Infosec boffins have released a tool to decrypt and unpack microcode for a class of low-power Intel processors, opening up a way to see how the chipmaker has implemented various security fixes and features as well as things like virtualization.
Posted Monday on GitHub, Intel Microcode Decryptor is a collection of three Python scripts that users can run to decode the microcode – including the SGX XuCode – of select Atom, Pentium and Celeron processors based on Intel’s Goldmont and Goldmont Plus microarchitectures. . The work was carried out by three researchers – Maxim Goryachy, Mark Ermolov and Dmitry Skylarov – who had previously discovered several vulnerabilities in Intel processors.
The researchers noted that the tool cannot be used to create a custom microcode update because the “microcode has an RSA signature for integrity protection.” In other words, controls are in place to prevent people, including bad guys, from creating their own microcode updates to change how processor cores work.
In response to questions from The registerIntel seemed quite relaxed about the tool’s release, although the US giant said it was not alerted to the researchers’ plans in advance.
An Intel spokesperson told us “there should be no security risk” due to the availability of the tool. In fact, the company said letting more people examine Intel’s microcode could help the chipmaker identify more vulnerabilities in the future. For anyone who does, it means potentially earning money through Intel’s bug bounty program.
“The ability for researchers to analyze microcode could lead to the discovery of new vulnerabilities. Since this microcode was exposed, Intel invites researchers to participate in the microcode bug bounty program in case issues are discovered,” we were told.
Why microcode access is a big deal
When Goryachy Internet users alerted to microcode decryption scripts on Twitter, it has turned many a head in the IT and security communities.
Today we've published Intel Microcode decryptor! It gives you an amazing opportunity for researching x86 platforms. You can understand how Intel mitigated spectre vulnerability, explore the implementation of Intel TXT, SGX,VT-x technologies! Enjoy it! https://t.co/CrMYbrPu03 pic.twitter.com/pW6iQoUGLJ
— Maxim Goryachy (@h0t_max) July 18, 2022
This is a significant achievement as it lifts the veil on the complex world of processor design.
Chip designers like Intel have long used microcode to translate low-level machine instructions into circuit-level operations in processor cores. Microcode can be loaded by the processor from memory, and so updates to that code can be issued to fix bugs. These updates usually come in the form of system software patches and BIOS upgrades.
Goryachy said Intel Microcode Decryptor can be used to understand, for example, how the chip giant mitigated the Specter vulnerability in Goldmont processors. He added that the scripts can also help people understand how Intel implemented various technologies, such as Intel Trusted Execution Technology (TXT), Intel Software Guard Extensions (SGX), and Intel Virtualization Technology (VT-x).
Ermolov, one of the other boffins, added The availability of the tool means that users can now search for XuCode, a variant of x86 code in 64-bit mode used to implement parts of Intel SGX loaded as a microcode update. SGX is Intel’s technology for creating secure enclaves in memory: these are protected areas that other software and users cannot alter, not even the operating system or the hypervisor.
XuCode is quite interesting: the special x86 instructions for handling SGX enclaves are so involved that they are broken down into sequences of XuCode instructions that perform the desired operations.
These XuCode instructions are standard 64-bit x86 with some extensions, and are then broken down by the processor into regular x86 micro-operations. When an application uses a high-level SGX instruction, the processor can jump to its XuCode to do the work.
These XuCode sequences are stored in the microcode and can now be extracted using the Python scripts above and parsed using standard x86 reverse engineering suites.
At runtime, the XuCode is stored in specially protected RAM, so some SGX instructions effectively switch to x86-like subroutines.
The genesis of tools and a mixture of reactions
According to the researchers, Intel Microcode Decryptor was made possible after the trio found vulnerabilities in Intel’s chipsets in early 2020 that allowed them to enable an undocumented debug mode called Red Unlock. This led the boffins to find the decryption key which allowed them to extract and decrypt the microcode.
Intel had a slightly different account of the tool’s genesis. The company spokesperson told us that researchers reported the Red Unlock vulnerability to the chipmaker in 2017. Boffins used this vulnerability to analyze and document the structure of the microcode in May 2021, which included the release of a disassembly script, Intel pointed out. The disclosure of the Red Unlock issue prompted Intel to launch a bug bounty program for microcode vulnerabilities.
The response to the latest online tools has been a mixture of admiration, intrigue and horror, with some people worried that the scripts could be used for malicious purposes while others hailed it as a breakthrough in understanding of how at least some of Intel’s incredibly complex silicon works. Just take a look at the quote tweets and answers for Goryachy’s original tweet.
The release of the scripts received a thumbs up from Gal Diskin, a former Intel employee who led product security for SGX and contributed to the design and architecture of the feature.
When asked if access to SGX microcode could lead to new types of attacks, Diskin had this to say“We always assumed that our code would one day be open source, and never allowed security through obscurity. At least that’s how we worked when I led the security assessment for SGX.” Diskin, however, noted that he had not been with Intel since 2013. ®
#Decryption #tool #released #Intel #CPU #microcode