TY - GEN
T1 - ReInstruct
T2 - 3rd Workshop on Kernel Isolation, Safety and Verification, KISV 2025
AU - Wang, Yubo
AU - Nikolaev, Ruslan
AU - Ravindran, Binoy
N1 - Publisher Copyright:
© 2025 Copyright held by the owner/author(s).
PY - 2025/10/13
Y1 - 2025/10/13
N2 - Historically, the microcode layer has been a proprietary technology that is tightly controlled by the CPU vendors. The microcode layer enables great flexibility for translating ISA-visible instructions into internal hardware micro-operations. In x86-64, many system-level instructions are microcoded, which opens a great untapped opportunity for OS developers who want to experiment with future ISA extensions. Recent research work has identified hidden CPU instructions, which are enabled via a firmware exploit, and has also partially reverse-engineered and decrypted Intel Goldmont microcode. We go a step further and design an experimental framework for Linux that allows existing microcoded instructions to be transparently modified directly from an OS at runtime. We show how microcode alterations can be used to defeat normal root-privilege isolation in Linux almost without any trace. We also show our new approach, which relies on ISA modification via microcode patching to improve the performance of commonly used lightweight Linux system calls. Our approach effectively adjusts the CPU ISA to better serve a specific OS kernel and its applications, an idea that has previously been out of reach for commodity hardware.
AB - Historically, the microcode layer has been a proprietary technology that is tightly controlled by the CPU vendors. The microcode layer enables great flexibility for translating ISA-visible instructions into internal hardware micro-operations. In x86-64, many system-level instructions are microcoded, which opens a great untapped opportunity for OS developers who want to experiment with future ISA extensions. Recent research work has identified hidden CPU instructions, which are enabled via a firmware exploit, and has also partially reverse-engineered and decrypted Intel Goldmont microcode. We go a step further and design an experimental framework for Linux that allows existing microcoded instructions to be transparently modified directly from an OS at runtime. We show how microcode alterations can be used to defeat normal root-privilege isolation in Linux almost without any trace. We also show our new approach, which relies on ISA modification via microcode patching to improve the performance of commonly used lightweight Linux system calls. Our approach effectively adjusts the CPU ISA to better serve a specific OS kernel and its applications, an idea that has previously been out of reach for commodity hardware.
UR - https://www.scopus.com/pages/publications/105020379551
UR - https://www.scopus.com/pages/publications/105020379551#tab=citedBy
U2 - 10.1145/3765889.3767043
DO - 10.1145/3765889.3767043
M3 - Conference contribution
AN - SCOPUS:105020379551
T3 - KISV 2025 - Proceedings of the 3rd Workshop on Kernel Isolation, Safety and Verification, Part of: SOSP 2025
SP - 10
EP - 16
BT - KISV 2025 - Proceedings of the 3rd Workshop on Kernel Isolation, Safety and Verification, Part of
PB - Association for Computing Machinery, Inc
Y2 - 13 October 2025 through 16 October 2025
ER -