0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/835 Thanks! 1 00:00:15,800 --> 00:00:17,539 These two research assistants. 2 00:00:19,320 --> 00:00:22,349 First published in 2014. 3 00:00:22,350 --> 00:00:25,109 Since then, they have often collaborated 4 00:00:25,110 --> 00:00:27,299 for all vulnerabilities to 5 00:00:27,300 --> 00:00:29,699 improving low level defenses. 6 00:00:29,700 --> 00:00:32,099 Please give a warm 34C three Welcome 7 00:00:32,100 --> 00:00:33,810 to Benjamin on Philip. 8 00:00:42,970 --> 00:00:43,959 Thanks for the intro. 9 00:00:43,960 --> 00:00:44,960 Thanks for coming. 10 00:00:46,230 --> 00:00:48,579 Today, we present our research 11 00:00:48,580 --> 00:00:50,259 on Michael Cote. 12 00:00:50,260 --> 00:00:52,449 This is a joint book with our colleagues 13 00:00:52,450 --> 00:00:54,699 and our supervisors from Whole University 14 00:00:54,700 --> 00:00:55,700 Belgium. 15 00:00:56,920 --> 00:00:58,719 First of all, I want to give a small 16 00:00:58,720 --> 00:00:59,720 disclaimer. 17 00:01:00,850 --> 00:01:03,849 The technical 18 00:01:03,850 --> 00:01:06,009 details in this talk are quite specific 19 00:01:06,010 --> 00:01:07,329 to in the UK. 20 00:01:07,330 --> 00:01:09,459 Tim and his processors, 21 00:01:10,510 --> 00:01:13,539 the newest release processor 22 00:01:13,540 --> 00:01:15,729 that our stuff works with, is from 23 00:01:15,730 --> 00:01:16,870 2013 24 00:01:19,150 --> 00:01:21,309 and also most of 25 00:01:21,310 --> 00:01:22,779 the findings are from reverse 26 00:01:22,780 --> 00:01:23,769 engineering. 27 00:01:23,770 --> 00:01:26,589 So if you want to replicate experiments 28 00:01:26,590 --> 00:01:28,749 at home, please proceed at your own 29 00:01:28,750 --> 00:01:31,209 risk because we may trigger unintended 30 00:01:31,210 --> 00:01:32,949 behavior on the CPU. 31 00:01:32,950 --> 00:01:34,390 So let's get started. 32 00:01:35,950 --> 00:01:38,889 First of all, we want across 33 00:01:38,890 --> 00:01:40,659 the board microscope, which is 34 00:01:41,910 --> 00:01:44,049 a given architecture of a crash 35 00:01:44,050 --> 00:01:45,069 course. 36 00:01:45,070 --> 00:01:47,169 We want to solely explore the 37 00:01:47,170 --> 00:01:49,329 question whether it's hackable. 38 00:01:49,330 --> 00:01:51,369 And in the end, there will be something 39 00:01:51,370 --> 00:01:52,370 more time. 40 00:01:54,460 --> 00:01:56,679 So first of all, let's Michael 41 00:01:56,680 --> 00:01:57,680 code. 42 00:01:58,360 --> 00:01:59,859 If this is your CPU, 43 00:02:00,880 --> 00:02:03,429 you can imagine 44 00:02:03,430 --> 00:02:05,559 microcode to be 45 00:02:05,560 --> 00:02:07,809 a small computer within your 46 00:02:07,810 --> 00:02:10,089 CPU, which does all 47 00:02:10,090 --> 00:02:12,309 sorts of complex things that you cover 48 00:02:12,310 --> 00:02:14,469 in the stock, and we will see how 49 00:02:14,470 --> 00:02:15,470 you can deal with it. 50 00:02:17,110 --> 00:02:19,030 So first of all, I want to 51 00:02:20,170 --> 00:02:22,629 give some previous work. 52 00:02:22,630 --> 00:02:25,509 First of all, there are empty patents 53 00:02:25,510 --> 00:02:27,849 that are publicly available, and 54 00:02:27,850 --> 00:02:30,459 they give us a good general overview 55 00:02:31,570 --> 00:02:34,209 of the architectural details. 56 00:02:34,210 --> 00:02:37,009 So then there's the website to architect, 57 00:02:37,010 --> 00:02:39,759 and there are some rather 58 00:02:39,760 --> 00:02:41,949 detailed article about 59 00:02:41,950 --> 00:02:44,349 the physical placement 60 00:02:44,350 --> 00:02:46,599 of specific components on 61 00:02:46,600 --> 00:02:48,099 the top of the chip. 62 00:02:50,200 --> 00:02:52,569 Then there's the anonymous blog post 63 00:02:52,570 --> 00:02:54,639 from 2004 up to 64 00:02:54,640 --> 00:02:57,129 the next post, and 65 00:02:57,130 --> 00:02:59,229 basically it's revealed for the 66 00:02:59,230 --> 00:03:01,989 first time that microcode 67 00:03:01,990 --> 00:03:04,209 is updatable and the 68 00:03:04,210 --> 00:03:06,879 some Mississippi use even except 69 00:03:06,880 --> 00:03:09,219 microcode if they are modified 70 00:03:09,220 --> 00:03:11,409 and the text is corrected. 71 00:03:11,410 --> 00:03:13,479 So this basically was the initial 72 00:03:13,480 --> 00:03:14,800 idea of our research. 73 00:03:18,350 --> 00:03:20,469 There's a paper security analysis 74 00:03:20,470 --> 00:03:22,449 of x86 processor microcode. 75 00:03:22,450 --> 00:03:23,450 They cover 76 00:03:24,700 --> 00:03:26,919 mostly security 77 00:03:27,970 --> 00:03:31,089 stuff related about microcode updates 78 00:03:31,090 --> 00:03:32,139 from Internet M.D. 79 00:03:32,140 --> 00:03:34,569 processors and 80 00:03:34,570 --> 00:03:35,860 give a general overview. 81 00:03:37,090 --> 00:03:39,249 So then there's the work of 82 00:03:39,250 --> 00:03:40,250 a recall. 83 00:03:41,140 --> 00:03:43,089 He's he probably has some internal 84 00:03:43,090 --> 00:03:45,489 knowledge and is also 85 00:03:45,490 --> 00:03:47,499 doing really cool stuff, only medical 86 00:03:47,500 --> 00:03:48,579 code. 87 00:03:48,580 --> 00:03:50,649 So not 88 00:03:50,650 --> 00:03:52,269 even though. But Michael, coders and not 89 00:03:52,270 --> 00:03:53,360 related work to us. 90 00:03:54,430 --> 00:03:56,649 Let's have a look at what it's actually 91 00:03:56,650 --> 00:03:57,699 used for. 92 00:03:57,700 --> 00:03:59,989 So first of all, it's used 93 00:03:59,990 --> 00:04:01,869 for instruction decoding. 94 00:04:03,010 --> 00:04:05,199 It's used to bucks to fix 95 00:04:05,200 --> 00:04:07,539 bugs and CPUs that are in the field 96 00:04:07,540 --> 00:04:09,280 already, so they are already rolled out 97 00:04:12,970 --> 00:04:14,889 its use for exception handling on the 98 00:04:14,890 --> 00:04:16,389 architectural level. 99 00:04:16,390 --> 00:04:18,458 So, um, 100 00:04:18,459 --> 00:04:20,559 if there is some division 101 00:04:20,560 --> 00:04:22,719 by zero, for example, the CPU 102 00:04:22,720 --> 00:04:25,239 somehow needs to detect it and 103 00:04:25,240 --> 00:04:27,939 test the exception and the information 104 00:04:27,940 --> 00:04:29,229 to the operating system. 105 00:04:29,230 --> 00:04:31,539 And this is handled in local court. 106 00:04:31,540 --> 00:04:33,849 Also, microcode is used 107 00:04:33,850 --> 00:04:36,309 for power management in the CPU 108 00:04:36,310 --> 00:04:38,769 and can be used by the vendors 109 00:04:38,770 --> 00:04:41,139 to implement complex CPU 110 00:04:41,140 --> 00:04:43,519 features like Intel's two x, for example. 111 00:04:45,100 --> 00:04:47,319 Um, so we heard 112 00:04:47,320 --> 00:04:49,419 that Michael Code is used 113 00:04:49,420 --> 00:04:51,039 for instruction decoding. 114 00:04:52,090 --> 00:04:54,249 No one to see why this 115 00:04:54,250 --> 00:04:56,439 is so the 116 00:04:56,440 --> 00:04:58,299 x86 instruction that architecture is 117 00:04:58,300 --> 00:04:59,469 quite complex. 118 00:04:59,470 --> 00:05:01,629 Um, it is some variable 119 00:05:01,630 --> 00:05:03,279 length instructions that, as you can see 120 00:05:03,280 --> 00:05:05,019 here, there's an instruction of a 121 00:05:05,020 --> 00:05:06,639 thunderbolt and an instruction with 122 00:05:06,640 --> 00:05:08,199 several bytes. 123 00:05:08,200 --> 00:05:10,269 And usually the first 124 00:05:10,270 --> 00:05:12,069 byte indicates how long such an 125 00:05:12,070 --> 00:05:14,379 instruction is, which helps 126 00:05:14,380 --> 00:05:16,059 during the recording process. 127 00:05:16,060 --> 00:05:17,469 But of course, there's an exception to 128 00:05:17,470 --> 00:05:19,569 this the instruction 129 00:05:19,570 --> 00:05:22,059 prefixes which delay the decision, 130 00:05:22,060 --> 00:05:24,099 how long instruction is going to be one 131 00:05:24,100 --> 00:05:25,509 for the boys. 132 00:05:25,510 --> 00:05:27,669 And on top of that, several 133 00:05:27,670 --> 00:05:30,159 of those and they can also be applied 134 00:05:30,160 --> 00:05:32,409 combined to form all 135 00:05:32,410 --> 00:05:35,649 kinds of complex 136 00:05:35,650 --> 00:05:37,149 instructions. 137 00:05:37,150 --> 00:05:39,639 Also, the instructions 138 00:05:39,640 --> 00:05:41,559 that extensions. 139 00:05:41,560 --> 00:05:42,610 If you have a victor 140 00:05:44,560 --> 00:05:46,629 floating point, addition and 141 00:05:46,630 --> 00:05:48,699 subtraction, the pectin, 142 00:05:48,700 --> 00:05:51,099 a precision floating point units. 143 00:05:51,100 --> 00:05:53,079 And this instruction has several 144 00:05:53,080 --> 00:05:55,059 operations and is quite complex to 145 00:05:56,140 --> 00:05:58,359 decode and 146 00:05:58,360 --> 00:06:00,489 also quite complex to execute or to 147 00:06:00,490 --> 00:06:02,529 be executed, the fantasy view you. 148 00:06:02,530 --> 00:06:04,959 And due to this 149 00:06:04,960 --> 00:06:06,680 complexity in it 150 00:06:07,840 --> 00:06:10,279 and small computer 151 00:06:10,280 --> 00:06:12,489 in our CPU to actually 152 00:06:12,490 --> 00:06:13,490 decode this 153 00:06:16,180 --> 00:06:18,099 now, we are going to have a quick look at 154 00:06:18,100 --> 00:06:20,559 how this decoding looks like. 155 00:06:20,560 --> 00:06:23,169 We have an 86 instruction 156 00:06:23,170 --> 00:06:26,619 on the left pop up the referenced, 157 00:06:26,620 --> 00:06:28,839 and this 158 00:06:28,840 --> 00:06:31,389 instruction gets decoded to several 159 00:06:31,390 --> 00:06:34,060 microcode instructions or microbes 160 00:06:36,300 --> 00:06:37,839 on the right. You can see those 161 00:06:39,160 --> 00:06:41,349 at first. We read 162 00:06:41,350 --> 00:06:42,910 the top of the stick and 163 00:06:43,960 --> 00:06:46,509 lotus value in the temporal 164 00:06:46,510 --> 00:06:48,849 register after what's the statistic? 165 00:06:48,850 --> 00:06:51,249 It's stored in the location 166 00:06:51,250 --> 00:06:53,319 indicated by X and 167 00:06:53,320 --> 00:06:54,669 afterwards to take point that gets 168 00:06:54,670 --> 00:06:55,670 incremented. 169 00:06:57,160 --> 00:06:58,449 So we also 170 00:07:00,100 --> 00:07:02,379 just heard that microcode is used 171 00:07:02,380 --> 00:07:04,779 to update 172 00:07:04,780 --> 00:07:07,689 type use that are around us 173 00:07:07,690 --> 00:07:09,519 and that are older than the field. 174 00:07:09,520 --> 00:07:11,889 And this behavior probably is 175 00:07:11,890 --> 00:07:14,379 motivated by the infamous into Pentium 176 00:07:14,380 --> 00:07:16,959 F2F stuck in 1994. 177 00:07:16,960 --> 00:07:19,269 We have certain Intel Pentium processors 178 00:07:19,270 --> 00:07:21,040 would produce 179 00:07:22,420 --> 00:07:24,819 slightly off results for 180 00:07:24,820 --> 00:07:26,350 certain floating point operations. 181 00:07:27,490 --> 00:07:29,559 This was quite a mess, and 182 00:07:29,560 --> 00:07:31,659 Inter had to pay a ton to replace 183 00:07:31,660 --> 00:07:33,099 processors in the field. 184 00:07:33,100 --> 00:07:35,309 So both Intel and 185 00:07:35,310 --> 00:07:38,079 D-Von to to avoid this in the future 186 00:07:38,080 --> 00:07:40,240 and at update ability. 187 00:07:41,740 --> 00:07:44,679 So one example this year 188 00:07:44,680 --> 00:07:46,749 there was this Intel Kaby 189 00:07:46,750 --> 00:07:49,239 Lake bug, where 190 00:07:49,240 --> 00:07:51,519 certain Hyper-Threading behavior 191 00:07:51,520 --> 00:07:53,919 of certain Hyper-Threading conditions 192 00:07:53,920 --> 00:07:55,909 would lead to a instead of existing 193 00:07:55,910 --> 00:07:58,149 behavior. And this bug was 194 00:07:58,150 --> 00:07:59,529 fixed with Michael Code update. 195 00:08:01,000 --> 00:08:03,129 So then we had to 196 00:08:03,130 --> 00:08:05,559 this side also some 197 00:08:05,560 --> 00:08:07,869 bugs. There was an AMD phenom bug 198 00:08:07,870 --> 00:08:09,160 in 2008 199 00:08:10,450 --> 00:08:13,149 that Andreas could not be 200 00:08:13,150 --> 00:08:15,309 coaxed reliably, and this bug was 201 00:08:15,310 --> 00:08:16,420 also fixed of mobile code. 202 00:08:17,890 --> 00:08:20,109 So again, 203 00:08:20,110 --> 00:08:22,689 quite recently this year, there was an 204 00:08:22,690 --> 00:08:24,610 empty Hoosen bug, 205 00:08:26,440 --> 00:08:28,959 which also got fixed by a local code. 206 00:08:28,960 --> 00:08:31,329 So let's now have a look at the 207 00:08:31,330 --> 00:08:33,369 inner workings of the microarchitecture 208 00:08:33,370 --> 00:08:35,469 and how Michael 209 00:08:35,470 --> 00:08:37,600 code is embedded within that. 210 00:08:38,799 --> 00:08:41,229 So, um, and instruction 211 00:08:41,230 --> 00:08:43,839 gets executed on the CPU, 212 00:08:43,840 --> 00:08:46,119 and first 213 00:08:46,120 --> 00:08:47,709 it gets from the main memory to the 214 00:08:47,710 --> 00:08:49,899 caches, and at some point 215 00:08:51,100 --> 00:08:53,499 it gets to the decode engine 216 00:08:53,500 --> 00:08:55,869 and gets the code to microbes. 217 00:08:55,870 --> 00:08:57,979 Then the 218 00:08:57,980 --> 00:09:00,279 microbes are then scheduled, possibly 219 00:09:00,280 --> 00:09:03,369 reordered to the pipeline, 220 00:09:03,370 --> 00:09:06,429 and the pipeline then leverages the 221 00:09:06,430 --> 00:09:09,069 numerous functional units 222 00:09:09,070 --> 00:09:11,269 like an automatic logic unit or at 223 00:09:11,270 --> 00:09:12,340 first generation units 224 00:09:13,420 --> 00:09:15,449 in parallel to actually execute the 225 00:09:15,450 --> 00:09:16,570 multicore instructions. 226 00:09:19,020 --> 00:09:20,949 We now zoom into the decoder and have a 227 00:09:20,950 --> 00:09:21,950 closer look. The. 228 00:09:24,080 --> 00:09:25,309 You have to instruct some buffer that 229 00:09:25,310 --> 00:09:28,069 stores the crew, stream of pilots 230 00:09:28,070 --> 00:09:30,199 and several other 231 00:09:30,200 --> 00:09:32,149 kinds of decoders. 232 00:09:32,150 --> 00:09:34,249 We have short decoders that can 233 00:09:34,250 --> 00:09:36,859 each translate one simple 234 00:09:36,860 --> 00:09:39,679 5:52 instruction to one microchip 235 00:09:39,680 --> 00:09:41,090 and pick them together 236 00:09:42,410 --> 00:09:44,569 and put this pick to get 237 00:09:44,570 --> 00:09:46,279 us into the scheduler. 238 00:09:46,280 --> 00:09:49,309 Then we have the long decoder, 239 00:09:49,310 --> 00:09:50,449 which is able to 240 00:09:52,130 --> 00:09:54,299 translate complex or 241 00:09:54,300 --> 00:09:57,259 more complex physics instructions 242 00:09:57,260 --> 00:10:00,079 to several microchips. 243 00:10:00,080 --> 00:10:01,849 Now we get to the most interesting 244 00:10:01,850 --> 00:10:03,649 decoder, which is the Victoria code on 245 00:10:03,650 --> 00:10:04,650 the right. 246 00:10:05,450 --> 00:10:07,669 This because the contents Typekit code 247 00:10:07,670 --> 00:10:09,979 engine and an 248 00:10:09,980 --> 00:10:12,319 86 instruction that gets decoded 249 00:10:12,320 --> 00:10:14,659 by the vector decoder actually triggers 250 00:10:14,660 --> 00:10:16,759 a small microcode program 251 00:10:16,760 --> 00:10:18,829 to be run in the spool. 252 00:10:18,830 --> 00:10:21,019 And this program may generate 253 00:10:21,020 --> 00:10:23,329 an arbitrary number of microbes 254 00:10:23,330 --> 00:10:25,639 that then gets get used 255 00:10:25,640 --> 00:10:27,109 to the pipeline and executed. 256 00:10:29,800 --> 00:10:31,929 So we just heard 257 00:10:31,930 --> 00:10:34,099 that the NAACP, you and 258 00:10:34,100 --> 00:10:36,219 Michael pogroms are 259 00:10:36,220 --> 00:10:38,709 run. So they need to be stored somewhere, 260 00:10:38,710 --> 00:10:40,809 and there are some onto from 261 00:10:40,810 --> 00:10:42,519 the Michael coat, from the stores to 262 00:10:42,520 --> 00:10:44,649 Michael Coat and basically 263 00:10:44,650 --> 00:10:46,479 all of the Michael Michael programs. 264 00:10:47,950 --> 00:10:49,690 So then we have Michael courtroom 265 00:10:51,550 --> 00:10:53,469 during runtime, the clip. 266 00:10:53,470 --> 00:10:55,689 You can get the microcode updates and 267 00:10:55,690 --> 00:10:57,199 the Michael could update gets taught in 268 00:10:57,200 --> 00:10:58,779 the courtroom that you can see there. 269 00:11:00,700 --> 00:11:02,799 Then there's all kinds of Cocodrie around 270 00:11:02,800 --> 00:11:05,199 to make the whole thing working 271 00:11:05,200 --> 00:11:07,419 for somebody a different unit 272 00:11:07,420 --> 00:11:09,279 that increments the program, control for 273 00:11:09,280 --> 00:11:11,889 the microcode engine and 274 00:11:11,890 --> 00:11:13,179 most importantly, for us, 275 00:11:14,740 --> 00:11:15,809 the match with justice. 276 00:11:17,380 --> 00:11:19,569 They basically provide us with 277 00:11:19,570 --> 00:11:21,879 break points in the Michael courtroom, 278 00:11:23,380 --> 00:11:25,509 and those break points 279 00:11:25,510 --> 00:11:27,969 can be set at certain local court 280 00:11:27,970 --> 00:11:29,109 addresses. 281 00:11:29,110 --> 00:11:31,209 And once 282 00:11:31,210 --> 00:11:33,489 such an address gets executed, 283 00:11:33,490 --> 00:11:35,499 the control is directed to make a court 284 00:11:35,500 --> 00:11:36,729 room. 285 00:11:36,730 --> 00:11:38,529 Michael could update is thought. 286 00:11:38,530 --> 00:11:40,479 This is a very important mechanism for 287 00:11:40,480 --> 00:11:42,400 microcode updates to actually 288 00:11:43,840 --> 00:11:44,840 get control 289 00:11:46,090 --> 00:11:48,369 of things happening happening 290 00:11:48,370 --> 00:11:50,559 in the CPU and 291 00:11:50,560 --> 00:11:53,379 changing behavior like sanitizing, 292 00:11:53,380 --> 00:11:55,389 sanitizing inputs for instructions, for 293 00:11:55,390 --> 00:11:56,390 example. 294 00:11:57,910 --> 00:12:00,279 So how do we actually 295 00:12:00,280 --> 00:12:03,129 update the market code for a CPU core? 296 00:12:03,130 --> 00:12:04,659 Well, we need to be in kernel mode. 297 00:12:04,660 --> 00:12:06,459 We need to load. 298 00:12:06,460 --> 00:12:08,350 The market could update into the RAM. 299 00:12:09,490 --> 00:12:11,649 We need to write the vote for areas of 300 00:12:11,650 --> 00:12:13,449 the updates into the given mission, 301 00:12:13,450 --> 00:12:14,450 specifically just 302 00:12:15,850 --> 00:12:18,729 as the microcode update gets us 303 00:12:18,730 --> 00:12:20,559 gets loaded into the local court room. 304 00:12:21,880 --> 00:12:23,589 Those updates are not persistent. 305 00:12:23,590 --> 00:12:26,649 And once your boot or set, the CPU 306 00:12:26,650 --> 00:12:28,570 is in its initial state again. 307 00:12:31,290 --> 00:12:33,779 So the microcode updates from what 308 00:12:33,780 --> 00:12:36,179 you can see here, it contains 309 00:12:36,180 --> 00:12:38,369 an Hedera of several fields, such 310 00:12:38,370 --> 00:12:40,199 as state patch I.D. 311 00:12:40,200 --> 00:12:41,969 and a checksum. 312 00:12:41,970 --> 00:12:44,219 And this is followed by 313 00:12:44,220 --> 00:12:46,859 the metal sisters, which contain 314 00:12:46,860 --> 00:12:49,199 the contents for the break 315 00:12:49,200 --> 00:12:50,099 points. 316 00:12:50,100 --> 00:12:52,589 And afterwards, the microcode 317 00:12:52,590 --> 00:12:54,779 follows the medical 318 00:12:54,780 --> 00:12:56,039 code as followed. 319 00:12:56,040 --> 00:12:58,379 It's organized and so-called 320 00:12:58,380 --> 00:13:00,599 triads, and one triad 321 00:13:00,600 --> 00:13:03,029 contains three microchips 322 00:13:03,030 --> 00:13:05,279 and one sequence about the microchips 323 00:13:05,280 --> 00:13:08,189 are actually microcode instructions 324 00:13:08,190 --> 00:13:10,259 that execute code, and the 325 00:13:10,260 --> 00:13:12,389 sequence route is 326 00:13:12,390 --> 00:13:14,129 for control flow direction. 327 00:13:16,870 --> 00:13:19,239 So now we want to answer the question 328 00:13:19,240 --> 00:13:21,279 whether this is hackable. 329 00:13:21,280 --> 00:13:22,280 So 330 00:13:23,470 --> 00:13:25,029 we learned it's updatable, 331 00:13:26,440 --> 00:13:29,319 you have opted updated drivers 332 00:13:29,320 --> 00:13:31,659 in different biases and 333 00:13:31,660 --> 00:13:33,609 also the Linux kernel. 334 00:13:33,610 --> 00:13:35,620 So we know the procedure how to update. 335 00:13:37,090 --> 00:13:39,789 We have a glitch in the microcode 336 00:13:39,790 --> 00:13:41,260 updates by the vendors. 337 00:13:42,370 --> 00:13:44,649 They are distributed through bios 338 00:13:44,650 --> 00:13:46,839 updates, but also 339 00:13:46,840 --> 00:13:48,970 has quite a huge collection of them, 340 00:13:50,660 --> 00:13:52,090 you know, to update file format. 341 00:13:53,290 --> 00:13:55,449 And there are hints that there is 342 00:13:55,450 --> 00:13:58,869 no strong cryptography protecting 343 00:13:58,870 --> 00:14:02,289 the integrity of the code updates. 344 00:14:02,290 --> 00:14:04,419 So this is a 345 00:14:04,420 --> 00:14:06,849 hex dump of one of Timoko code updates. 346 00:14:06,850 --> 00:14:10,179 Just want to have a quick glance? 347 00:14:10,180 --> 00:14:12,429 You can see here 348 00:14:12,430 --> 00:14:14,769 a repeating value over and over. 349 00:14:14,770 --> 00:14:17,379 They too often and 350 00:14:17,380 --> 00:14:19,780 a feature color more the use 351 00:14:20,860 --> 00:14:22,929 that the same values, you can 352 00:14:22,930 --> 00:14:25,329 basically see patterns emerging. 353 00:14:25,330 --> 00:14:27,579 So meaning we have no 354 00:14:27,580 --> 00:14:28,899 strong group to apply them, 355 00:14:30,460 --> 00:14:32,889 and we've learned that the CPU 356 00:14:32,890 --> 00:14:34,989 accepts modified updates 357 00:14:34,990 --> 00:14:36,669 if the checks on those corrected. 358 00:14:36,670 --> 00:14:38,829 So yes, 359 00:14:38,830 --> 00:14:39,830 it's a heck of a 360 00:14:40,900 --> 00:14:41,900 um. 361 00:14:42,610 --> 00:14:44,739 At this point, we we knew that 362 00:14:44,740 --> 00:14:45,849 we had to generate 363 00:14:46,900 --> 00:14:48,879 a lot of microcode updates in an 364 00:14:48,880 --> 00:14:49,880 automatic manner 365 00:14:51,730 --> 00:14:54,489 to be able to 366 00:14:54,490 --> 00:14:56,649 trigger behavior 367 00:14:56,650 --> 00:14:58,899 change and from that behavior 368 00:14:58,900 --> 00:15:01,899 change, learn of the inner workings. 369 00:15:01,900 --> 00:15:05,289 So if you build a framework 370 00:15:05,290 --> 00:15:07,419 and the framework 371 00:15:07,420 --> 00:15:09,759 contains a lot of nodes, 372 00:15:09,760 --> 00:15:11,859 the nodes run our own 373 00:15:11,860 --> 00:15:14,229 custom written x86 374 00:15:14,230 --> 00:15:15,399 operating system. 375 00:15:15,400 --> 00:15:17,689 That's very low, nice environment. 376 00:15:17,690 --> 00:15:19,839 So we control all the instructions 377 00:15:19,840 --> 00:15:20,840 that get executed 378 00:15:23,110 --> 00:15:25,299 and the operating system runs on 379 00:15:25,300 --> 00:15:27,579 computers powered by 380 00:15:27,580 --> 00:15:30,069 the processors, so 381 00:15:30,070 --> 00:15:31,629 the nodes are connected to a Raspberry 382 00:15:31,630 --> 00:15:34,149 Pi. We are still together 383 00:15:34,150 --> 00:15:36,339 for data communication and 384 00:15:36,340 --> 00:15:38,439 the use of chip by open source 385 00:15:38,440 --> 00:15:40,719 connected to the CPU set and power 386 00:15:40,720 --> 00:15:42,879 switches on the main boards to 387 00:15:42,880 --> 00:15:45,099 automatically power up and down and 388 00:15:45,100 --> 00:15:46,179 reset nodes. 389 00:15:46,180 --> 00:15:48,339 Because then the nodes 390 00:15:48,340 --> 00:15:50,349 execute random microcode, they often hang 391 00:15:50,350 --> 00:15:51,450 and are not recoverable. 392 00:15:52,780 --> 00:15:54,819 So the whole setup a suitable from the 393 00:15:54,820 --> 00:15:57,249 internet to have remote access and 394 00:15:57,250 --> 00:15:59,109 just as a convenience feature. 395 00:15:59,110 --> 00:16:01,119 So this is what looked like in the very 396 00:16:01,120 --> 00:16:03,189 beginning at our home. 397 00:16:03,190 --> 00:16:04,959 This is what it looked like later at 398 00:16:04,960 --> 00:16:05,960 university. 399 00:16:07,390 --> 00:16:09,459 And now we have 400 00:16:09,460 --> 00:16:12,489 the tools for automotive testing 401 00:16:12,490 --> 00:16:15,399 and we used it for 402 00:16:15,400 --> 00:16:18,039 generating heat maps so 403 00:16:18,040 --> 00:16:20,349 that the name is a little bit misleading. 404 00:16:20,350 --> 00:16:23,679 Let me just explain what we refer 405 00:16:23,680 --> 00:16:24,809 as to them. 406 00:16:24,810 --> 00:16:26,919 Um, basically, it's a mapping 407 00:16:26,920 --> 00:16:29,619 from microcode quote addresses 408 00:16:29,620 --> 00:16:31,839 to the corresponding x86 409 00:16:31,840 --> 00:16:33,179 instruction. 410 00:16:33,180 --> 00:16:35,319 Um, so and 411 00:16:35,320 --> 00:16:37,779 x86 instruction is implemented 412 00:16:37,780 --> 00:16:39,909 in local court and the 413 00:16:39,910 --> 00:16:42,279 microcode is located at 414 00:16:42,280 --> 00:16:44,409 certain home addresses 415 00:16:44,410 --> 00:16:46,659 and the map. Basically, this 416 00:16:46,660 --> 00:16:48,999 fits home address implements what 417 00:16:49,000 --> 00:16:50,320 x86 instruction 418 00:16:52,010 --> 00:16:53,740 generated the heat maps by 419 00:16:55,300 --> 00:16:57,729 iteratively hooking all microcode 420 00:16:57,730 --> 00:16:59,439 combat courses with the break point of 421 00:16:59,440 --> 00:17:01,429 justice and then executing all 422 00:17:02,710 --> 00:17:04,699 x86 instruction. 423 00:17:04,700 --> 00:17:06,789 Um, you 424 00:17:06,790 --> 00:17:09,999 know, so 425 00:17:10,000 --> 00:17:12,159 um, once you have the heat maps, 426 00:17:12,160 --> 00:17:14,439 we can reliably execute our 427 00:17:14,440 --> 00:17:17,439 own bits as microcode 428 00:17:17,440 --> 00:17:19,598 by just setting 429 00:17:19,599 --> 00:17:22,059 the breakpoint just to a 430 00:17:22,060 --> 00:17:24,669 known location and executing 431 00:17:24,670 --> 00:17:26,769 the corresponding 432 00:17:26,770 --> 00:17:28,299 physics instruction. 433 00:17:28,300 --> 00:17:30,549 Then and the controller 434 00:17:30,550 --> 00:17:32,919 gets redirected to 435 00:17:32,920 --> 00:17:35,289 our own microcode updates. 436 00:17:35,290 --> 00:17:37,089 And you can just put random bits and the 437 00:17:37,090 --> 00:17:39,279 CPU into this random puts 438 00:17:39,280 --> 00:17:40,779 a smoker code and executed. 439 00:17:41,980 --> 00:17:44,079 So because there's no documentation 440 00:17:44,080 --> 00:17:46,359 on the microphone 441 00:17:46,360 --> 00:17:49,059 instructions that we basically 442 00:17:49,060 --> 00:17:50,599 had to conduct an unknown instructions, 443 00:17:50,600 --> 00:17:52,779 that analysis this 444 00:17:52,780 --> 00:17:55,269 a black box model because there's no 445 00:17:55,270 --> 00:17:56,829 publicly available assembler, this 446 00:17:56,830 --> 00:17:59,259 assembler compiler or any documentation. 447 00:18:00,670 --> 00:18:02,859 But luckily we had an oracle, the CPU 448 00:18:02,860 --> 00:18:03,969 itself. 449 00:18:03,970 --> 00:18:06,669 We can just fitted inputs and observe 450 00:18:06,670 --> 00:18:09,159 the outputs, and from the differences 451 00:18:09,160 --> 00:18:11,439 in behavior, we can infer 452 00:18:11,440 --> 00:18:12,880 structure encoding and meaning. 453 00:18:14,930 --> 00:18:17,149 So we now have a quick look 454 00:18:17,150 --> 00:18:19,249 at how the CBO overall looks like. 455 00:18:20,420 --> 00:18:22,910 First, we fitted an 86 instruction 456 00:18:24,490 --> 00:18:26,780 and defeated an initial state 457 00:18:28,100 --> 00:18:30,409 which basically contains out of their use 458 00:18:30,410 --> 00:18:32,509 in x86 criticism 459 00:18:33,920 --> 00:18:36,109 and defeated the microcode updates that 460 00:18:36,110 --> 00:18:38,059 we've generated on our own. 461 00:18:38,060 --> 00:18:40,219 The metric system is 462 00:18:40,220 --> 00:18:41,759 a corresponding metric, a good start to 463 00:18:41,760 --> 00:18:44,239 the 86 instruction that we execute 464 00:18:44,240 --> 00:18:46,549 so that the call 465 00:18:46,550 --> 00:18:48,769 ups that are also contained could 466 00:18:48,770 --> 00:18:51,139 update that these random 467 00:18:51,140 --> 00:18:52,940 inputs get executed by the CPU. 468 00:18:55,520 --> 00:18:58,249 Afterwards, we get 469 00:18:58,250 --> 00:18:59,269 an output state 470 00:19:00,380 --> 00:19:01,380 that basically 471 00:19:02,480 --> 00:19:04,669 mirrors the states the 472 00:19:04,670 --> 00:19:07,099 CPI was in after they executed 473 00:19:07,100 --> 00:19:09,140 our random bits, as Michael called. 474 00:19:11,040 --> 00:19:13,189 Very often vendors view 475 00:19:13,190 --> 00:19:15,259 executes random bits of smoke or caught 476 00:19:15,260 --> 00:19:16,939 the CPU for just Chris. 477 00:19:16,940 --> 00:19:19,009 And sometimes we would see no difference 478 00:19:19,010 --> 00:19:20,599 in the inputs and outputs it 479 00:19:23,240 --> 00:19:24,920 after some weeks of 480 00:19:26,570 --> 00:19:27,529 forcing. 481 00:19:27,530 --> 00:19:28,859 Pretty much. 482 00:19:28,860 --> 00:19:31,159 We finally got to end 483 00:19:31,160 --> 00:19:33,469 the string that would not crush 484 00:19:33,470 --> 00:19:35,899 the CPU, and it would yield 485 00:19:35,900 --> 00:19:37,969 a difference in input and output 486 00:19:37,970 --> 00:19:38,970 state. 487 00:19:39,710 --> 00:19:41,900 And this basically was our 488 00:19:42,950 --> 00:19:45,229 early attempt and initial step 489 00:19:45,230 --> 00:19:46,460 for further analysis. 490 00:19:48,050 --> 00:19:49,579 Now, of course, you want to know what 491 00:19:49,580 --> 00:19:51,079 this puts things actually doing. 492 00:19:51,080 --> 00:19:54,409 So what operation is it executing? 493 00:19:54,410 --> 00:19:56,669 And to get that if you start 494 00:19:56,670 --> 00:19:59,599 to to, uh, toggle 495 00:19:59,600 --> 00:20:01,819 bonded by one bit in the string 496 00:20:01,820 --> 00:20:03,349 that we found randomly 497 00:20:04,730 --> 00:20:06,739 and here we change bits on the very 498 00:20:06,740 --> 00:20:07,699 right. 499 00:20:07,700 --> 00:20:09,889 And we saw that the output changed 500 00:20:09,890 --> 00:20:10,999 again. 501 00:20:11,000 --> 00:20:13,219 And after changing 502 00:20:13,220 --> 00:20:15,499 to bits on very right several times 503 00:20:15,500 --> 00:20:17,599 and looking at the outputs and 504 00:20:17,600 --> 00:20:20,449 inputs, we finally concluded 505 00:20:20,450 --> 00:20:22,519 that this between three percent and 506 00:20:23,600 --> 00:20:25,849 X at immediate instruction 507 00:20:27,110 --> 00:20:28,110 on microcode level. 508 00:20:29,450 --> 00:20:31,819 So we then use that knowledge 509 00:20:31,820 --> 00:20:33,919 to build a small 510 00:20:33,920 --> 00:20:36,439 database of opcode operations 511 00:20:36,440 --> 00:20:38,149 and fields. 512 00:20:38,150 --> 00:20:40,429 And here you can see that we determine 513 00:20:40,430 --> 00:20:42,889 the length of the immediate opcode field 514 00:20:42,890 --> 00:20:44,900 and put it there. 515 00:20:46,550 --> 00:20:48,859 So if you change other 516 00:20:48,860 --> 00:20:50,959 bits, like some bits more to 517 00:20:50,960 --> 00:20:51,960 the left, 518 00:20:53,330 --> 00:20:54,890 we get other outputs 519 00:20:56,330 --> 00:20:58,639 and we already know on the Berkeley riots 520 00:20:58,640 --> 00:21:00,379 the immediate field. 521 00:21:00,380 --> 00:21:02,509 If you changed, it mediates 522 00:21:02,510 --> 00:21:04,609 the output changes 523 00:21:04,610 --> 00:21:06,859 again, but it changes differently. 524 00:21:06,860 --> 00:21:08,119 And if you look at the binary 525 00:21:08,120 --> 00:21:10,459 representation of the inputs and outputs 526 00:21:10,460 --> 00:21:13,339 it can, after several attempts 527 00:21:13,340 --> 00:21:15,289 can infer that we found an off. 528 00:21:17,700 --> 00:21:20,069 So after some more testing, 529 00:21:20,070 --> 00:21:22,229 we found that the operation 530 00:21:22,230 --> 00:21:24,359 field has a certain lengths that the 531 00:21:24,360 --> 00:21:26,269 can be seen on the slides. 532 00:21:26,270 --> 00:21:28,499 And this was 533 00:21:28,500 --> 00:21:29,820 basically a starting point. 534 00:21:30,900 --> 00:21:32,939 And we leveraged the framework to conduct 535 00:21:32,940 --> 00:21:35,089 a lot of automated testing 536 00:21:35,090 --> 00:21:36,090 to be 537 00:21:37,440 --> 00:21:39,569 sometimes more randomly, sometimes 538 00:21:39,570 --> 00:21:41,969 less randomly talk of bits 539 00:21:41,970 --> 00:21:43,079 and selected bits. 540 00:21:43,080 --> 00:21:45,149 And the further the outputs 541 00:21:45,150 --> 00:21:47,429 to be interesting so that we only 542 00:21:47,430 --> 00:21:49,559 had to look at a few 543 00:21:49,560 --> 00:21:51,719 set of outputs and interesting 544 00:21:51,720 --> 00:21:53,729 outputs of the CPU. 545 00:21:53,730 --> 00:21:56,699 And Chris, there are changes in behavior. 546 00:21:56,700 --> 00:21:58,739 You also had to manually filter out some 547 00:21:58,740 --> 00:22:01,289 random noise that's sometimes occurring 548 00:22:02,340 --> 00:22:04,889 and then, uh, 549 00:22:04,890 --> 00:22:06,809 after a lot of work. 550 00:22:06,810 --> 00:22:08,279 Don't worry if you can't read it, 551 00:22:09,510 --> 00:22:10,529 we got to this. 552 00:22:12,780 --> 00:22:14,849 So we have quite an exhaustive list 553 00:22:14,850 --> 00:22:16,949 of, uh, 554 00:22:16,950 --> 00:22:19,499 operation fields 555 00:22:19,500 --> 00:22:21,879 that are sometimes immediate, sometimes 556 00:22:21,880 --> 00:22:24,419 called just us or size fields, 557 00:22:24,420 --> 00:22:27,089 and if flicks get propagated 558 00:22:27,090 --> 00:22:28,590 or not and so on. 559 00:22:30,900 --> 00:22:32,999 So, uh, one other thing that 560 00:22:33,000 --> 00:22:35,189 we wanted to conduct is 561 00:22:35,190 --> 00:22:37,859 to infer the logic of Michael quote 562 00:22:37,860 --> 00:22:39,989 from triads, so 563 00:22:39,990 --> 00:22:41,459 triads that are stored in the local court 564 00:22:41,460 --> 00:22:43,589 from the concrete them because they 565 00:22:43,590 --> 00:22:45,989 are in local quota areas 566 00:22:45,990 --> 00:22:47,489 on the tire itself. 567 00:22:47,490 --> 00:22:49,889 So we wanted to indirectly infer 568 00:22:49,890 --> 00:22:51,179 the behavior of some of those. 569 00:22:53,160 --> 00:22:54,659 We first used to break point records 570 00:22:54,660 --> 00:22:57,509 still at the known address 571 00:22:57,510 --> 00:23:00,509 to get initial control. 572 00:23:00,510 --> 00:23:02,219 We would then execute the corresponding 573 00:23:02,220 --> 00:23:04,439 x86 instruction to get 574 00:23:04,440 --> 00:23:06,539 control in our first local court column 575 00:23:06,540 --> 00:23:08,789 stage, and we would 576 00:23:08,790 --> 00:23:11,249 then fry its microcode in our opted 577 00:23:11,250 --> 00:23:14,009 to jump back to my home 578 00:23:14,010 --> 00:23:14,969 to exactly it. 579 00:23:14,970 --> 00:23:16,469 This from a trust that you want to 580 00:23:16,470 --> 00:23:17,470 analyze 581 00:23:18,840 --> 00:23:20,909 it, then add one to this 582 00:23:20,910 --> 00:23:23,129 address and 583 00:23:23,130 --> 00:23:25,429 put this address into another metro just 584 00:23:25,430 --> 00:23:28,049 to jump back to my quote from that room. 585 00:23:28,050 --> 00:23:30,479 So our second ago called REM states, 586 00:23:30,480 --> 00:23:33,329 and this would then output the 587 00:23:33,330 --> 00:23:34,930 um the the 588 00:23:36,120 --> 00:23:38,279 um so that you can compare input 589 00:23:38,280 --> 00:23:39,689 and output state again. 590 00:23:39,690 --> 00:23:42,239 But this time we didn't execute our own 591 00:23:42,240 --> 00:23:44,429 random or less random, but string, 592 00:23:44,430 --> 00:23:46,959 but we executed and local court 593 00:23:46,960 --> 00:23:48,479 prior that stored on the wrong. 594 00:23:49,920 --> 00:23:52,019 This approach has several topics. 595 00:23:53,190 --> 00:23:55,439 For one, um, 596 00:23:55,440 --> 00:23:56,729 the microcode control. 597 00:23:56,730 --> 00:23:59,309 It might just modify some internship, 598 00:23:59,310 --> 00:24:00,839 you stated. We don't know. 599 00:24:00,840 --> 00:24:02,789 So we can't really observe it or 600 00:24:02,790 --> 00:24:03,839 CrossFit. 601 00:24:03,840 --> 00:24:06,179 And uh, another disadvantage 602 00:24:06,180 --> 00:24:08,339 is that the microcode one 603 00:24:08,340 --> 00:24:11,009 triad may not execute 604 00:24:11,010 --> 00:24:12,239 the triad. 605 00:24:12,240 --> 00:24:14,309 It was, uh, 606 00:24:14,310 --> 00:24:16,569 further, but it may just jump some 607 00:24:16,570 --> 00:24:18,149 of its local court room. 608 00:24:18,150 --> 00:24:20,339 In this case, we would lose the control, 609 00:24:20,340 --> 00:24:22,559 but we designed all my courtroom 610 00:24:22,560 --> 00:24:25,379 rom stage to not notice this. 611 00:24:25,380 --> 00:24:27,659 And so people just try 612 00:24:27,660 --> 00:24:29,279 not to control it in this case. 613 00:24:32,410 --> 00:24:34,839 So quite late in a 614 00:24:34,840 --> 00:24:37,269 protect the 615 00:24:37,270 --> 00:24:39,579 decided to give it a try 616 00:24:39,580 --> 00:24:42,429 and agreed to make a quote from 617 00:24:42,430 --> 00:24:44,859 from the disrepute itself. 618 00:24:44,860 --> 00:24:47,169 So it kept 619 00:24:47,170 --> 00:24:50,079 the tip until I got a tip 620 00:24:50,080 --> 00:24:52,009 and took it out. 621 00:24:52,010 --> 00:24:54,189 So it looks like this. 622 00:24:54,190 --> 00:24:56,499 Maybe you can see an increase in 623 00:24:56,500 --> 00:24:58,869 the medical code from areas, 624 00:24:58,870 --> 00:25:01,089 so they take quite a bit of the 625 00:25:01,090 --> 00:25:02,289 sippy you surface. 626 00:25:05,290 --> 00:25:07,149 If he should do a little bit more of a 627 00:25:07,150 --> 00:25:09,099 scanning electron microscope, you can 628 00:25:09,100 --> 00:25:11,769 start to see bits and patterns. 629 00:25:11,770 --> 00:25:13,989 And if you assume an even more, 630 00:25:13,990 --> 00:25:16,089 you can see why thoughts 631 00:25:16,090 --> 00:25:17,619 that are either a little bit more to the 632 00:25:17,620 --> 00:25:19,749 left or to the right. 633 00:25:19,750 --> 00:25:22,299 That means they are either connected to 634 00:25:22,300 --> 00:25:24,429 ground or to the. 635 00:25:24,430 --> 00:25:26,289 And that, in turn, means that this 636 00:25:26,290 --> 00:25:28,869 specific home cell is 637 00:25:28,870 --> 00:25:30,970 representing either one or a zero 638 00:25:33,190 --> 00:25:34,899 reduced optical character recognition. 639 00:25:34,900 --> 00:25:38,019 To get 640 00:25:38,020 --> 00:25:40,989 that, say most of the bits out. 641 00:25:40,990 --> 00:25:43,349 And we could actually, after some 642 00:25:43,350 --> 00:25:45,699 rearranging because the physical layout 643 00:25:45,700 --> 00:25:47,919 is a little bit strange to our software 644 00:25:47,920 --> 00:25:50,019 guys. At least you could 645 00:25:50,020 --> 00:25:52,089 actually find some vocal court's 646 00:25:52,090 --> 00:25:53,229 instructions in there. 647 00:25:54,940 --> 00:25:57,669 It's a challenge, though, to us 648 00:25:57,670 --> 00:25:59,979 to get the exact mapping from 649 00:25:59,980 --> 00:26:01,829 the physical layout to the motor control 650 00:26:01,830 --> 00:26:02,830 mattresses. 651 00:26:05,550 --> 00:26:07,539 So let's pick up our first instant 652 00:26:07,540 --> 00:26:10,049 results will click, so we generated 653 00:26:10,050 --> 00:26:11,050 those heat maps 654 00:26:12,720 --> 00:26:14,849 we found in total 29 655 00:26:14,850 --> 00:26:16,199 local ups. 656 00:26:16,200 --> 00:26:18,449 So these are logic arithmetic 657 00:26:18,450 --> 00:26:21,719 operations, memory load and stores. 658 00:26:21,720 --> 00:26:23,849 We can write to 86 program 659 00:26:23,850 --> 00:26:26,099 counter and we have a medical code 660 00:26:26,100 --> 00:26:27,100 conditional branch. 661 00:26:28,790 --> 00:26:31,099 So we also reverse engineer 662 00:26:31,100 --> 00:26:33,379 the features of the sequence vote, 663 00:26:33,380 --> 00:26:35,509 for example, that can be used to just 664 00:26:35,510 --> 00:26:36,980 execute the next try it, 665 00:26:38,030 --> 00:26:40,319 it can be used to signal 666 00:26:40,320 --> 00:26:42,559 the sequence complete, which means 667 00:26:42,560 --> 00:26:44,959 that the decoding of the current x86 668 00:26:44,960 --> 00:26:47,059 instruction is completed 669 00:26:47,060 --> 00:26:49,399 and that the next x86 instruction 670 00:26:49,400 --> 00:26:50,400 will be executed. 671 00:26:51,590 --> 00:26:53,379 The sequence it can also be used to 672 00:26:53,380 --> 00:26:55,490 prance in local code unconditionally. 673 00:26:58,010 --> 00:27:00,019 Then we also found the substitution 674 00:27:00,020 --> 00:27:02,179 engine and the substitution engine can 675 00:27:02,180 --> 00:27:05,029 be used to automatically 676 00:27:05,030 --> 00:27:06,680 put on 677 00:27:08,810 --> 00:27:10,969 operations that are in the exact physics 678 00:27:10,970 --> 00:27:13,129 instruction to the microcode 679 00:27:13,130 --> 00:27:15,289 instruction so that an 680 00:27:15,290 --> 00:27:17,509 X in physics 681 00:27:17,510 --> 00:27:19,729 instruction would automatically 682 00:27:19,730 --> 00:27:21,879 be X and then the 683 00:27:21,880 --> 00:27:23,209 A code instruction as well. 684 00:27:24,380 --> 00:27:26,809 This heavily simplifies 685 00:27:26,810 --> 00:27:29,389 the implementation of x86 instructions 686 00:27:29,390 --> 00:27:30,390 and local code. 687 00:27:31,470 --> 00:27:34,229 So we also want to document 688 00:27:34,230 --> 00:27:36,409 x 86 instructions. 689 00:27:36,410 --> 00:27:39,289 Until now, we can just, uh, 690 00:27:39,290 --> 00:27:41,389 replace the logic of the 691 00:27:41,390 --> 00:27:44,719 x86 instruction by 692 00:27:44,720 --> 00:27:46,489 setting a breakpoint Colchester to the 693 00:27:46,490 --> 00:27:48,769 entry point and I 694 00:27:48,770 --> 00:27:49,999 on Michael code. 695 00:27:50,000 --> 00:27:52,459 But we also wanted to extend existing 696 00:27:52,460 --> 00:27:53,839 logic and preserve the autonomous 697 00:27:53,840 --> 00:27:56,719 romantics, and we can do that by 698 00:27:56,720 --> 00:27:59,179 either jumping back to Rome 699 00:27:59,180 --> 00:28:01,729 to execute the alternate triads 700 00:28:01,730 --> 00:28:04,699 or for simpler physics instructions. 701 00:28:04,700 --> 00:28:06,889 You can also emulate instruction 702 00:28:06,890 --> 00:28:08,809 logic ourselves. 703 00:28:08,810 --> 00:28:10,069 And there are some examples. 704 00:28:13,830 --> 00:28:14,830 So 705 00:28:16,140 --> 00:28:18,839 once you reverse engineered the 706 00:28:18,840 --> 00:28:21,929 x86 microcode 707 00:28:21,930 --> 00:28:24,539 instructions or some of it, 708 00:28:24,540 --> 00:28:26,639 we started to implement our own local 709 00:28:26,640 --> 00:28:29,099 code programs and 710 00:28:29,100 --> 00:28:30,719 the first part of your program that you 711 00:28:30,720 --> 00:28:32,969 wrote isn't simple instrumentation, but 712 00:28:32,970 --> 00:28:34,409 it's just a proof of concept more or 713 00:28:34,410 --> 00:28:36,509 less. It's pretty 714 00:28:36,510 --> 00:28:38,939 much just in local code columns 715 00:28:38,940 --> 00:28:41,039 how often this certain x86 instruction 716 00:28:41,040 --> 00:28:42,040 was executed 717 00:28:43,260 --> 00:28:44,519 and that instrumentation that we 718 00:28:44,520 --> 00:28:46,859 implemented as a small framework 719 00:28:46,860 --> 00:28:49,559 that allows to hook x86 720 00:28:49,560 --> 00:28:52,229 instructions and redirect control 721 00:28:52,230 --> 00:28:54,989 to an arbitrary function 722 00:28:54,990 --> 00:28:56,970 that's implemented and see, for example. 723 00:29:00,770 --> 00:29:03,229 If also implemented some remote microcode 724 00:29:03,230 --> 00:29:06,289 attacks, so given 725 00:29:06,290 --> 00:29:07,290 back towards 726 00:29:08,390 --> 00:29:10,679 the CPU that has the big to implement 727 00:29:10,680 --> 00:29:11,680 at the local court. 728 00:29:13,160 --> 00:29:15,709 If the computer visits 729 00:29:15,710 --> 00:29:16,710 a website, 730 00:29:17,930 --> 00:29:20,300 it may it trigger the 731 00:29:21,710 --> 00:29:24,229 detector and the implemented 732 00:29:24,230 --> 00:29:26,329 sample websites that 733 00:29:26,330 --> 00:29:28,879 can trigger that to microcode vector. 734 00:29:28,880 --> 00:29:31,189 And we have two versions 735 00:29:31,190 --> 00:29:32,509 available. 736 00:29:32,510 --> 00:29:34,879 One is implemented is Morris 737 00:29:34,880 --> 00:29:35,960 and one the state assembly 738 00:29:38,000 --> 00:29:40,249 will also implement some local 739 00:29:40,250 --> 00:29:42,439 programs that contain 740 00:29:42,440 --> 00:29:44,659 cryptographic trojans, so they 741 00:29:44,660 --> 00:29:46,879 are harder to detect 742 00:29:46,880 --> 00:29:49,519 and to make a code. 743 00:29:49,520 --> 00:29:51,709 The cryptographic like Trojans either 744 00:29:51,710 --> 00:29:53,659 introduce the timings I channel in the 745 00:29:53,660 --> 00:29:55,939 constant time the implementation, 746 00:29:55,940 --> 00:29:58,369 or they allow to 747 00:29:58,370 --> 00:30:00,589 inject false to enable 748 00:30:00,590 --> 00:30:02,749 foiled attacks on 749 00:30:02,750 --> 00:30:04,279 a cryptographic primitives. 750 00:30:05,940 --> 00:30:08,009 So now we want to have a quick 751 00:30:08,010 --> 00:30:10,319 look at how that medical program 752 00:30:10,320 --> 00:30:12,260 looks like, um, 753 00:30:13,470 --> 00:30:16,079 the Michael program has given 754 00:30:16,080 --> 00:30:18,569 in our own 755 00:30:18,570 --> 00:30:20,699 focus of control of a language that 756 00:30:20,700 --> 00:30:23,009 we developed to implement 757 00:30:23,010 --> 00:30:25,019 local programs efficiently so that we 758 00:30:25,020 --> 00:30:27,719 don't have to put together 759 00:30:27,720 --> 00:30:29,849 long streams of bits on our 760 00:30:29,850 --> 00:30:30,850 own. 761 00:30:31,260 --> 00:30:33,419 So the first instruction you consider 762 00:30:33,420 --> 00:30:35,759 this is abstraction that's actually used 763 00:30:35,760 --> 00:30:36,839 as a computer. 764 00:30:36,840 --> 00:30:39,029 So the value in T1D, 765 00:30:39,030 --> 00:30:40,319 which is the medical code internal 766 00:30:40,320 --> 00:30:42,389 Rochester, is compared 767 00:30:42,390 --> 00:30:44,189 to the value in X 768 00:30:45,630 --> 00:30:48,119 after what follows a conditional jump. 769 00:30:48,120 --> 00:30:50,489 And if you want to first consider the 770 00:30:50,490 --> 00:30:51,930 jump not to take in Perth, 771 00:30:53,310 --> 00:30:54,310 that's here. 772 00:30:55,440 --> 00:30:57,569 This is just a 773 00:30:57,570 --> 00:30:59,519 bit of instruction that 774 00:31:00,630 --> 00:31:02,280 set up an integer division. 775 00:31:03,390 --> 00:31:05,459 And here we see in the 776 00:31:05,460 --> 00:31:07,619 very last instruction that we jump back 777 00:31:07,620 --> 00:31:09,089 to the macro quote from. 778 00:31:09,090 --> 00:31:11,399 So what's happening in this case 779 00:31:11,400 --> 00:31:13,739 is that we mimic 780 00:31:13,740 --> 00:31:15,929 the setup of an integer division and 781 00:31:15,930 --> 00:31:18,239 then we jump back to the original triads 782 00:31:18,240 --> 00:31:20,519 and run to just continue the normal 783 00:31:20,520 --> 00:31:21,720 integer division process. 784 00:31:22,770 --> 00:31:24,899 Now we consider the jump taking 785 00:31:24,900 --> 00:31:28,049 perf that only gets executed 786 00:31:28,050 --> 00:31:30,389 if the value in 787 00:31:30,390 --> 00:31:32,339 X matches the value in T1D 788 00:31:34,470 --> 00:31:36,459 in this specific case. 789 00:31:36,460 --> 00:31:38,549 Um, we add one 790 00:31:38,550 --> 00:31:40,919 to the polychrome contour and 791 00:31:40,920 --> 00:31:43,049 then we write this 792 00:31:43,050 --> 00:31:45,359 value to the 86 program 793 00:31:45,360 --> 00:31:47,670 counter. So this basically means 794 00:31:48,780 --> 00:31:51,629 this model code spectra, if you will, 795 00:31:51,630 --> 00:31:53,939 would compare it to a certain 796 00:31:53,940 --> 00:31:55,019 metric value. 797 00:31:55,020 --> 00:31:56,519 And if that's what the metric value was 798 00:31:56,520 --> 00:31:58,679 found, then the x86 799 00:31:58,680 --> 00:32:00,959 program count of the incremented by one, 800 00:32:00,960 --> 00:32:03,059 which means that all of the successive 801 00:32:03,060 --> 00:32:05,129 86 instructions to be 802 00:32:05,130 --> 00:32:07,199 executed out of out 803 00:32:07,200 --> 00:32:09,389 of alignment or this aligned. 804 00:32:09,390 --> 00:32:11,789 Um, this is a very useful primitive 805 00:32:11,790 --> 00:32:13,990 that can be used for, um, 806 00:32:15,000 --> 00:32:17,279 JavaScript exploits, for example, without 807 00:32:17,280 --> 00:32:18,390 the presence of a close up look. 808 00:32:20,360 --> 00:32:22,639 So now it's 809 00:32:22,640 --> 00:32:24,589 time, and I'm handing the stage to 810 00:32:24,590 --> 00:32:25,879 Benjamin. 811 00:32:25,880 --> 00:32:26,990 OK, so. 812 00:32:35,700 --> 00:32:36,809 First of all, I have. 813 00:32:36,810 --> 00:32:38,429 If you see this means that this warning 814 00:32:38,430 --> 00:32:40,019 and autumn deceive you. 815 00:32:40,020 --> 00:32:42,209 And it's actually as if we can target 816 00:32:42,210 --> 00:32:43,859 with all my programs. 817 00:32:43,860 --> 00:32:45,899 And at first, I'm going to want to walk 818 00:32:45,900 --> 00:32:47,909 you through with Hawkins that's actually 819 00:32:47,910 --> 00:32:50,429 currently loaded inside to see if you and 820 00:32:50,430 --> 00:32:52,739 I both at your standard Linux on it. 821 00:32:52,740 --> 00:32:54,929 And yes, it's 822 00:32:54,930 --> 00:32:57,479 just some micro protector. 823 00:32:57,480 --> 00:32:59,399 And first, you load the values that you 824 00:32:59,400 --> 00:33:01,659 want to trigger on and then 825 00:33:01,660 --> 00:33:03,599 performs on magic to condense it down to 826 00:33:03,600 --> 00:33:05,639 one bit. If you actually trigger this 827 00:33:05,640 --> 00:33:08,259 value and 828 00:33:08,260 --> 00:33:10,380 the actually the actual 829 00:33:11,760 --> 00:33:12,760 magic happens to you, 830 00:33:14,520 --> 00:33:17,049 you eat out what is written inside 831 00:33:17,050 --> 00:33:18,539 the buffer in memory. 832 00:33:18,540 --> 00:33:19,559 And was this important? 833 00:33:19,560 --> 00:33:20,489 You'll see it in the second. 834 00:33:20,490 --> 00:33:22,539 When I show you the actually payload, 835 00:33:22,540 --> 00:33:23,519 we're going to one. 836 00:33:23,520 --> 00:33:25,709 But essentially, you read out 837 00:33:25,710 --> 00:33:27,929 my movie and place 838 00:33:27,930 --> 00:33:29,279 it inside 839 00:33:30,690 --> 00:33:32,879 a timber register and performs enough 840 00:33:32,880 --> 00:33:34,169 metric on it. 841 00:33:34,170 --> 00:33:35,170 And 842 00:33:37,290 --> 00:33:39,719 then you implement actually as the actual 843 00:33:39,720 --> 00:33:41,909 semantics of shift to a double, which 844 00:33:41,910 --> 00:33:43,889 is an x86 of code. 845 00:33:43,890 --> 00:33:45,989 And you do this because 846 00:33:45,990 --> 00:33:47,219 if you are talking about you didn't 847 00:33:47,220 --> 00:33:48,960 match, you don't want to. 848 00:33:50,040 --> 00:33:51,629 You don't want to cause any trouble 849 00:33:51,630 --> 00:33:54,119 because some sometimes the common 850 00:33:54,120 --> 00:33:55,979 might use this instruction or some other 851 00:33:55,980 --> 00:33:57,949 application on your host system modules. 852 00:33:57,950 --> 00:33:58,979 Use this instruction. 853 00:33:58,980 --> 00:34:00,239 So it is important to preserve the 854 00:34:00,240 --> 00:34:01,889 semantics if you don't want it to go back 855 00:34:01,890 --> 00:34:02,939 to. 856 00:34:02,940 --> 00:34:04,290 So at this point, 857 00:34:05,880 --> 00:34:08,130 we know whether or not to trigger and. 858 00:34:10,159 --> 00:34:11,599 We can do it, we can now 859 00:34:12,770 --> 00:34:15,319 conditionally at some values to adjusters 860 00:34:15,320 --> 00:34:17,178 or otherwise modify them. 861 00:34:17,179 --> 00:34:18,948 And we do exactly that. 862 00:34:18,949 --> 00:34:21,109 And at first we is that 863 00:34:21,110 --> 00:34:23,299 said, six to 11, which happens 864 00:34:23,300 --> 00:34:25,399 to be the execute useless call on 865 00:34:25,400 --> 00:34:27,619 line ups and 866 00:34:27,620 --> 00:34:30,049 send you set some other adjusters 867 00:34:30,050 --> 00:34:32,359 that we need to actually launch system 868 00:34:32,360 --> 00:34:33,649 call. This augments we control. 869 00:34:34,730 --> 00:34:36,919 And you 870 00:34:36,920 --> 00:34:39,499 do this for would be just us. 871 00:34:39,500 --> 00:34:41,658 And in the end, 872 00:34:41,659 --> 00:34:43,939 you conditionally white the program 873 00:34:43,940 --> 00:34:46,129 count to a specific value you give 874 00:34:46,130 --> 00:34:47,899 them, actually, and you have a payload. 875 00:34:47,900 --> 00:34:49,519 So is a JavaScript payload. 876 00:34:49,520 --> 00:34:51,738 You can choose where you want to go. 877 00:34:51,739 --> 00:34:54,169 And so this all happens conditionally. 878 00:34:54,170 --> 00:34:56,388 It only triggers if an 879 00:34:56,389 --> 00:34:58,459 input to the instruction matches or met 880 00:34:58,460 --> 00:34:59,779 a constant. 881 00:34:59,780 --> 00:35:01,959 And how did we achieve it? 882 00:35:01,960 --> 00:35:04,069 This is was somebody module and 883 00:35:04,070 --> 00:35:06,589 a carefully crafted some 884 00:35:06,590 --> 00:35:08,969 calculations that contain this aligned 885 00:35:08,970 --> 00:35:10,130 x86 instructions. 886 00:35:11,180 --> 00:35:13,429 And as you can see, we end 887 00:35:13,430 --> 00:35:15,739 with an interrupt into a corner 888 00:35:15,740 --> 00:35:17,599 so we trigger and execute your system 889 00:35:17,600 --> 00:35:18,600 call. 890 00:35:19,980 --> 00:35:22,169 And the buffer we're reading from is 891 00:35:22,170 --> 00:35:23,669 sure John Hume. 892 00:35:23,670 --> 00:35:26,129 And essentially, 893 00:35:26,130 --> 00:35:28,260 we just say, please pop us a call 894 00:35:29,400 --> 00:35:30,400 and. 895 00:35:32,640 --> 00:35:35,339 This is an animal unmodified Firefox, 896 00:35:35,340 --> 00:35:38,139 and I haven't I haven't added any 897 00:35:38,140 --> 00:35:40,139 new code to it, and it's not running a 898 00:35:40,140 --> 00:35:42,119 vulnerable version, as far as I know. 899 00:35:42,120 --> 00:35:43,440 So I just calculate. 900 00:35:45,140 --> 00:35:47,209 And because of that such a debacle, are 901 00:35:47,210 --> 00:35:48,320 you going to break you in the second? 902 00:35:54,560 --> 00:35:56,479 Need to wait a bit, because OPEC is 903 00:35:56,480 --> 00:35:58,639 actually really slow, especially if you 904 00:35:58,640 --> 00:35:59,929 are directing Firefox. 905 00:35:59,930 --> 00:36:02,059 And so we go and I'm just gonna 906 00:36:02,060 --> 00:36:04,639 step some instructions that are part of. 907 00:36:04,640 --> 00:36:06,799 So who can you to to sit in order 908 00:36:06,800 --> 00:36:08,090 to get that trust I want to go to? 909 00:36:13,870 --> 00:36:15,339 And now we're inside insights of possibly 910 00:36:15,340 --> 00:36:17,409 module, I showed you earlier this all 911 00:36:17,410 --> 00:36:19,479 code that is emitted by Firefox during 912 00:36:19,480 --> 00:36:21,309 one time, so an attacker is free to 913 00:36:21,310 --> 00:36:23,349 choose what should be emitted by 914 00:36:23,350 --> 00:36:25,779 providing the appropriate WebAssembly 915 00:36:25,780 --> 00:36:27,069 module and. 916 00:36:28,960 --> 00:36:31,119 As you can see, this execution 917 00:36:31,120 --> 00:36:33,369 of our shift, right, dear opcode, 918 00:36:33,370 --> 00:36:35,649 and we actually back towards this one. 919 00:36:35,650 --> 00:36:36,650 And 920 00:36:38,110 --> 00:36:40,029 what I had took special care of is 921 00:36:40,030 --> 00:36:41,030 placing 922 00:36:42,130 --> 00:36:44,769 our constant inside an argument we could. 923 00:36:44,770 --> 00:36:47,139 So actually object of a trigger. 924 00:36:47,140 --> 00:36:49,569 And because she 925 00:36:49,570 --> 00:36:51,819 is going to lose control in the second. 926 00:36:51,820 --> 00:36:52,820 I'm going to cheat a bit. 927 00:36:58,010 --> 00:37:00,319 And I know that we're going to jump 928 00:37:00,320 --> 00:37:02,059 six points more so just at six. 929 00:37:03,640 --> 00:37:04,900 And press continue. 930 00:37:06,360 --> 00:37:07,949 And we had this client inside 931 00:37:07,950 --> 00:37:08,999 instructions. 932 00:37:09,000 --> 00:37:11,159 And as you can see, you perform 933 00:37:11,160 --> 00:37:13,859 all the things we actually coded into. 934 00:37:13,860 --> 00:37:16,169 Make records to prepare the documents 935 00:37:16,170 --> 00:37:17,309 with justice. 936 00:37:17,310 --> 00:37:19,799 And if you 937 00:37:19,800 --> 00:37:21,779 if you compare, it was the episode the 938 00:37:21,780 --> 00:37:22,780 output. 939 00:37:24,410 --> 00:37:26,809 I said, please, Mrs. OPCODE, 940 00:37:26,810 --> 00:37:29,599 followed by a jump five and pre-summit. 941 00:37:29,600 --> 00:37:32,759 Lastly, these two up coats and 942 00:37:32,760 --> 00:37:35,480 squeezes of coats we have, so 943 00:37:36,800 --> 00:37:38,419 let's just continue and hope it works 944 00:37:38,420 --> 00:37:39,420 this time. 945 00:37:40,750 --> 00:37:41,919 And of course, it didn't. 946 00:37:41,920 --> 00:37:43,719 Let me just quickly you on it also the 947 00:37:43,720 --> 00:37:44,720 opportunity to be. 948 00:38:00,810 --> 00:38:02,460 And so you're going to get stuck. 949 00:38:12,160 --> 00:38:14,229 And as well research, we can 950 00:38:14,230 --> 00:38:15,549 also implement some cryptographic 951 00:38:15,550 --> 00:38:17,229 backdoors and because we need to reboot 952 00:38:17,230 --> 00:38:19,419 for the story. I'm going to show you the 953 00:38:19,420 --> 00:38:21,279 notes. We're getting codes first. 954 00:38:21,280 --> 00:38:23,379 So we have here and we 955 00:38:23,380 --> 00:38:25,419 have a standard signature verification 956 00:38:25,420 --> 00:38:27,159 and it just a political job because 957 00:38:27,160 --> 00:38:28,389 everything is fine. 958 00:38:28,390 --> 00:38:30,699 But now we're going to 959 00:38:31,870 --> 00:38:33,880 quickly apply the picture. 960 00:38:43,260 --> 00:38:44,729 And request a custom kill them 961 00:38:45,750 --> 00:38:47,459 because we need to somehow mobilize 962 00:38:47,460 --> 00:38:48,359 update. 963 00:38:48,360 --> 00:38:50,849 And why is this actually reboots? 964 00:38:50,850 --> 00:38:52,139 I'm going to show you a different e-mail. 965 00:38:55,240 --> 00:38:56,260 I have 966 00:38:57,730 --> 00:39:00,069 this console is actually going to push 967 00:39:00,070 --> 00:39:01,939 as Group two of us blue Pine Country 968 00:39:01,940 --> 00:39:03,549 sitting in the binary assembly in the 969 00:39:03,550 --> 00:39:05,649 studio. And this is 970 00:39:05,650 --> 00:39:07,959 connected, we assume, to an AMD 971 00:39:07,960 --> 00:39:10,329 note, and 972 00:39:10,330 --> 00:39:11,829 this is going to undermine a quote we 973 00:39:11,830 --> 00:39:13,059 tell you to run. 974 00:39:13,060 --> 00:39:15,219 And first, I'm going to show you 975 00:39:15,220 --> 00:39:17,169 what happens if I just say, don't hook 976 00:39:17,170 --> 00:39:18,250 anything into microcode, 977 00:39:19,270 --> 00:39:21,509 so you'll just go ahead and say one word 978 00:39:21,510 --> 00:39:22,510 and. 979 00:39:23,860 --> 00:39:25,929 So just as you should pay attention 980 00:39:25,930 --> 00:39:26,930 to is 981 00:39:28,180 --> 00:39:30,799 currently it's over, because I didn't 982 00:39:30,800 --> 00:39:31,900 I didn't change anything. 983 00:39:33,310 --> 00:39:35,289 And now I'm going to 984 00:39:36,430 --> 00:39:37,930 say, OK, that's good. 985 00:39:45,730 --> 00:39:47,619 And suddenly something changed. 986 00:39:47,620 --> 00:39:48,909 And what changed is 987 00:39:50,560 --> 00:39:53,529 this is a microcode approach to the CPU, 988 00:39:53,530 --> 00:39:55,899 and all it does is 989 00:39:55,900 --> 00:39:58,539 push the next x86 990 00:39:58,540 --> 00:40:00,879 instruction and will be executed 991 00:40:00,880 --> 00:40:02,949 and stored on the 992 00:40:02,950 --> 00:40:05,049 stick and then just jump to 993 00:40:05,050 --> 00:40:07,059 a location I predefined. 994 00:40:07,060 --> 00:40:09,189 And this location ends 995 00:40:09,190 --> 00:40:10,510 up all the way over here. 996 00:40:12,160 --> 00:40:14,859 So we actually get control in x86 997 00:40:14,860 --> 00:40:16,989 without having to hide any like 998 00:40:16,990 --> 00:40:19,029 program rewriting stuff. 999 00:40:19,030 --> 00:40:20,030 It just works. 1000 00:40:21,340 --> 00:40:23,439 So there's also something we 1001 00:40:23,440 --> 00:40:25,539 can do. We can introduce like micro 1002 00:40:25,540 --> 00:40:28,039 code hooks and actually 1003 00:40:28,040 --> 00:40:29,919 he finished booting. So let me quickly 1004 00:40:29,920 --> 00:40:31,030 set up and see again. 1005 00:40:53,460 --> 00:40:54,460 Second. 1006 00:40:57,410 --> 00:40:59,599 OK, so again, we the APC, 1007 00:40:59,600 --> 00:41:01,189 but this time you voted a different 1008 00:41:01,190 --> 00:41:02,749 update, for example, is this update one 1009 00:41:02,750 --> 00:41:05,029 triggers a back to be placed in Firefox, 1010 00:41:05,030 --> 00:41:07,169 but instead you're going to run 1011 00:41:07,170 --> 00:41:09,050 the crypto demon yourself before again. 1012 00:41:10,730 --> 00:41:12,319 And suddenly it's a similar signature 1013 00:41:12,320 --> 00:41:13,999 because we introduced an error into the 1014 00:41:14,000 --> 00:41:15,889 calculation that is performed, doing the 1015 00:41:15,890 --> 00:41:18,739 ecliptic calculation 1016 00:41:18,740 --> 00:41:19,760 and using this, 1017 00:41:20,840 --> 00:41:22,289 you can actually perform the 1018 00:41:22,290 --> 00:41:23,290 cryptographic attacks 1019 00:41:24,350 --> 00:41:25,350 and 1020 00:41:26,450 --> 00:41:27,889 just a bit of theory. 1021 00:41:29,060 --> 00:41:30,489 I introduced and 1022 00:41:31,490 --> 00:41:32,490 cryptographic 1023 00:41:33,620 --> 00:41:35,989 witness into an otherwise secure crypto 1024 00:41:35,990 --> 00:41:38,479 by introducing an arbitrary error 1025 00:41:38,480 --> 00:41:40,919 and using this, you can reconstruct 1026 00:41:40,920 --> 00:41:43,189 material, and all of this 1027 00:41:43,190 --> 00:41:44,659 is done in microcode alone. 1028 00:41:44,660 --> 00:41:46,729 I didn't need to modify the final 1029 00:41:46,730 --> 00:41:47,730 result as one thing. 1030 00:41:49,400 --> 00:41:51,110 So that brings us. 1031 00:41:58,420 --> 00:42:00,099 True security issue, I said actually a 1032 00:42:00,100 --> 00:42:01,810 crew of ISS set up 1033 00:42:03,220 --> 00:42:04,689 your car and you can push any update as 1034 00:42:04,690 --> 00:42:06,279 you saw. I mean, I modified the live 1035 00:42:06,280 --> 00:42:07,719 picture to see if you accepted it. 1036 00:42:08,890 --> 00:42:11,559 You can picture it as you saw and 1037 00:42:11,560 --> 00:42:13,629 you can't really fix it because you would 1038 00:42:13,630 --> 00:42:15,219 need to do an hartfield card to introduce 1039 00:42:15,220 --> 00:42:16,659 some people on cryptographic checking. 1040 00:42:17,680 --> 00:42:20,019 And of course, you can 1041 00:42:20,020 --> 00:42:21,189 hack. You fix it. 1042 00:42:21,190 --> 00:42:22,570 You just accepted mechanism 1043 00:42:23,620 --> 00:42:24,969 or. 1044 00:42:24,970 --> 00:42:26,939 But in the end, it isn't that bad because 1045 00:42:26,940 --> 00:42:28,329 you only have a really strong attack on 1046 00:42:28,330 --> 00:42:30,669 what someone had to actually modify 1047 00:42:30,670 --> 00:42:33,099 your bios to apply this on every boot up. 1048 00:42:33,100 --> 00:42:35,349 So usually it isn't a problem 1049 00:42:35,350 --> 00:42:36,350 for you. 1050 00:42:37,210 --> 00:42:39,429 And in the end, yes, my 1051 00:42:39,430 --> 00:42:41,559 company like A can be reversed and 1052 00:42:41,560 --> 00:42:42,699 you can change it. 1053 00:42:42,700 --> 00:42:44,439 And if you want to talk a bit more about 1054 00:42:44,440 --> 00:42:46,299 it or even try your hand at modifying 1055 00:42:46,300 --> 00:42:47,319 microcode yourself. 1056 00:42:47,320 --> 00:42:49,569 Visit us to kill US Europeans 1057 00:42:49,570 --> 00:42:51,099 by new security assembly. 1058 00:42:51,100 --> 00:42:53,289 And we have a set of results, including 1059 00:42:53,290 --> 00:42:55,419 the CPC and an old curtain that 1060 00:42:55,420 --> 00:42:56,769 you can push it live at once. 1061 00:42:56,770 --> 00:42:57,999 So angry with us. 1062 00:42:58,000 --> 00:43:00,309 And also, we pushed out some updates and 1063 00:43:00,310 --> 00:43:02,049 we go to him if I was to get up, 1064 00:43:02,050 --> 00:43:03,819 including an update wherever we can pitch 1065 00:43:03,820 --> 00:43:04,719 your own CPU. 1066 00:43:04,720 --> 00:43:06,139 But please be careful. 1067 00:43:06,140 --> 00:43:07,909 This can actually break us if you ever 1068 00:43:07,910 --> 00:43:09,219 did manage to play ours, but we 1069 00:43:09,220 --> 00:43:10,839 eventually set our bios settings at some 1070 00:43:10,840 --> 00:43:12,550 point. So please be careful. 1071 00:43:13,920 --> 00:43:14,920 And. 1072 00:43:25,650 --> 00:43:27,389 So now we have time for questions from 1073 00:43:27,390 --> 00:43:29,189 the audience, you see microphones around 1074 00:43:29,190 --> 00:43:31,019 the arena with numbers stuck on them on 1075 00:43:31,020 --> 00:43:32,679 the internet. We have a signal angel who 1076 00:43:32,680 --> 00:43:34,079 was already telling me that we have 1077 00:43:34,080 --> 00:43:35,639 questions from the internets. 1078 00:43:35,640 --> 00:43:37,799 Before we get to the questions I said in 1079 00:43:37,800 --> 00:43:39,479 advance, you may be asked to leave the 1080 00:43:39,480 --> 00:43:41,579 hall entirely when going 1081 00:43:41,580 --> 00:43:43,529 back. And now I'm asking you that when 1082 00:43:43,530 --> 00:43:45,359 you leave, please leave entirely and 1083 00:43:45,360 --> 00:43:46,919 reenter the hall through the main 1084 00:43:46,920 --> 00:43:48,979 entrance, not the hall, but the whole 1085 00:43:48,980 --> 00:43:51,299 message here. So now from the signal 1086 00:43:51,300 --> 00:43:52,829 angel in the internets. 1087 00:43:52,830 --> 00:43:54,959 Thank you. We had a question that came 1088 00:43:54,960 --> 00:43:56,249 up quite early in the talk. 1089 00:43:57,360 --> 00:43:59,369 Is it possible to cause physical damage 1090 00:43:59,370 --> 00:44:01,979 to a CPU using malicious 1091 00:44:01,980 --> 00:44:04,289 Michael Colt has either 1092 00:44:04,290 --> 00:44:06,569 of you, you know, ever brake to stop 1093 00:44:06,570 --> 00:44:07,570 you? 1094 00:44:08,390 --> 00:44:10,469 Yeah, we didn't break any CPUs 1095 00:44:10,470 --> 00:44:12,709 apart from the ones we to and 1096 00:44:12,710 --> 00:44:14,909 we kept to put into Micron Electron 1097 00:44:14,910 --> 00:44:16,979 Microscope, and maybe 1098 00:44:16,980 --> 00:44:18,899 it is possible we haven't managed it yet, 1099 00:44:18,900 --> 00:44:21,029 but the the design 1100 00:44:21,030 --> 00:44:23,249 of at least the AMD we analyze doesn't 1101 00:44:23,250 --> 00:44:25,679 look like you can unless there are some 1102 00:44:25,680 --> 00:44:27,749 feature inside microcode that 1103 00:44:27,750 --> 00:44:29,999 you can trigger. We haven't found it yet. 1104 00:44:30,000 --> 00:44:32,069 Maybe it's possible, but most likely 1105 00:44:32,070 --> 00:44:33,070 doesn't. 1106 00:44:33,960 --> 00:44:35,489 Microphone techs? 1107 00:44:35,490 --> 00:44:36,490 Yes. 1108 00:44:36,870 --> 00:44:38,939 Is it possible to fix performance 1109 00:44:38,940 --> 00:44:39,989 issues with microcode? 1110 00:44:41,580 --> 00:44:43,919 So we've thought about 1111 00:44:43,920 --> 00:44:46,019 that as well, folks on 1112 00:44:46,020 --> 00:44:48,119 before binary instrumentation. 1113 00:44:48,120 --> 00:44:50,039 There are several different approaches to 1114 00:44:50,040 --> 00:44:52,289 that. You can emulate 1115 00:44:52,290 --> 00:44:54,780 the codes like 1116 00:44:55,950 --> 00:44:57,269 Vulkan String, for example, 1117 00:44:58,530 --> 00:45:00,269 or you can instrument the code 1118 00:45:00,270 --> 00:45:01,270 statically. 1119 00:45:02,160 --> 00:45:04,259 But they all have like topics 1120 00:45:04,260 --> 00:45:06,629 like either they are slow 1121 00:45:06,630 --> 00:45:08,879 or they are not complete, like the static 1122 00:45:08,880 --> 00:45:10,589 flooding, for example, at least not 1123 00:45:10,590 --> 00:45:11,939 complete in general. 1124 00:45:11,940 --> 00:45:14,399 So Michael Cole can actually be 1125 00:45:14,400 --> 00:45:17,309 quite performant and complete 1126 00:45:17,310 --> 00:45:18,310 instrumentation 1127 00:45:19,380 --> 00:45:21,329 basis that an instrumentation framework 1128 00:45:21,330 --> 00:45:23,489 could be based on the 1129 00:45:23,490 --> 00:45:24,569 problems of microcode. 1130 00:45:24,570 --> 00:45:26,429 Or is that at the moment, it's quite 1131 00:45:26,430 --> 00:45:28,649 limited because for newer 1132 00:45:28,650 --> 00:45:30,569 and DCP use and pretty much for all 1133 00:45:30,570 --> 00:45:32,849 intensive you microphone is closed. 1134 00:45:32,850 --> 00:45:35,249 But maybe the 1135 00:45:35,250 --> 00:45:37,469 CPU vendors will open it up a little 1136 00:45:37,470 --> 00:45:39,959 bit and then it could be used 1137 00:45:39,960 --> 00:45:42,449 to to increase performance 1138 00:45:42,450 --> 00:45:43,889 for instrumentation frameworks. 1139 00:45:45,420 --> 00:45:47,699 It can also be used to 1140 00:45:48,870 --> 00:45:50,400 implement new instructions. 1141 00:45:52,230 --> 00:45:54,599 But I doubt that it's going to be 1142 00:45:54,600 --> 00:45:55,559 very fast. 1143 00:45:55,560 --> 00:45:57,749 And if you just implement x86 1144 00:45:57,750 --> 00:45:58,750 instructions 1145 00:45:59,970 --> 00:46:01,079 microphone one. 1146 00:46:01,080 --> 00:46:02,339 Yes. Have you looked at the 1147 00:46:02,340 --> 00:46:04,019 older Intel microcode 1148 00:46:04,020 --> 00:46:05,189 updates as well? 1149 00:46:05,190 --> 00:46:06,779 Because if you look at them, they are 1150 00:46:06,780 --> 00:46:08,909 like encrypted, but it's 1151 00:46:08,910 --> 00:46:11,039 clearly not strong crypto. 1152 00:46:11,040 --> 00:46:13,259 It's either a constant stream cipher 1153 00:46:13,260 --> 00:46:13,439 or 1154 00:46:13,440 --> 00:46:14,249 a small 1155 00:46:14,250 --> 00:46:15,959 block cipher. 1156 00:46:15,960 --> 00:46:18,269 So because also I have 1157 00:46:18,270 --> 00:46:20,219 previously succeeded in actually loading 1158 00:46:20,220 --> 00:46:22,949 patched microcode updates that 1159 00:46:22,950 --> 00:46:24,509 I've been able to control the contents. 1160 00:46:24,510 --> 00:46:26,969 But so clearly the verification mechanism 1161 00:46:26,970 --> 00:46:28,320 isn't very strong either. 1162 00:46:29,520 --> 00:46:31,379 So, OK, if it didn't have a close look 1163 00:46:31,380 --> 00:46:33,929 into the into update, 1164 00:46:33,930 --> 00:46:36,059 but that's a very good question, and we 1165 00:46:36,060 --> 00:46:37,649 should probably have the discussion 1166 00:46:37,650 --> 00:46:38,849 offline. So 1167 00:46:40,050 --> 00:46:42,059 feel free to visit us at 270 and then we 1168 00:46:42,060 --> 00:46:43,979 can have a look together what you call 1169 00:46:43,980 --> 00:46:47,279 the microphone to. 1170 00:46:47,280 --> 00:46:49,469 How accurate is it to refer to 1171 00:46:49,470 --> 00:46:51,989 the microcode as 1172 00:46:51,990 --> 00:46:54,209 a risk architecture rather than 1173 00:46:54,210 --> 00:46:56,159 SysRq? I mean, are there any instructions 1174 00:46:56,160 --> 00:46:58,289 in there you wouldn't typically find 1175 00:46:58,290 --> 00:47:00,719 on on a regular risk 1176 00:47:00,720 --> 00:47:01,720 architecture? 1177 00:47:04,620 --> 00:47:07,049 So the question 1178 00:47:07,050 --> 00:47:09,029 was better, veterans use construction 1179 00:47:09,030 --> 00:47:11,099 sites like architecture, 1180 00:47:11,100 --> 00:47:12,929 so I can agree on that. 1181 00:47:12,930 --> 00:47:15,419 Um, the instructions 1182 00:47:15,420 --> 00:47:17,670 are mostly quite simple. 1183 00:47:19,170 --> 00:47:21,479 One quite interesting feature, actually 1184 00:47:21,480 --> 00:47:23,819 is that you can have three 1185 00:47:23,820 --> 00:47:25,919 upfront mode that you can give three 1186 00:47:25,920 --> 00:47:27,839 registers and you can have one 1187 00:47:27,840 --> 00:47:30,029 destination register and to source 1188 00:47:30,030 --> 00:47:32,279 suggests it is not possible on 1189 00:47:32,280 --> 00:47:34,649 x86. As you all know, probably, 1190 00:47:34,650 --> 00:47:36,269 but it's possible that microcode level. 1191 00:47:36,270 --> 00:47:37,829 So it's quite interesting. 1192 00:47:37,830 --> 00:47:38,830 Hmm. 1193 00:47:39,690 --> 00:47:41,010 Back to the signal angel. 1194 00:47:42,450 --> 00:47:43,589 Thank you. 1195 00:47:43,590 --> 00:47:45,689 How do you know the microcode entry point 1196 00:47:45,690 --> 00:47:47,639 for a given instruction? 1197 00:47:47,640 --> 00:47:48,640 That's a very good question. 1198 00:47:50,280 --> 00:47:52,499 We showed you the heat maps and 1199 00:47:52,500 --> 00:47:54,030 we generate them by 1200 00:47:55,110 --> 00:47:57,149 basically setting the breakpoint at each 1201 00:47:57,150 --> 00:47:59,249 possible code on the address 1202 00:47:59,250 --> 00:48:02,009 and then just trying all x86 1203 00:48:02,010 --> 00:48:03,299 instructions. 1204 00:48:03,300 --> 00:48:05,759 And obviously, sometimes 1205 00:48:05,760 --> 00:48:08,189 people have multiple hits for one 1206 00:48:08,190 --> 00:48:10,829 eighty-six instruction because 1207 00:48:10,830 --> 00:48:13,169 not one at first is enough 1208 00:48:13,170 --> 00:48:15,779 to implement the whole x86 instruction. 1209 00:48:15,780 --> 00:48:18,179 And what we then can do, we have eight. 1210 00:48:18,180 --> 00:48:19,679 That's the good stuff. So we can set 1211 00:48:19,680 --> 00:48:21,749 eight break points at once 1212 00:48:21,750 --> 00:48:23,939 before just that eight 1213 00:48:23,940 --> 00:48:26,159 break points at those different locations 1214 00:48:26,160 --> 00:48:28,109 and see which one gets triggered first. 1215 00:48:28,110 --> 00:48:30,449 And so if you could actually step by step 1216 00:48:30,450 --> 00:48:33,599 debug in which order 1217 00:48:33,600 --> 00:48:36,629 code ROM addresses get executed 1218 00:48:36,630 --> 00:48:38,699 to implement an x86 instruction. 1219 00:48:38,700 --> 00:48:40,799 And so we way you also find the 1220 00:48:40,800 --> 00:48:41,800 entry point. 1221 00:48:43,860 --> 00:48:44,860 Microphone three. 1222 00:48:46,770 --> 00:48:48,899 You said that there was microcode 1223 00:48:48,900 --> 00:48:51,149 updates are not persistent across reboots 1224 00:48:51,150 --> 00:48:53,309 right across processor is 1225 00:48:53,310 --> 00:48:55,469 it doesn't mean that when 1226 00:48:55,470 --> 00:48:57,629 vendor issues a microscope update, 1227 00:48:57,630 --> 00:48:59,699 it is actually a program 1228 00:48:59,700 --> 00:49:01,799 and patch to a bias that should 1229 00:49:01,800 --> 00:49:03,989 install the update on every 1230 00:49:03,990 --> 00:49:05,849 reboot, even a boot sequence. 1231 00:49:05,850 --> 00:49:06,839 Right? 1232 00:49:06,840 --> 00:49:07,840 Yeah. 1233 00:49:08,160 --> 00:49:10,469 So the CPU vendors, they 1234 00:49:10,470 --> 00:49:12,719 don't publish those market updates, but 1235 00:49:12,720 --> 00:49:14,669 they put them or they give them to the 1236 00:49:14,670 --> 00:49:16,739 main. Both vendors and vendors 1237 00:49:16,740 --> 00:49:18,839 usually put them into 1238 00:49:18,840 --> 00:49:21,689 bios or if you updates and 1239 00:49:21,690 --> 00:49:23,519 those updates don't contain the microcode 1240 00:49:23,520 --> 00:49:26,429 updates and do Computicket instead. 1241 00:49:26,430 --> 00:49:29,249 Also, there actually is on Linux 1242 00:49:29,250 --> 00:49:31,529 into microphone package and this actually 1243 00:49:31,530 --> 00:49:32,489 performs. 1244 00:49:32,490 --> 00:49:34,109 I would update on every boot. 1245 00:49:34,110 --> 00:49:36,299 And I actually hijacked its drive on to 1246 00:49:36,300 --> 00:49:37,829 perform our custom update. 1247 00:49:37,830 --> 00:49:39,959 So depending on the US, you are wondering 1248 00:49:39,960 --> 00:49:41,369 who is going to form your bios or you get 1249 00:49:41,370 --> 00:49:42,370 it from your operating system? 1250 00:49:44,550 --> 00:49:45,550 Microphone for 1251 00:49:47,190 --> 00:49:48,360 I wanted to ask, 1252 00:49:49,470 --> 00:49:51,570 you mentioned it might be possible to use 1253 00:49:52,980 --> 00:49:55,379 a crafted Microsoft 1254 00:49:55,380 --> 00:49:57,929 microcode update to actually 1255 00:49:57,930 --> 00:50:00,629 patch out the update mechanism? 1256 00:50:00,630 --> 00:50:03,090 Or how do you think it would be to 1257 00:50:04,120 --> 00:50:05,120 to implement 1258 00:50:06,180 --> 00:50:08,579 to implement that inside, say, 1259 00:50:08,580 --> 00:50:10,859 boot and make sure that 1260 00:50:10,860 --> 00:50:13,349 the other microcode update mechanism 1261 00:50:13,350 --> 00:50:15,549 is patched out very early 1262 00:50:15,550 --> 00:50:17,729 on in the boot process? 1263 00:50:17,730 --> 00:50:19,979 So this would actually be quite 1264 00:50:19,980 --> 00:50:21,599 easy to do. 1265 00:50:21,600 --> 00:50:23,999 It's the first, some 1266 00:50:24,000 --> 00:50:27,029 obvious engineering work on our site, 1267 00:50:27,030 --> 00:50:29,279 but through the heatmaps, we already 1268 00:50:29,280 --> 00:50:31,139 have quite a good understanding. 1269 00:50:31,140 --> 00:50:32,969 We have to make code. Update mechanism is 1270 00:50:32,970 --> 00:50:35,099 probably going to be because 1271 00:50:35,100 --> 00:50:37,409 once you set breakpoints down, 1272 00:50:37,410 --> 00:50:39,989 you can't apply code updates anymore. 1273 00:50:39,990 --> 00:50:41,400 Um, so 1274 00:50:42,410 --> 00:50:44,279 it would require some work there, but 1275 00:50:44,280 --> 00:50:46,469 then it would be quite easy 1276 00:50:46,470 --> 00:50:48,569 to just have a 1277 00:50:48,570 --> 00:50:50,119 microcode update mechanism and be 1278 00:50:50,120 --> 00:50:52,199 prepared and in the boot 1279 00:50:52,200 --> 00:50:53,610 disabled update mechanism. 1280 00:50:55,470 --> 00:50:56,470 Thank you very much. Mm-Hmm. 1281 00:50:57,750 --> 00:50:59,609 Signal, Angel, 1282 00:50:59,610 --> 00:51:01,380 can you use this trick 1283 00:51:02,940 --> 00:51:05,339 so that the CPU is revealing any secrets 1284 00:51:05,340 --> 00:51:07,439 e.g. keys out of secure 1285 00:51:07,440 --> 00:51:09,569 enclaves like TPM, 1286 00:51:09,570 --> 00:51:12,030 like entities in the CPU? 1287 00:51:13,590 --> 00:51:16,529 Probably not, at least not named. 1288 00:51:16,530 --> 00:51:18,839 But we can't really tell you with a 1289 00:51:18,840 --> 00:51:20,339 definitive answer to that, because I 1290 00:51:20,340 --> 00:51:22,359 suppose we can carry on or don't have an 1291 00:51:22,360 --> 00:51:24,539 secure enclave, so we didn't test it. 1292 00:51:24,540 --> 00:51:26,819 And what we actually 1293 00:51:26,820 --> 00:51:29,399 observed is that the microcode follows 1294 00:51:29,400 --> 00:51:30,959 the same permissions that the code that 1295 00:51:30,960 --> 00:51:32,009 actually trigger to make a code. 1296 00:51:32,010 --> 00:51:34,139 For example, if you have an 1297 00:51:34,140 --> 00:51:36,479 IMU and the 1298 00:51:36,480 --> 00:51:37,709 microphone actually follows minimum 1299 00:51:37,710 --> 00:51:38,909 protection toolset. 1300 00:51:38,910 --> 00:51:41,429 So most likely, no. 1301 00:51:41,430 --> 00:51:43,070 But maybe you can take it 1302 00:51:45,000 --> 00:51:46,499 microphone to. 1303 00:51:46,500 --> 00:51:48,839 So you said you have 1304 00:51:48,840 --> 00:51:50,879 trained him on microbes. 1305 00:51:50,880 --> 00:51:53,189 Do you know how much of 1306 00:51:53,190 --> 00:51:55,709 the total space 1307 00:51:55,710 --> 00:51:57,719 that supported this? 1308 00:51:57,720 --> 00:52:00,359 So do you think or some microcode 1309 00:52:00,360 --> 00:52:02,789 instructions you didn't find out also 1310 00:52:02,790 --> 00:52:04,169 told us. 1311 00:52:04,170 --> 00:52:06,329 So it's very, very likely 1312 00:52:06,330 --> 00:52:08,159 that we didn't find many 1313 00:52:09,300 --> 00:52:10,470 of those instructions. 1314 00:52:11,940 --> 00:52:13,229 There are still 1315 00:52:14,580 --> 00:52:16,679 certain regions within the 1316 00:52:16,680 --> 00:52:18,089 local court instructions that we don't 1317 00:52:18,090 --> 00:52:20,219 understand. And if you talk with them, 1318 00:52:20,220 --> 00:52:22,529 it crashes or the behavior. 1319 00:52:22,530 --> 00:52:24,659 It's different and we can't 1320 00:52:24,660 --> 00:52:26,849 tell what operation it's 1321 00:52:26,850 --> 00:52:27,850 doing. 1322 00:52:28,320 --> 00:52:30,419 Also, we can't just observe some of the 1323 00:52:30,420 --> 00:52:32,609 court justice and you can't observe 1324 00:52:32,610 --> 00:52:34,679 all the intel in the workings of the CPU. 1325 00:52:34,680 --> 00:52:36,839 So a lot of 1326 00:52:36,840 --> 00:52:39,419 instructions that's modified 1327 00:52:39,420 --> 00:52:41,369 at Intel instead of TTP, you let's say 1328 00:52:41,370 --> 00:52:43,379 it's enabled or disabled certain 1329 00:52:43,380 --> 00:52:44,789 features. 1330 00:52:44,790 --> 00:52:46,859 What enables and disable certain slow of 1331 00:52:46,860 --> 00:52:48,929 hers perf for some 1332 00:52:48,930 --> 00:52:51,209 features, be noticed 1333 00:52:51,210 --> 00:52:53,729 it and 1334 00:52:53,730 --> 00:52:54,960 do it so that we can't, 1335 00:52:56,320 --> 00:52:58,979 uh, we don't know what 1336 00:52:58,980 --> 00:53:00,209 the instruction is doing, what the 1337 00:53:00,210 --> 00:53:02,519 bitstream is doing, testing currently. 1338 00:53:02,520 --> 00:53:04,229 So probably there are many instructions 1339 00:53:04,230 --> 00:53:05,230 we don't know. 1340 00:53:07,200 --> 00:53:08,200 Microphone one. 1341 00:53:09,750 --> 00:53:11,879 Have you considered ways to 1342 00:53:11,880 --> 00:53:14,249 say my if my 1343 00:53:14,250 --> 00:53:16,439 microphone is being backdoored to 1344 00:53:16,440 --> 00:53:17,329 detect that? 1345 00:53:17,330 --> 00:53:18,119 Can you can 1346 00:53:18,120 --> 00:53:19,619 you help me in that situation? 1347 00:53:21,040 --> 00:53:22,739 Oh, OK. 1348 00:53:22,740 --> 00:53:25,319 So, um, during 1349 00:53:25,320 --> 00:53:27,779 our research, we didn't have a look 1350 00:53:27,780 --> 00:53:28,829 into this yet, 1351 00:53:29,850 --> 00:53:32,099 but we already had some internal 1352 00:53:32,100 --> 00:53:33,969 discussions regarding this point. 1353 00:53:33,970 --> 00:53:35,669 That's a really good question. 1354 00:53:35,670 --> 00:53:37,889 So, um, if 1355 00:53:37,890 --> 00:53:39,989 you if you use microcode 1356 00:53:39,990 --> 00:53:42,359 to hook an 86 1357 00:53:42,360 --> 00:53:44,429 instruction, you introduce a 1358 00:53:44,430 --> 00:53:45,869 small timing overhead. 1359 00:53:45,870 --> 00:53:47,639 And if you carefully measure that 1360 00:53:47,640 --> 00:53:49,919 instruction, you can probably detect 1361 00:53:49,920 --> 00:53:51,750 that suddenly it this 1362 00:53:53,100 --> 00:53:55,199 x86 instruction is doing more than 1363 00:53:55,200 --> 00:53:56,399 it should actually do. 1364 00:53:56,400 --> 00:53:59,009 So you can detect most of it. 1365 00:53:59,010 --> 00:54:01,619 Um, but it also depends. 1366 00:54:01,620 --> 00:54:03,869 Microcode is doing not only decoding, 1367 00:54:03,870 --> 00:54:05,309 as you've seen in the talk, but also 1368 00:54:05,310 --> 00:54:06,659 other things in the CPU. 1369 00:54:06,660 --> 00:54:08,819 So you might be able to hide 1370 00:54:08,820 --> 00:54:11,369 trojans there that 1371 00:54:11,370 --> 00:54:13,139 are not detectable that easily. 1372 00:54:15,180 --> 00:54:18,029 Microphone two Again, OK? 1373 00:54:18,030 --> 00:54:20,309 Considering that you can basically 1374 00:54:20,310 --> 00:54:22,469 implement instructions, could 1375 00:54:22,470 --> 00:54:24,629 you implement a completely different 1376 00:54:24,630 --> 00:54:25,630 instruction set? 1377 00:54:26,870 --> 00:54:27,569 Yeah. 1378 00:54:27,570 --> 00:54:28,589 You could do that. 1379 00:54:28,590 --> 00:54:30,749 And I showed you in the collected 1380 00:54:30,750 --> 00:54:32,489 work, the 1381 00:54:33,570 --> 00:54:35,729 tubas talk from the recall 1382 00:54:35,730 --> 00:54:37,979 and, uh, he's actually doing something 1383 00:54:37,980 --> 00:54:40,469 like this. So, yes, it's possible. 1384 00:54:40,470 --> 00:54:42,809 Um, we are still not 1385 00:54:42,810 --> 00:54:45,449 far enough of our knowledge to 1386 00:54:45,450 --> 00:54:47,979 do that, but he is feasible. 1387 00:54:47,980 --> 00:54:50,579 I think he has some 1388 00:54:50,580 --> 00:54:51,809 internal insights. 1389 00:54:55,340 --> 00:54:57,559 Microphone to OK 1390 00:54:57,560 --> 00:54:59,599 took us to was actually the first is, 1391 00:54:59,600 --> 00:55:02,209 have you found any ways to trigger the 1392 00:55:02,210 --> 00:55:03,799 co-processor static sex? 1393 00:55:03,800 --> 00:55:05,630 X86 has plenty of. 1394 00:55:07,280 --> 00:55:09,349 So let's say, 1395 00:55:09,350 --> 00:55:10,999 a floating point unit and another 1396 00:55:11,000 --> 00:55:12,709 extension extensions, right? 1397 00:55:12,710 --> 00:55:15,019 It didn't look into that, but 1398 00:55:15,020 --> 00:55:17,299 from the patents, we know 1399 00:55:17,300 --> 00:55:19,199 that there must be some way to do it. 1400 00:55:19,200 --> 00:55:20,369 Hmm. 1401 00:55:20,370 --> 00:55:23,209 OK. And second question this 1402 00:55:23,210 --> 00:55:25,309 after decoding the isn't there those shot 1403 00:55:25,310 --> 00:55:26,479 operations just showed. 1404 00:55:26,480 --> 00:55:28,609 Are they not going to this 1405 00:55:28,610 --> 00:55:31,309 up cache and throws make up decoding 1406 00:55:31,310 --> 00:55:33,439 and they're directly omitting those 1407 00:55:33,440 --> 00:55:34,339 instructions? 1408 00:55:34,340 --> 00:55:36,529 So are they safe in my code and cannot 1409 00:55:36,530 --> 00:55:37,639 be altered? 1410 00:55:37,640 --> 00:55:40,309 So the short decoders 1411 00:55:40,310 --> 00:55:43,279 they translate simple x86 instructions 1412 00:55:43,280 --> 00:55:44,449 and um 1413 00:55:45,590 --> 00:55:47,719 um, we we know 1414 00:55:47,720 --> 00:55:50,329 that there's also a way to 1415 00:55:50,330 --> 00:55:52,849 hook not Michael coded instructions, 1416 00:55:52,850 --> 00:55:54,619 so they are not safe. 1417 00:55:54,620 --> 00:55:56,569 We know that this mechanism exists, but 1418 00:55:56,570 --> 00:55:57,199 we didn't find it. 1419 00:55:57,200 --> 00:55:59,389 It might 1420 00:55:59,390 --> 00:56:00,390 be a fun one. 1421 00:56:01,520 --> 00:56:03,949 Hey, maybe you said it, but 1422 00:56:03,950 --> 00:56:06,049 I missed it. But did you contact 1423 00:56:06,050 --> 00:56:06,469 into did 1424 00:56:06,470 --> 00:56:08,689 you get any feedback? 1425 00:56:08,690 --> 00:56:10,759 So we did not 1426 00:56:10,760 --> 00:56:12,829 contact until we 1427 00:56:12,830 --> 00:56:14,729 contacted MDA. 1428 00:56:14,730 --> 00:56:17,299 Um, this work is 1429 00:56:17,300 --> 00:56:20,329 also published on Unix, and 1430 00:56:20,330 --> 00:56:22,549 they longer than 90 days before 1431 00:56:22,550 --> 00:56:24,709 the symptoms took assaults 1432 00:56:24,710 --> 00:56:26,869 and the findings and 1433 00:56:26,870 --> 00:56:28,369 asked for feedback. 1434 00:56:28,370 --> 00:56:30,529 They didn't communicate much with us, 1435 00:56:30,530 --> 00:56:32,659 probably because they already have an up 1436 00:56:32,660 --> 00:56:35,449 to date, um, secure, 1437 00:56:35,450 --> 00:56:36,799 more or less secure. We don't really know 1438 00:56:36,800 --> 00:56:39,619 about Tom Krypto 1439 00:56:39,620 --> 00:56:41,119 protection mechanism for making put in 1440 00:56:41,120 --> 00:56:44,419 place for the latest CPU architectures. 1441 00:56:44,420 --> 00:56:46,969 So we are probably not that interested 1442 00:56:46,970 --> 00:56:47,970 in this. Mm hmm. 1443 00:56:49,880 --> 00:56:51,169 All right, great. Let's give our speakers 1444 00:56:51,170 --> 00:56:52,699 another big round of applause. 1445 00:57:20,520 --> 00:57:21,520 The.