How Low Can You Go? Microcode Update

 < Day Day Up > 

Modern processors from Intel and AMD[7] include a feature known as a microcode update. It allows special code to be uploaded to the processor that can alter the way the hardware works. That is, the processor chip can be internally modified. How it actually works under the hood remains somewhat of a mystery. When we were writing this book, the public documentation was sparse.

[7] AMD's U.S. Patent No. 6438664.

Microcode update wasn't designed for hacking; it is intended to allow bug fixes to be applied to the processor. If something is wrong with the processor, a microcode update can fix it. This prevents the need to recall computers (a very expensive process). Internally, the microcode allows new "micro-opcodes" to be added or altered. This can alter the way existing instructions are executed, or disable features on the chip.

In theory, if a hacker were to supply or replace microcode in the processor, she could add subversive instructions. It seems that the biggest hurdle is understanding the microcode update mechanism itself. If it is understood, it might be possible to craft additional back-door op-codes. An obvious example would be an instruction that can bypass the restriction between Ring Zero and Ring Three. A GORINGZERO instruction, for example, could put the chip into supervisor mode without a security check.

The microcode update is stored as a data block and must be uploaded to the processor every time it is booted. The update takes place using special control registers on the chip. Typically, the microcode update block would be stored in the system BIOS (a flash chip) and applied by the system BIOS upon startup. If used by a hacker, the microcode could be altered in the startup BIOS, or it could be applied "on the fly." No reboot is required the new microcode is utilized immediately.

Intel processors protect their microcode update blocks with strong encryption. In order to correctly modify the update block, the crypto would need to be broken. AMD chips do not use encryption, so they are easier to work with. For Linux there exists an update driver that can upload new microcode to the AMD or Intel processor. To find it, search for "AMD K8 microcode update driver" or "IA32 microcode driver" on the Internet.

Although many people are currently "playing around" with microcode updates in efforts to reverse engineer them, it should be noted that modifications made to the microcode update blocks could, in theory, damage the microchip.[8]

[8] If the processor includes FPGA-like gates that can be reconfigured, it might be possible to alter the physical configuration of gates in a way that permanently damages the hardware.

     < Day Day Up > 

    Rootkits(c) Subverting the Windows Kernel
    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    EAN: 2147483647
    Year: 2006
    Pages: 111

    Similar book on Amazon © 2008-2017.
    If you may any questions please contact us: