BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Backdoor in the Core - Altering the Intel x86 Instru
 ction Set\n   at Runtime\n   When: Friday\, Aug 11\, 12:30 - 13:15 PDT\n  
  Where: Caesars Forum - Forum - 130-134 - Track 3 - [1]Map\n   Speakers:Al
 exander Dalsgaard Krog\,Alexander Skovsende\n\n   SpeakerBio:Alexander Dal
 sgaard Krog \, Vulnerability Researcher at\n   Vectorize\n   Alexander Dal
 sgaard Krog is a Vulnerability Researcher at Vectorize\n   with a focus on
  the low level\, close to the hardware\, and this talk\n   will be no exce
 ption. He has a passion for binary exploitation and\n   together with his 
 prior team at Lyrebirds discovered the critical bug\n   Cable Haunt\, affe
 cting millions of devices with a vulnerability\n   allowing remote code ex
 ecution. Both he and his co-speaker Alexander\n   Skovsende are also heav
 ily invested in CTF and have played a big role\n   in putting the Danish t
 eam Kalmarunionen on top of the scoreboard in\n   many CTFs.\n   Twitter: 
 [2]@alexanderkrog\n\n   SpeakerBio:Alexander Skovsende \, Grad Student at 
 Technical University\n   of Denmark\n   No BIO available\n\n   Description
 :\n   In this work\, we present the novel results of our research on Intel
 \n   CPU microcode. Building upon prior research on Intel Goldmont CPUs\, 
 we\n   have reverse-engineered the implementations of complex x86\n   inst
 ructions\, leading to the discovery of hidden microcode which\n   serves t
 o prevent the persistence of any changes made. Using this\n   knowledge\, 
 we were able to patch those discovered sections\, allowing\n   us to make 
 persistent microcode changes from userspace on Linux. We\n   have develope
 d and improved microcode tracing tools\, giving us deeper\n   insight into
  Intel Atom microcode than was previously possible\, by\n   allowing more 
 dynamic analysis of the ROM.\n\n   Along with this presentation\, we provi
 de a C library for making\n   microcode changes and documentation on the r
 everse-engineered\n   microcode.\n\n   We show that vendor updates to the 
 microcode\, which cannot be verified\n   by the user\, impose a security r
 isk by demonstrating how a Linux\n   system can be compromised through a b
 ackdoor within a CPU core's\n   microcode.\n\n   REFERENCES:\n   Intel TXE
  POC:\n   [3]https://github.com/chip-red-pill/IntelTXE-PoC Exploit used to
  gain\n   Red Unlock.\n\n   uCodeDisasm\n         [4]https://github.com/chi
 p-red-pill/uCodeDisasm First research\n         (to the best of our knowle
 dge) allowing for dumping microcode\n         ROM as well as a publicly av
 ailable disassembler for Intel's\n         microcode.\n\n   Undocumented x
 86 instructions to control the CPU at the\n   micro-architecture level in 
 modern Intel processors: [5]https://github.com/chip-red-pill/udbgInstr\n  
  [6]https://github.com/chip-red-pill/udbgInstr/blob/main/paper/undocumente
 d_x86_insts_for_uarch_control.pdf\n   From the research above\, two undocu
 mented instructions intended for\n   debug purpose at Intel were found. Th
 is laid the groundwork for us to\n   experiment and test the behavior of 
 microcode operations.\n\n   Custom Processing Unit:\n   [7]https://github.
 com/pietroborrello/CustomProcessingUnit Custom\n   Processing Unit is the 
 first dynamic analysis framework able to hook\,\n   patch and trace microc
 ode from a UEFI application\n\n   '\n\n   1. #CaesarsForumBR\n   2. https:
 //twitter.com/alexanderkrog\n   3. https://github.com/chip-red-pill/IntelT
 XE-PoC\n   4. https://github.com/chip-red-pill/uCodeDisasm\n   5. https://
 github.com/chip-red-pill/udbgInstr\n   6. https://github.com/chip-red-pill
 /udbgInstr/blob/main/paper/undocumented_x86_insts_for_uarch_control.pdf\n 
   7. https://github.com/pietroborrello/CustomProcessingUnit\n\n\n
DTEND:20230811T201500Z
DTSTART:20230811T193000Z
LOCATION:DC - Caesars Forum - Forum - 130-134 - Track 3
SUMMARY:Backdoor in the Core - Altering the Intel x86 Instruction Set at Ru
 ntime
END:VEVENT
END:VCALENDAR
