ExSpectre: Hiding Malware in Speculative Execution

Recently, the Spectre and Meltdown attacks revealed serious vulnerabilities in modern CPU designs, allowing an attacker to exfiltrate data from sensitive programs. These vulnerabilities take advantage of speculative execution to coerce a processor to perform computation that would otherwise not occur, leaking the resulting information via side channels to an attacker. In this paper, we extend these ideas in a different direction, and leverage speculative execution in order to hide malware from both static and dynamic analysis. Using this technique, critical portions of a malicious program’s computation can be shielded from view, such that even a debugger following an instruction-level trace of the program cannot tell how its results were computed. We introduce ExSpectre, which compiles arbitrary malicious code into a seemingly-benign payload binary. When a separate trigger program runs on the same machine, it mistrains the CPU’s branch predictor, causing the payload program to speculatively execute its malicious payload, which communicates speculative results back to the rest of the payload program to change its real-world behavior. We study the extent and types of execution that can be performed speculatively, and demonstrate several computations that can be performed covertly. In particular, within speculative execution we are able to decrypt memory using AES-NI instructions at over 11 kbps. Building on this, we decrypt and interpret a custom virtual machine language to perform arbitrary computation and system calls in the real world. We demonstrate this with a proof-of-concept dial back shell, which takes only a few milliseconds to execute after the trigger is issued. We also show how our corresponding trigger program can be a preexisting benign application already running on the system, and demonstrate this concept with OpenSSL driven remotely by the attacker as a trigger program.
ExSpectre demonstrates a new kind of malware that evades existing reverse engineering and binary analysis techniques. Because its true functionality is contained in seemingly unreachable dead code, and its control flow driven externally by potentially any other program running at the same time, ExSpectre poses a novel threat to state-of-the-art malware analysis techniques.
