • Read special internal registers (TSC, CR*, CPL) • Sequence word • Next triad, sequence complete, unconditional branch 31

  16. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM • 29 Micro Ops • Logic, arithmetic, load, store • Write x86 program counter • Conditional microcode branch • Read special internal registers (TSC, CR*, CPL) • Sequence word • Next triad, sequence complete, unconditional branch • Substitution engine - replace bit masks in micro ops with arguments from x86 instruction 31

  17. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM • 29 Micro Ops • Logic, arithmetic, load, store • Write x86 program counter • Conditional microcode branch • Read special internal registers (TSC, CR*, CPL) • Sequence word • Next triad, sequence complete, unconditional branch • Substitution engine - replace bit masks in micro ops with arguments from x86 instruction • ROM dump with disassembly 31

  18. RE Results • Heatmaps - location of handlers for x86 instructions in microcode ROM • 29 Micro Ops • Logic, arithmetic, load, store • Write x86 program counter • Conditional microcode branch • Read special internal registers (TSC, CR*, CPL) • Sequence word • Next triad, sequence complete, unconditional branch • Substitution engine - replace bit masks in micro ops with arguments from x86 instruction • ROM dump with disassembly • Augmenting x86 instructions 31

  19. Offensive Microprograms • Remote microcode attacks • Control flow hijack in browsers induced by microcode • Triggered remotely with ASM.JS, WebAssembly 32

  20. Offensive Microprograms • Remote microcode attacks • Control flow hijack in browsers induced by microcode • Triggered remotely with ASM.JS, WebAssembly • Cryptographic microcode Trojans • Introduce timing side-channels in constant-time ECC implementation • Inject faults to enable fault attacks 32

  21. Constructive Microprograms • Hooking framework • Hook selected x86 instruction, jump to trampoline • Apply pre-filter in microcode directly • No overhead for non-hooked instruc- tions 33

  22. Constructive Microprograms • RDTSC - Limit resolution in userspace 34

  23. Constructive Microprograms • RDTSC - Limit resolution in userspace • BOUND - Replace with HWASAN instruction • bound reg, size • Checks the address in reg for an access of given size • Follows HWASAN semantics • No x86 register used, smaller code size, faster 34

  24. Constructive Microprograms • RDTSC - Limit resolution in userspace • BOUND - Replace with HWASAN instruction • bound reg, size • Checks the address in reg for an access of given size • Follows HWASAN semantics • No x86 register used, smaller code size, faster • WRMSR - Authenticate microcode updates • Before update compute HMAC of update blob • Verify against signature appended to original update • Jump to default handler to apply update 34

  25. Constructive Microprograms • Microcode enclave • Malicious kernel code cannot interfere, remote attestation • Limitations wrt code size and memory • Enclave program is implemented in microcode, must be well behaving 35

  26. Constructive Microprograms • Microcode enclave • Malicious kernel code cannot interfere, remote attestation • Limitations wrt code size and memory • Enclave program is implemented in microcode, must be well behaving • Instruction Set Randomization • Systems defense against code injection, JIT-ROP • Shuffle instruction semantics • Mask input/output before reading from/writing to registers or memory 35

  27. Outline • What is microcode? • Architectural crash course • Analysis • Demo 36

  28. Demo - Scenario • Not an attack, demonstration of capabilities of malicious microcode update • Unmodified Firefox and Linux • Malicious microcode update loaded • Backdoor triggered via Webassembly module 37

  29. Firefox SHRD Backdoor (simplified) mov t1d, 0xdead // load trigger constant sll t1d, 16 add t1d, 0xc0de 38

  30. Firefox SHRD Backdoor (simplified) mov t1d, 0xdead // load trigger constant sll t1d, 16 add t1d, 0xc0de sub.Z t1d, regmd4 // compare argument 1 to constant jcc nEZF, 0x3 // jump to implementation of shrd, not shown mov eax, 11 // syscall number -> eax 38

  31. Firefox SHRD Backdoor (simplified) mov t1d, 0xdead // load trigger constant sll t1d, 16 add t1d, 0xc0de sub.Z t1d, regmd4 // compare argument 1 to constant jcc nEZF, 0x3 // jump to implementation of shrd, not shown mov eax, 11 // syscall number -> eax add ebx, ecx, 20 // prepare buffer offsets and syscall args ... 38

  32. Firefox SHRD Backdoor (simplified) mov t1d, 0xdead // load trigger constant sll t1d, 16 add t1d, 0xc0de sub.Z t1d, regmd4 // compare argument 1 to constant jcc nEZF, 0x3 // jump to implementation of shrd, not shown mov eax, 11 // syscall number -> eax add ebx, ecx, 20 // prepare buffer offsets and syscall args ... mov t1d, regmd6 // get EIP offset from argument 2 add t1d, pcd // add offset and next EIP writePC t1d // set next EIP to new value .sw_complete 38

  33. Security Implications • No signature, any update accepted 39

  34. Security Implications • No signature, any update accepted • Backdoors are possible 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial

Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial

Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial Project 3-4 year in the making 7400 logic based processor Agenda 1. An attempt to build a Processor (and how it ended in flames) 2. A

802 views • 48 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation

Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation

Decompiler internals: microcode Hex-Rays Ilfak Guilfanov Presentation Outline Presentation Outline Decompiler architecture Overview of the microcode Opcodes and operands Stack and registers Data flow analysis, aliasibility Microcode

847 views • 58 slides
Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Building Custom Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the playing field How to obtain byte code Recognizing basic properties of the byte code Implementing an IDA Pro processor

663 views • 52 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Everything you wanted to know about x86 microcode - but might have been afraid to ask 34 th Chaos

Everything you wanted to know about x86 microcode - but might have been afraid to ask 34 th Chaos

Everything you wanted to know about x86 microcode - but might have been afraid to ask 34 th Chaos Communication Congress, Leipzig December 28, 2017 Philipp Koppe, Benjamin Kollenda, Marc Fyrbiak, Christian Kison, Robert Gawlik, Christof Paar,

1.42k views • 103 slides
JOP Design Flow Microcode make JopSim Java ModelSim JVM Quartus VHDL Eclipse FPGA IO bus

JOP Design Flow Microcode make JopSim Java ModelSim JVM Quartus VHDL Eclipse FPGA IO bus

JOP Design Flow Microcode make JopSim Java ModelSim JVM Quartus VHDL Eclipse FPGA IO bus Wishbone ACEX Spartan Cyclone The Project 4/5 programming languages VHDL, Java, Microcode, C, (Verilog) 2648 files 498k LoC

530 views • 17 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM:

Systems Architecture The ARM Processor The ARM Processor p. 1/14 The ARM Processor ARM: Advanced RISC Machine First developed in 1983 by Acorn Computers ARM Ltd was formed in 1988 to continue development Advantages of the ARM

391 views • 14 slides
Reverse Debugging of Kernel Failures in Deployed Systems Xinyang Ge, Ben Niu and Weidong Cui

Reverse Debugging of Kernel Failures in Deployed Systems Xinyang Ge, Ben Niu and Weidong Cui

Reverse Debugging of Kernel Failures in Deployed Systems Xinyang Ge, Ben Niu and Weidong Cui Microsoft Research USENIX Annual Technical Conference, 2020 What happened before the crash? REPT: Reverse Execution with Processor Trace REPT:

593 views • 21 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN (ROMOG@POST.BGU.AC.IL) OMER

Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN (ROMOG@POST.BGU.AC.IL) OMER

Sensorless, , Permissionless Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN (ROMOG@POST.BGU.AC.IL) OMER SHWARTZ (OMERSHV@POST.BGU.AC.IL) KFIR ZVI (ZVIKF@POST.BGU.AC.IL) YOSSI OREN (YOS@BGU.AC.IL) BEN-GURION UNIVERSITY OF THE

296 views • 28 slides
Micro-Blog: Sharing and Querying Content Through Mobile Phones and Social Participation

Micro-Blog: Sharing and Querying Content Through Mobile Phones and Social Participation

Micro-Blog: Sharing and Querying Content Through Mobile Phones and Social Participation Presented by Paul Ksiazek Motivation Sensor Networks Inexpensive Gather data over large area Mobile phones Virtual Information

455 views • 17 slides
zero to cloud micro-app in 300ms Local Computing: User Friendly but Limited, Isolated Web

zero to cloud micro-app in 300ms Local Computing: User Friendly but Limited, Isolated Web

zero to cloud micro-app in 300ms Local Computing: User Friendly but Limited, Isolated Web Computing: Connected, Scalable but Overwhelming With no simple approach to creating small cloud programs... many cloud ideas simply dont get

68 views • 6 slides
Micro-debates for Policy-Making Simone Gabbriellini and Paolo Torroni Department of Informatics:

Micro-debates for Policy-Making Simone Gabbriellini and Paolo Torroni Department of Informatics:

Micro-debates for Policy-Making Simone Gabbriellini and Paolo Torroni Department of Informatics: Science & Engineering (DISI) University of Bologna Introduction Administrations and policy-makers are more and more interested in using

480 views • 22 slides
Mic r o Pur c hase & Small Pur c hase Pr oc ur e me nt Informa l Proc ure me nt Me

Mic r o Pur c hase & Small Pur c hase Pr oc ur e me nt Informa l Proc ure me nt Me

Mic r o Pur c hase & Small Pur c hase Pr oc ur e me nt Informa l Proc ure me nt Me thods Sma ll Purc ha se Mic ro Purc ha se s Proc e dure s 200. 320(a ) 200.320(b ) Re g ula tions 200.67 200.88 Mic ro -purc ha se : a c q

561 views • 29 slides
Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search

Faster, Faster, Faster: . . . Blame It on Einsteins . . . Honey, I Shrunk the . . . Why Is Micro-World . . . Quantum Computing, At First Glance, This . . . Here We Come! Making Lemonade . . . Fast Search Vladik Kreinovich End of

566 views • 25 slides
EC487 Advanced Microeconomics, Part I: Lecture 1 Leonardo Felli 32L.LG.04 29 September, 2017

EC487 Advanced Microeconomics, Part I: Lecture 1 Leonardo Felli 32L.LG.04 29 September, 2017

EC487 Advanced Microeconomics, Part I: Lecture 1 Leonardo Felli 32L.LG.04 29 September, 2017 Course Outline Microeconomic Theory Lecture 1: Production Theory and Profit Maximization. Lecture 2: Cost Minimization and Aggregation.

996 views • 55 slides
A Micro-service Approach for Cloud-Native Network Services Sebastiano Miano, Fulvio Risso Dept.

A Micro-service Approach for Cloud-Native Network Services Sebastiano Miano, Fulvio Risso Dept.

A Micro-service Approach for Cloud-Native Network Services Sebastiano Miano, Fulvio Risso Dept. of Control and Computer Engineering Politecnico di Torino, Italy CCS CONCEPTS applications are notoriously slow and ineffjcient given their

208 views • 3 slides

More recommend