
Hacking into a CPU's Microcode (2017) - peter_d_sherman
https://hackaday.com/2017/12/28/34c3-hacking-into-a-cpus-microcode/
======
peter_d_sherman
Excerpt: "The result was 29 microcode operations including logic, arithmetic,
load, and store commands — enough to start writing microcode code. The first
microcode programs written helped with further discovery, naturally. But
before long, they wrote microcode backdoors that triggered when a given
calculation was performed, and stealthy trojans that exfiltrate data encrypted
or “undetectably” through introducing faults programmatically into
calculations. This means nearly undetectable malware that’s resident inside
the CPU. (And you think the Intel Management Engine hacks made you paranoid!)"

~~~
Boulth
Fortunately microcode updates are not persistent and need to be applied on
every boot.

~~~
jacquesm
I think that's 'unfortunately', and I think that such updates should require
the movement of a switch or jumper to be activated. Obviously the 'hands off'
and 'lights out' trends in the datacenter make such a requirement a non-
starter but from a security perspective it would make good sense.

~~~
monocasa
I think it's good. There's not much space in the microcode patch RAM, so
hiding a malicious update like you would a rootkit would be extremely
difficult.

~~~
ddingus
A stealth privilege escalation would be far more likely. Find a redundant or
unused bit, and...

~~~
ddingus
It's too late to edit, but that's exactly what I would go for.

------
arkadiyt
Ben Hawkes from Google Project Zero has an excellent blog post on Intel CPU
Microcode:

[http://www.inertiawar.com/microcode/](http://www.inertiawar.com/microcode/)

He even extracted and posted the RSA public keys used to verify the microcode.
Though he later removed them, they're still available on the internet archive:

[https://web.archive.org/web/20140403200048/http://inertiawar...](https://web.archive.org/web/20140403200048/http://inertiawar.com/microcode/microcode_rsa_modulus.txt)

~~~
dooglius
It’s a good investigation of the microcode update binary format, but doesn’t
reveal anything about the microcode itself unfortunately.
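
As an added illustration of the update binary format discussed here (not code from the linked post or from the researchers), this parser decodes the Intel microcode update header as documented in the Intel SDM and verifies the whole-update DWORD checksum, which is what a loader checks before it even gets to the signature. The sample blob, its revision, CPUID signature and platform mask are constructed values, not taken from any real update.

```python
import struct

# Intel microcode update header (Intel SDM, "Microcode Update Facilities"):
# twelve little-endian DWORDs (48 bytes), followed by the update data.
HEADER_FMT = "<IIIIIIIII12s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48


def parse_header(blob: bytes) -> dict:
    """Decode the header of a microcode update and validate its checksum."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than a microcode header")
    (hdr_ver, rev, date, sig, _checksum, loader_rev, pf, data_size,
     total_size, _reserved) = struct.unpack_from(HEADER_FMT, blob)
    if hdr_ver != 1 or loader_rev != 1:
        raise ValueError("unsupported header/loader revision")
    data_size = data_size or 2000    # 0 means the legacy default of 2000 bytes
    total_size = total_size or 2048  # 0 means the legacy default of 2048 bytes
    if total_size > len(blob) or total_size % 4:
        raise ValueError("total_size invalid for this blob")
    # Every DWORD of the update, header included, must sum to zero mod 2**32.
    words = struct.unpack_from("<%dI" % (total_size // 4), blob)
    if sum(words) & 0xFFFFFFFF:
        raise ValueError("bad checksum")
    return {
        "revision": rev,
        # Date is BCD: month in the top byte, day in the next, year in the low word.
        "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
        "cpuid": sig,
        "platform_mask": pf,
        "data_size": data_size,
        "total_size": total_size,
    }


def applies_to(header: dict, cpuid: int, platform_id: int, running_rev: int) -> bool:
    """Loader-style applicability check: same CPUID, platform bit set, newer revision."""
    return (header["cpuid"] == cpuid
            and bool(header["platform_mask"] & (1 << platform_id))
            and header["revision"] > running_rev)


def build_sample(rev: int, date: int, sig: int, pf: int, payload: bytes) -> bytes:
    """Constructed test vector: wrap payload in a header and fix up the checksum."""
    total = HEADER_LEN + len(payload)
    hdr = struct.pack(HEADER_FMT, 1, rev, date, sig, 0, 1, pf, len(payload), total, b"\0" * 12)
    fix = (-sum(struct.unpack("<%dI" % (total // 4), hdr + payload))) & 0xFFFFFFFF
    hdr = struct.pack(HEADER_FMT, 1, rev, date, sig, fix, 1, pf, len(payload), total, b"\0" * 12)
    return hdr + payload
```

On Linux the revision a core is actually running is the `microcode` field in `/proc/cpuinfo`, which is what `running_rev` stands in for here.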

------
craftyguy
How do they get around the crypto signature checks that the CPU does before
loading a microcode patch?

~~~
arkadiyt
From [1]:

"Most update mechanisms are protected by signatures or other cryptographic
primitives. However there were some indications that older CPU models (until
around 2013) do not have a strong cryptographic protection and thus would
accept custom updates."

[1]:
[https://media.ccc.de/v/34c3-9058-everything_you_want_to_know...](https://media.ccc.de/v/34c3-9058-everything_you_want_to_know_about_x86_microcode_but_might_have_been_afraid_to_ask)

------
drudru11
I've been waiting over a decade(s?) for someone to pull this off. Reverse
engineering this is a great accomplishment.

