Maxim Goryachy, Dmitry Sklyarov and Mark Ermolov

Chip Red Pill: How we Achieved the Arbitrary [micro]Code Execution inside Intel Atom CPUs

Abstract

All modern Intel CPUs have a RISC core inside the chip. The core implements an abstraction layer that interprets the user-visible instruction set into invisible, hardware-internal RISC instructions. The RISC core has maximum privileges when accessing data. The microcode program is built into the chip, but the OS and UEFI may apply patches to it in the form of microcode updates. Unfortunately, these updates are encrypted, and there is little public information on how they work. As a result, there is no public research on the internal structure of Intel CPU microcode. We have found a way to gain access to it on a publicly available platform. In our talk, we will describe the structure of microcode for the Intel Atom platform, how our proof of concept works, and how a user-visible x86 instruction can be hijacked. We will describe the approach we used to reverse engineer the microcode format and the internal microarchitecture of Intel Atom.

For the first time, we will detail the structure of Intel microcode and how to get access to it on publicly available platforms. We will describe the approach we used to reverse engineer the microcode format and the internal structure of Intel Atom CPUs. We will talk about the internal structure of the Atom processor family, which will allow a better understanding of how modern Intel CPUs work. We will vividly show how, even without access to restricted documents, it is possible to "follow the breadcrumbs" to reconstruct the workings of hardware technologies. For the first time, we will demonstrate a number of interesting facts about how microcode works.

BIO

Maxim Goryachy is a system and embedded programmer and security researcher. He is interested in cryptography, virtualization technologies, reverse engineering, and hardware. He has given talks at many conferences, such as Black Hat, Confidence, Hack In The Box and Chaos Communication Congress.

Dmitry Sklyarov is Head of Reverse Engineering at Positive Technologies. He is a former security researcher at Elcomsoft and a lecturer at Moscow State Technical University. He has researched the security of eBooks, the authentication of digital photos, and smartphone forensics. His work has been presented at many conferences, including Black Hat EU/UAE, Confidence, and Troopers.

Mark Ermolov is a system programmer who is interested in the security aspects of hardware, firmware, and low-level system software (bare-metal hypervisors, OS kernels, device drivers). He has given talks at the Russian security conferences PHDays IV and ZeroNights, and at 33c3 and HITB2017AMS. One of his previous research projects concerned the internal structure of Microsoft PatchGuard and ways to compromise it. He is now researching various hardware components of Intel platforms: PCH, IOSF, iGPU, and the corresponding firmware.