On the Design and Misuse of Microcoded (Embedded) Processors - A Cautionary Note

Today’s microprocessors often rely on microcode updates to address issues such as security or functional patches. Unfortunately, microcode update flexibility opens up new attack vectors through malicious microcode alterations. Such attacks share many features with hardware Trojans and have similar devastating consequences for system security. However, due to microcode’s opaque nature, little is known in the open literature about the capabilities and limitations of microcode Trojans. We introduce the design of a microcoded RISC-V processor architecture together with a microcode development and evaluation environment. Even though microcode typically has almost complete control of the processor hardware, the design of meaningful microcode Trojans is not straightforward. This somewhat counter-intuitive insight is due to the lack of information at the hardware level about the semantics of executed software. In three security case studies, we demonstrate how to overcome these issues and give insights on how to design meaningful microcode Trojans that undermine system security. To foster future research and applications, we publicly release our implementation and evaluation platform.
