Custom Processing Unit: Tracing and Patching Intel Atom Microcode

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the reverse engineering of microcode and the discovery of new undocumented instructions, as well as the use of a framework for analyzing microcode.
  • Positive Technologies found an exploit in the SMM engine that allowed them to Red Unlock the CPU and extract and reverse engineer the microcode format
  • The microcode has a structure similar to x86 and is highly optimized, which makes it difficult to analyze
  • A decompiler was used to generate C code from the microcode, making reverse engineering easier
  • The control register bus is used by the CPU to interact with its internal components and implement functionality
  • A framework for analyzing microcode, consisting of a decompiler, an assembler, a patcher, and a tracer, was presented
The speaker discussed a technique by Brandon Falk for tracing performance counters during microcode updates, which allows inferring what happens during the update. They also mentioned attempting to move the APIC MMIO region over the L2 cache view of the processor to bypass signature checks, but the complexity of the microcode update algorithm prevented them from taking this further.

Abstract

The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been an exclusive privilege of the product vendors. For Intel CPUs, even the details of the high-level workings of CPU microcode were only available by digging into patents and were not publicly documented.

In this talk, we present the first systematic study of Intel Atom microcode and a software-only framework that can observe, trace, and even patch microcode execution, shedding unprecedented light on the internal workings of Intel CPUs. We develop a Ghidra decompiler for Atom microcode and reverse-engineer how the CPU internally uses its control register bus to manage its resources. Building on previously disclosed undocumented instructions, we then create a framework that gains complete control over CPU microcode by replicating such interactions.

Our framework can assemble and patch micro-instructions, hook CPU events, and trace microcode execution. To showcase its power, we trace and reverse-engineer the routines involved in the obscure Intel CPU microcode update process. For the first time, we disclose the details of the decryption algorithms for microcode updates and the binary format of the decrypted update: a remarkable discovery is that a microcode update is, in fact, a custom language interpreted by the CPU. We will make our framework available as open source.
