Reverse-engineered 80386 microcode reveals 40-year-old IO permission flaw
A team of hardware researchers has fully disassembled the microcode ROM of Intel’s 80386, a 94,720-bit black box that had resisted analysis for decades. Working from high-resolution die images supplied by Ken Shirriff, contributors including Daniel Balsom and Smartest Blob combined image processing, neural networks, and manual analysis to extract a clean binary, then pieced together the μ-op structure by cross-referencing instruction behavior, tracing on-die logic, and decoding the chip’s PLAs. The result maps all 215 microcode entry points and confirms that, unlike modern CPUs, the 386 is always executing microcode — every instruction routes through the ROM.
The project also surfaces what appears to be a long-undiscovered hardware bug. On a 4-byte IO port access, the microcode consults the IO permission bitmap for only the first three of the four byte addresses involved. A user-mode process granted access to a port range could therefore issue a 4-byte read or write whose fourth byte falls just past the end of that range, spilling one byte into a hardware register the OS intended to keep restricted. The author has not verified the behavior on physical silicon, and it may vary by stepping, but if confirmed it would be a privilege-escalation primitive that has sat unnoticed in ubiquitous hardware for over forty years.
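As an added illustration (not code from the article or from the researchers' project), the following Python models the IO permission bitmap check as the summary describes it and audits a constructed bitmap for dword accesses that would pass a three-byte check but fail a correct four-byte one. The three-byte behaviour is taken from the article's description, which it notes is unverified on silicon; the bitmap layout (one bit per port, set bit denies) is the standard x86 TSS layout.

```python
# Added example, not the article's or the project's code: a model of the 386
# IOPB check as described above. In the x86 TSS bitmap a set bit denies that
# byte port; a correct N-byte access must consult all N consecutive bits.
IOPB_PORTS = 0x10000          # one bit per port address 0x0000..0xFFFF

def iopb_from_permitted(permitted_ranges):
    """Bitmap with every port denied except the inclusive ranges given."""
    bits = bytearray(b"\xff" * (IOPB_PORTS // 8))
    for lo, hi in permitted_ranges:
        for port in range(lo, hi + 1):
            bits[port >> 3] &= 0xFF ^ (1 << (port & 7))   # clear = permit
    return bits

def port_denied(iopb, port):
    """Ports beyond the end of the bitmap are denied, as on x86."""
    if port >= IOPB_PORTS:
        return True
    return bool((iopb[port >> 3] >> (port & 7)) & 1)

def correct_check(iopb, port, width):
    """Reference behaviour: every byte address of the access is checked."""
    return not any(port_denied(iopb, port + i) for i in range(width))

def flawed_386_check(iopb, port, width):
    """Model of the flaw as described: a 4-byte access checks only the
    first three byte addresses, so the fourth byte is never consulted."""
    checked = 3 if width == 4 else width
    return not any(port_denied(iopb, port + i) for i in range(checked))

def exposed_dword_ports(iopb):
    """Audit helper: ports where a dword access passes the flawed check but
    not the correct one, i.e. its fourth byte lands on a denied port."""
    return [p for p in range(IOPB_PORTS - 3)
            if flawed_386_check(iopb, p, 4) and not correct_check(iopb, p, 4)]

if __name__ == "__main__":
    # Constructed sample: a task granted only COM1's eight ports, 0x3F8..0x3FF.
    iopb = iopb_from_permitted([(0x3F8, 0x3FF)])
    print("exposed dword ports:", [hex(p) for p in exposed_dword_ports(iopb)])
```

For the sample grant only a dword access at 0x3FD is exposed: its checked bytes 0x3FD..0x3FF are permitted while the unchecked fourth byte, 0x400, is not; a dword at 0x3FE is blocked by both checks because 0x400 falls within the three bytes examined.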
Beyond the security finding, the disassembly is a useful artifact for computer-history work: it shows how Intel achieved per-cycle speedups over the 8086 largely by offloading work from microcode into dedicated hardware blocks (multiply/divide units, the barrel shifter, the protection test unit), with much of the remaining microcode acting as glue that configures those accelerators rather than implementing algorithms directly.
Continue reading at Hacker News.
This is an AI-generated summary. Read the original for the full story.