    NetSpectre

    CustomProcessingUnit: Reverse Engineering and Customization of Intel Microcode

    Microcode provides an abstraction layer over the instruction set to decompose complex instructions into simpler micro-operations that can be more easily implemented in hardware. It is an essential optimization to simplify the design of x86 processors. However, introducing an additional layer of software beneath the instruction set poses security and reliability concerns. The microcode details are confidential to the manufacturers, preventing independent auditing or customization of the microcode. Moreover, microcode patches are signed and encrypted to prevent unauthorized patching and reverse engineering. However, recent research has recovered decrypted microcode and reverse-engineered read/write debug mechanisms on Intel Goldmont (Atom), making analysis and customization of microcode possible on a modern Intel microarchitecture. In this work, we present the first framework for static and dynamic analysis of Intel microcode. Building upon prior research, we reverse-engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. For static analysis, we implement a Ghidra processor module for decompilation and analysis of decrypted microcode. For dynamic analysis, we create a UEFI application that can trace and patch microcode to provide complete microcode control on Goldmont systems. Leveraging our framework, we reverse-engineer the confidential Intel microcode update algorithm and perform the first security analysis of its design and implementation. In three further case studies, we illustrate the potential security and performance benefits of microcode customization. We provide the first x86 Pointer Authentication Code (PAC) microcode implementation and its security evaluation, design and implement fast software breakpoints that are more than 1000x faster than standard breakpoints, and present constant-time microcode division, illustrating the potential security and performance benefits of microcode customization.

    Practical Timing Side-Channel Attacks on Memory Compression

    Compression algorithms have side channels due to their data-dependent operations. So far only the compression-ratio side channel was exploited, i.e., the compressed data size. In this paper, we present Decomp+Time, the first memory compression attack exploiting a timing side channel in compression algorithms. While Decomp+Time affects a much broader set of applications than prior work, a key challenge is precisely crafting attacker-controlled compression payloads to enable the attack with sufficient resolution. We develop an evolutionary fuzzer, Comprezzor, to find effective Decomp+Time payloads that optimize latency differences, and find payloads that are so effective that decompression timing can even be exploited in remote Decomp+Time attacks across the Internet. Decomp+Time has a capacity of 9.73 kB/s locally, and 10.72 bit/min across the Internet (14 hops, > 700 miles). Using Comprezzor, we develop attacks that leak data byte-by-byte in four different case studies: First, we leak 1.50 bit/min from Memcached on a remote server running a PHP application. Second, we leak database records with 2.69 bit/min from PostgreSQL, managed by a Python-Flask application, over the Internet. Third, we leak secrets with 49.14 bit/min locally from ZRAM-compressed pages on Linux. Fourth, we leak internal heap pointers from the V8 engine within the Google Chrome browser on a system using ZRAM. This highlights the importance of re-evaluating the use of compression on sensitive data even if the application is only reachable via a remote interface.

    Cardiac power output accurately reflects external cardiac work over a wide range of inotropic states in pigs

    BACKGROUND: Cardiac power output (CPO), derived from the product of cardiac output and mean aortic pressure, is an important yet underexploited parameter for hemodynamic monitoring of critically ill patients in the intensive-care unit (ICU). The conductance catheter-derived pressure-volume loop area reflects left ventricular stroke work (LV SW). Dividing LV SW by time, a measure of LV SW min⁻¹ is obtained sharing the same unit as CPO (W). We aimed to validate CPO as a marker of LV SW min⁻¹ under various inotropic states. METHODS: We retrospectively analysed data obtained from experimental studies of the hemodynamic impact of mild hypothermia and hyperthermia on acute heart failure. Fifty-nine anaesthetized and mechanically ventilated closed-chest Landrace pigs (68 ± 1 kg) were instrumented with Swan-Ganz and LV pressure-volume catheters. Data were obtained at body temperatures of 33.0 °C, 38.0 °C and 40.5 °C; before and after: resuscitation, myocardial infarction, endotoxemia, sevoflurane-induced myocardial depression and beta-adrenergic stimulation. We plotted LV SW min⁻¹ against CPO by linear regression analysis, as well as against the following classical indices of LV function and work: LV ejection fraction (LV EF), rate-pressure product (RPP), triple product (TP), LV maximum pressure (LVPmax) and maximal rate of rise of LVP (LV dP/dtmax). RESULTS: CPO showed the best correlation with LV SW min⁻¹ (r² = 0.89; p < 0.05) while LV EF did not correlate at all (r² = 0.01; p = 0.259). Further parameters correlated moderately with LV SW min⁻¹ (LVPmax r² = 0.47, RPP r² = 0.67; and TP r² = 0.54). LV dP/dtmax correlated worst with LV SW min⁻¹ (r² = 0.28). CONCLUSION: CPO reflects external cardiac work over a wide range of inotropic states. These data further support the use of CPO to monitor inotropic interventions in the ICU.

    Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels

    Differential Power Analysis (DPA) measures single-bit differences between data values used in computer systems by statistical analysis of power traces. In this paper, we show that the mere co-location of data values, e.g., attacker and victim data in the same buffers and caches, leads to power leakage in modern CPUs that depends on a combination of both values, resulting in a novel attack, Collide+Power. We systematically analyze the power leakage of the CPU's memory hierarchy to derive precise leakage models enabling practical end-to-end attacks. These attacks can be conducted in software with any signal related to power consumption, e.g., power consumption interfaces or throttling-induced timing variations. Leakage due to throttling requires 133.3 times more samples than direct power measurements. We develop a novel differential measurement technique amplifying the exploitable leakage by a factor of 8.778 on average, compared to a straightforward DPA approach. We demonstrate that Collide+Power leaks single-bit differences from the CPU's memory hierarchy with fewer than 23000 measurements. Collide+Power varies attacker-controlled data in our end-to-end DPA attacks. We present a Meltdown-style attack, leaking from attacker-chosen memory locations, and a faster MDS-style attack, which leaks 4.82 bit/h. Collide+Power is a generic attack applicable to any modern CPU, arbitrary memory locations, and victim applications and data. However, the Meltdown-style attack is not yet practical, as it is limited by the state of the art of prefetching victim data into the cache, leading to an unrealistic real-world attack runtime with throttling of more than a year for a single bit. Given the different variants and potentially more practical prefetching methods, we consider Collide+Power a relevant threat that is challenging to mitigate.

    First passage and first hitting times of Lévy flights and Lévy walks

    For both Lévy flight and Lévy walk search processes we analyse the full distribution of first-passage and first-hitting (or first-arrival) times. These are, respectively, the times when the particle moves across a point at some given distance from its initial position for the first time, or when it lands at a given point for the first time. For Lévy motions, with their propensity for long relocation events and thus the possibility to jump across a given point in space without actually hitting it ('leapovers'), these two definitions lead to significantly different results. We study the first-passage and first-hitting time distributions as functions of the Lévy stable index, highlighting the different behaviour for the cases when the first absolute moment of the jump length distribution is finite or infinite. In particular we examine the limits of short and long times. Our results will find their application in the mathematical modelling of random search processes as well as computer algorithms.

    Specfuscator: Evaluating Branch Removal as a Spectre Mitigation

    Attacks exploiting speculative execution, known as Spectre attacks, have gained substantial attention in the scientific community and in industry, with a broad range of defense techniques proposed. In particular, in-software defenses for commodity systems attempt to leave the program structure as is, but defuse every potential Spectre gadget by, e.g., stopping the speculation or limiting value ranges. While these mitigations disrupt the program flow on every conditional branch, they still contain every single conditional branch instruction. In this paper, we show that one dimension of Spectre mitigations has been overlooked entirely. We explore a novel principled Spectre mitigation that sits at the other end of the scale: the absence of conditional and indirect branches. Our mitigation is based on automatically linearizing the program flow through a special compiler pass, eliminating all conditional and indirect branches. We show that our Spectre mitigation has very clear security guarantees. We explore the feasibility of this unorthodox approach and evaluate its performance in comparison to the more conservative approaches presented so far. We observe that the performance overhead can be low, e.g., 5 %, for certain use cases, being on par with state-of-the-art mitigations, but very high for other use cases, e.g., an overhead factor of 1000. Our results demonstrate the feasibility of Spectre defenses that eliminate branches and indicate that good performance-security trade-offs for Spectre defenses can be achieved by sticking to neither of the extremes.

    Rapid Prototyping for Microarchitectural Attacks

    In recent years, microarchitectural attacks have been demonstrated to be a powerful attack class. However, as our empirical analysis shows, there are numerous implementation challenges that hinder discovery and subsequent mitigation of these vulnerabilities. In this paper, we examine the attack development process, the features and usability of existing tools, and the real-world challenges faced by practitioners. We propose a novel approach to microarchitectural attack development, based on rapid prototyping, and present two open-source software frameworks, libtea and SCFirefox, that improve upon state-of-the-art tooling to facilitate rapid prototyping of attacks. libtea demonstrates that native code attacks can be abstracted sufficiently to permit cross-platform implementations while retaining fine-grained control of microarchitectural behavior. We evaluate its effectiveness by developing proof-of-concept Foreshadow and LVI attacks. Our LVI prototype runs on x86-64 and ARMv8-A, and is the first public demonstration of LVI on ARM. SCFirefox is the first tool for browser-based microarchitectural attack development, providing the functionality of libtea in JavaScript. This functionality can then be used to iteratively port a prototype to unmodified browsers. We demonstrate this process by prototyping the first browser-based ZombieLoad attack and deriving a vanilla JavaScript and WebAssembly PoC running in an unmodified recent version of Firefox. We discuss how libtea and SCFirefox contribute to the security landscape by providing attack researchers and defenders with frameworks to prototype attacks and assess their feasibility.