This Week In Security: ClamAV, The AMD Leak, And The Unencrypted Power Grid

January 24, 2025 by Jonathan Bennett 10 Comments

Cisco’s ClamAV has a heap-based buffer overflow in its OLE2 file scanning. That’s a big deal, because ClamAV is used to scan file attachments on incoming emails. All it takes to trigger the vulnerability is to send a malicious file through an email system that uses ClamAV.

The exact vulnerability is a string termination check that can fail to trigger, leading to a buffer over-read. That’s a lot better than a buffer overflow while writing to memory. That detail is why this vulnerability is strictly a Denial of Service problem. The memory read results in process termination, presumably a segfault for reading protected memory. There are Proof of Concepts (PoCs) available, but so far no reports of the vulnerability being used in the wild.
Continue reading “This Week In Security: ClamAV, The AMD Leak, And The Unencrypted Power Grid” →

Custom Microcode Compiler, Made In Google Sheets

July 7, 2024 by Donald Papp 12 Comments

When homebrewing a CPU, one has to deal with microcode. Microcode is the low-level nuts and bolts of how, precisely, a CPU executes instructions (like opcodes) and performs functions such as updating the cycle counter or handling interrupt requests. To make this task easier, [Bob Alexander] created a microcode compiler built in Google Sheets to help with his own homebrew work, but it’s flexible and configurable enough to be useful to others, as well.

A CPU’s microcode usually lives in read-only memory, and writing the microcode is only one step in the journey. [Bob]’s tool compiles his microcode into files that can be burned into memory (multiple EEPROM chips, in [Bob]’s case) or used as a Verilog program in the case of implementing the CPU in an FPGA. It’s configurable enough to be adapted for other homebrew CPU projects, though one would of course have to re-write the microcode portion.

A read-only version of the spreadsheet makes for some fun browsing, and if it piques your interest enough to get a copy of your own complete with the compiler script, you can do that here. It uses Google Sheets, and writes the output files into one’s Google Drive.

This kind of low-level project really highlights the finer points of just how the hard work of digital computing gets done. A good example is the Gigatron which implemented a RISC CPU using only microcode, memory, and logic gates in the late 70s. We’ve even seen custom microcode used to aid complex debugging.

NEC V20 - Konstantin Lanzet, CC BY-SA 3.0 via Wikimedia Commons

Intel V. NEC : The Case Of The V20’s Microcode

November 7, 2023 by Maya Posch 18 Comments

Back in the last century, Intel saw itself faced with a need to have ‘second source’ suppliers of its 8088 and 8086 processors, which saw NEC being roped in to be one of those alternative suppliers to keep Intel’s customers happy with the μPD 8086 and μPD 8088 offerings. Yet rather than using the Intel provided design files, NEC reverse-engineered the Intel CPUs, which led to Intel suing NEC over copying the microcode that forms an integral part of the x86 architecture. In a recent The Chip Letter entry by [Babbage] this case is covered in detail.

Although this lawsuit was cleared up, and NEC licensed the microcode from Intel, this didn’t stop NEC from creating their 8086 and 8088 compatible CPUs in the form of the V30 and V20 respectively. Although these were pin- and ISA-compatible, the internal microcode was distinct from the Intel microcode due to the different internal microarchitecture. In addition the V20 and V30 also had a special 8080 mode, that provided partial compatibility with Z80 software.

Long story short, Intel sued NEC with accusations of copyright infringement of the microcode, which led to years of legal battle, which both set many precedents about what is copyrightable about microcode, and ultimately cleared NEC to keep selling the V20 and V30. Unfortunately by then the 1990s had already arrived, and sales of the NEC chips had not been brisk due to the legal issues while Intel’s new 80386 CPU had taken the market by storm. This left NEC’s x86-compatible CPUs legacy mostly in the form of legal precedents, instead of the technological achievements it had hoped for, and set the tone for the computer market of the 1990s.

Thanks to [Stephen Walters] for the tip.

8086 Multiply Algorithm Gets Reverse Engineered

March 16, 2023 by Lewin Day 10 Comments

The 8086 has been around since 1978, so it’s pretty well understood. As the namesake of the prevalent x86 architecture, it’s often studied by those looking to learn more about microprocessors in general. To this end, [Ken Shirriff] set about reverse engineering the 8086’s multiplication algorithm.

[Ken]’s efforts were achieved by using die photos of the 8086 chip. Taken under a microscope, they can be used to map out the various functional blocks of the microprocessor. The multiplication algorithm can be nutted out by looking at the arithmetic/logic unit, or ALU. However, it’s also important to understand the role that microcode plays, too. Even as far back as 1978, designers were using microcode to simplify the control logic used in microprocessors.

[Ken] breaks down his investigation into manageable chunks, exploring how the chip achieves both 8-bit and 16-bit multiplication in detail. He covers how the numbers make their way through various instructions and registers to come out with the right result in the end.

It’s a fun look at what’s going on at the ground level in a chip that’s been around since before the personal computer revolution. For any budding chip designers, it’s a great academic exercise to follow along at home. If you’ve been doing your own digging deep into CPU architectures, don’t hesitate to drop us a line!

Down The Intel Microcode Rabbit Hole

July 19, 2022 by Al Williams 13 Comments

The aptly-named [chip-red-pill] team is offering you a chance to go down the Intel rabbit hole. If you learned how to build CPUs back in the 1970s, you would learn that your instruction decoder would, for example, note a register to register move and then light up one register to write to a common bus and another register to read from the common bus. These days, it isn’t that simple. In addition to compiling to an underlying instruction set, processors rarely encode instructions in hardware anymore. Instead, each instruction has microcode that causes the right things to happen at the right time. But Intel encrypts their microcode. Of course, what can be encrypted can also be decrypted.

Using vulnerabilities, you can activate an undocumented debugging mode called red unlock. This allows a microcode dump and the decryption keys are inside. The team did a paper for OffensiveCon22 on this technique and you can see a video about it, below.

Continue reading “Down The Intel Microcode Rabbit Hole” →

Customisable Micro-Coded Controller Helps With In-Circuit Debugging

December 30, 2021 by Dave Rowntree No comments

Over on Hackaday.io, [Zoltan Pekic] has been busy building a stack of tools for assisting with verifying and debugging retro computing applications. He presents his take on using Intel hex files for customised in-circuit testing, which is based upon simple microcoded sequencers, which are generated automatically from a high level description.

The idea is that it is very useful to be able to use an FPGA development board to emulate the memory bus component of the CPU, allowing direct memory access for design validation purposes. This approach will also allow the production of a test rig to perform board level verification. The microcode compiler (MCC) generates all the VHDL, and support files needed to target a Xilinx FPGA based dev board, but is generic enough to enable targeting other platforms with a little adaptation.

Another interesting use case enables in-circuit tracing of buggy memory accesses, with the microcode sequencer decoding the accesses and dumping the relevant information out to either a serial port, or even direct to an embedded VGA controller, hardware allowing.

This automated approach to generating customisable microcoded hardware is a very nice trick to have in your bag, and even if it only helps in certain circumstances, [Zoltan] notes that it at least serves as an interesting example of the architecture of computers from history, if not much else.

Source for the example 8085 project can be found on the project GitHub, and the toolchain source can found here also.

For an interesting practical use of microding to implement emulations of historical hardware, checkout this neat switchable reproduction calculator project.

Undocumented X86 Instructions Allow Microcode Access

March 26, 2021 by Al Williams 19 Comments

For an old CPU, finding all the valid instructions wasn’t very hard. You simply tried them all. Sure, really old CPUs might make it hard to tell what the instruction did, but once CPUs got illegal instruction traps, you could quickly just scan possible op codes and see what didn’t throw an exception. Modern processors, though, are quite another thing. For example, you might run a random instruction that locks up the machine or miss an instruction that would have been valid but the CPU is in the wrong mode. [Can Bölük] has a novel solution: By speculatively executing the target instruction and then monitoring the microcode sequencer, he can determine if the CPU is decoding an instruction even if it refuses to execute it.

Some unknown instructions may have power for good or evil, such as the recently announced undocumented instructions that can apparently rewrite the microcode. We expect to see a post soon on how to reprogram your Intel processor to run as a 6502 natively.

Continue reading “Undocumented X86 Instructions Allow Microcode Access” →