"It's really small…"
– Captain Obvious
"That thing that gets updates whenever Intel/AMD messes up."
pop [ebx]
can be implemented in microcode as
load  tmp, [esp]
store [ebx], tmp
add   esp, 4
"To err is human."
"8.9999163362: It's Close Enough, We Say So"
– S. Sadi Seferoglu
(But many more…)
(Note: this is for slightly older AMD CPUs)
"Come to the dark side. We have cookies."
– Darth Vader
How do we exploit this for lawful evil purposes?
div
Trojan

/* The instrumented div instruction... */
if (eax == 0xA && ebx == 0xB) {
    eip += 1;            /* skip one byte of the next instruction */
} else {
    /* normal reg32 div */
}

; Pulling the trigger...
mov eax, 0xA
mov ebx, 0xB
div ebx
add eax, 0xcc909090      ; payload (encoded 05 90 90 90 CC)

; Leading to...
mov eax, 0xA
mov ebx, 0xB
div ebx                  ; trojan fires: eip += 1 skips the 0x05 opcode of add
nop                      ; 90 \
nop                      ; 90  | the add's immediate bytes, now executed as code
nop                      ; 90  |
int3                     ; CC /

The disassembler and every non-trojaned CPU see a harmless add; only the trojaned div re-synchronises decoding one byte into the immediate.
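The trigger-and-skip mechanism from the slides, as an added example that is not part of the talk or of any real microcode: a toy C interpreter for the handful of 32-bit x86 instructions used above, whose div routine carries the hypothetical trojan condition (eax == 0xA, ebx == 0xB). The opcode bytes are the real encodings; the interpreter, the `cpu_t` struct and the `run`/`div_ebx` names are constructed for this page. It shows the same byte stream executing benignly with a clean div and hitting int3 with the trojaned one, and that the trojaned div stays dormant for non-trigger operands.

```c
/* Toy x86-32 interpreter with a trojaned div micro-op (constructed example). */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef struct {
    uint32_t eax, ebx, edx, eip;
    int trapped;   /* set when int3 executes */
    int faulted;   /* set on unknown opcode or divide by zero */
} cpu_t;

/* The "microcode" for div ebx. With trojan != 0 it carries the backdoor:
 * on the trigger values it skips one byte of the following instruction
 * instead of dividing. Otherwise it is a normal unsigned edx:eax / ebx. */
static void div_ebx(cpu_t *c, int trojan)
{
    if (trojan && c->eax == 0xA && c->ebx == 0xB) {
        c->eip += 1;
        return;
    }
    if (c->ebx == 0) { c->faulted = 1; return; }
    uint64_t dividend = ((uint64_t)c->edx << 32) | c->eax;
    c->eax = (uint32_t)(dividend / c->ebx);
    c->edx = (uint32_t)(dividend % c->ebx);
}

static uint32_t imm32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Execute code[] until int3, a fault, or the end of the buffer. */
static cpu_t run(const uint8_t *code, size_t len, int trojan)
{
    cpu_t c = {0};
    while (c.eip < len && !c.trapped && !c.faulted) {
        uint8_t op = code[c.eip];
        switch (op) {
        case 0xB8: c.eax = imm32(code + c.eip + 1); c.eip += 5; break; /* mov eax, imm32 */
        case 0xBB: c.ebx = imm32(code + c.eip + 1); c.eip += 5; break; /* mov ebx, imm32 */
        case 0xF7:                                                       /* F7 F3 = div ebx */
            if (c.eip + 1 >= len || code[c.eip + 1] != 0xF3) { c.faulted = 1; break; }
            c.eip += 2;
            div_ebx(&c, trojan);
            break;
        case 0x05: c.eax += imm32(code + c.eip + 1); c.eip += 5; break; /* add eax, imm32 */
        case 0x90: c.eip += 1; break;                                    /* nop */
        case 0xCC: c.trapped = 1; c.eip += 1; break;                     /* int3 */
        default:   c.faulted = 1; break;
        }
    }
    return c;
}

/* Constructed byte stream: mov eax,0xA; mov ebx,0xB; div ebx; add eax,0xcc909090 */
static const uint8_t trigger_code[] = {
    0xB8, 0x0A, 0x00, 0x00, 0x00,
    0xBB, 0x0B, 0x00, 0x00, 0x00,
    0xF7, 0xF3,
    0x05, 0x90, 0x90, 0x90, 0xCC,
};

/* Same stream with a non-trigger dividend (0xC): the trojan must stay dormant. */
static const uint8_t dormant_code[] = {
    0xB8, 0x0C, 0x00, 0x00, 0x00,
    0xBB, 0x0B, 0x00, 0x00, 0x00,
    0xF7, 0xF3,
    0x05, 0x90, 0x90, 0x90, 0xCC,
};

static void report(const char *label, cpu_t c)
{
    printf("%-22s eax=%08x edx=%08x eip=%u trapped=%d faulted=%d\n",
           label, c.eax, c.edx, c.eip, c.trapped, c.faulted);
}

int main(void)
{
    report("clean div, trigger:",   run(trigger_code, sizeof trigger_code, 0));
    report("trojan div, trigger:",  run(trigger_code, sizeof trigger_code, 1));
    report("trojan div, no trigger:", run(dormant_code, sizeof dormant_code, 1));
    return 0;
}
```

With the clean div the stream ends with eax = 0xcc909090 and no trap; with the trojaned div the same bytes end in int3 with eax still 0xA, because the 0x05 opcode was skipped and the immediate 90 90 90 CC ran as nop nop nop int3. The non-trigger stream runs identically on both, which is what makes a trigger like this hard to find by differential testing.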
If nation-state adversaries are not your problem, microcode Trojans are not going to be either.
– Me
Probably… Maybe… Hopefully
Two open evaluation microcoded RISC-V platforms
Short Term
"No it's not."
– Some sane person
Long Term
Questions?
(Better, check out: https://youtu.be/I6dQfnb3y0I)