BT

Facilitating the spread of knowledge and innovation in professional software development

Contribute

Topics

Choose your language

InfoQ Homepage News Two Hidden Instructions Discovered in Intel CPUs Enable Microcode Modification

Two Hidden Instructions Discovered in Intel CPUs Enable Microcode Modification

This item in japanese

Bookmarks

Security researchers Mark Ermolov, Dmitry Sklyarov, and Maxim Goryachy discovered two undocumented x86 instructions that can be used to modify the CPU microcode. The instructions can only be executed when the CPU runs in debug mode, which makes them not easily exploitable, though.

Being able to modify a CPU's microcode means you can re-program its instructions to do whatever you want. Usually, modifying CPU microcode is necessary to fix vulnerabilities and other types of bugs, which requires the CPU architecture to provide a mechanism to do it. CPU microcode updates are provided in encrypted form and the secret key that can decrypt them resides in the CPU itself. Getting access to the two instructions allows an attacker to bypass this barrier, says Goryachy:

In my opinion, on[e] of the main achievement [of] these instructions [is] bypassing the microcode update verification. Yes, you [are] right - it allows to craft your own persistent microcode patch without external debugger.

According to Ermolov, the two instructions are decoded in all processor modes, including user mode, but they will raise an undefined instruction exception unless the CPU is running in so-called red state. The red state is one of four possible DFx states supported by Intel System on a Chip, along with green, orange, and DAM. While the green state is used for normal CPU operation, the red and orange states enable debug access to all or parts of the CPU IPs.

On the good side of things, getting an Intel CPU to enter the red state is not easy to accomplish. In fact, it should never happen unless there are vulnerabilities in the Intel Management Engine (ME), an almost undocumented subsystem present in all Intel CPUs since 2008 that Intel says is required to provide full performance. Security researchers have in some cases claimed it is a security threat and users should disable it.

As a matter of fact, several vulnerabilities in Intel ME have been discovered in the past. Among others, Ermolov, Sklyarov, and Goryachy described a method to extract the secret key that is used inside the CPU to decrypt microcode updates, which also led to the possibility of executing your own microcode on the CPU or reading Intel's microcode.

The three researchers have posted a video demonstrating how to access the two instructions with only root/admin privileges. This requires uploading a custom UEFI to SPI flash and then rebooting the system, which definitely requires having physical access to it.

Ermolov, Sklyarov, and Goryachy are working on a disclosure paper and a full PoC. For the moment, Intel has refused to acknowledge the possibility of accessing the two hidden instructions as a vulnerability. InfoQ will continue to provide detailed reporting about this as new information will become available.

We need your feedback

How might we improve InfoQ for you

Thank you for being an InfoQ reader.

Each year, we seek feedback from our readers to help us improve InfoQ. Would you mind spending 2 minutes to share your feedback in our short survey? Your feedback will directly help us continually evolve how we support you.

Take the Survey

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.