Computing with time: microarchitectural weird machines

Side-channel attacks such as Spectre rely on properties of modern CPUs that permit discovery of microarchitectural state via timing of various operations. The Weird Machine concept is an increasingly popular model for characterization of emergent execution that arises from side-effects of conventional computing constructs. In this work we introduce Microarchitectural Weird Machines (µWM): code constructions that allow performing computation through the means of side effects and conflicts between microarchitectual entities such as branch predictors and caches. The results of such computations are observed as timing variations. We demonstrate how µWMs can be used as a powerful obfuscation engine where computation operates based on events unobservable to conventional anti-obfuscation tools based on emulation, debugging, static and dynamic analysis techniques. We demonstrate that µWMs can be used to reliably perform arbitrary computation by implementing a SHA-1 hash function. We then present a practical example in which we use a µWM to obfuscate malware code such that its passive operation is invisible to an observer with full power to view the architectural state of the system until the code receives a trigger. When the trigger is received the malware decrypts and executes its payload. To show the effectiveness of obfuscation we demonstrate its use in the concealment and subsequent execution of a payload that exfiltrates a shadow password file, and a payload that creates a reverse shell.

[1]  Yu Guo,et al.  An open framework for foundational proof-carrying code , 2007, TLDI '07.

[2]  Stefan Katzenbeisser,et al.  Protecting Software through Obfuscation , 2016, ACM Comput. Surv..

[3]  Sahin Albayrak,et al.  Static Analysis of Executables for Collaborative Malware Detection on Android , 2009, 2009 IEEE International Conference on Communications.

[4]  Andrew W. Appel,et al.  Machine Instruction Syntax and Semantics in Higher Order Logic , 2000, CADE.

[5]  Christopher Krügel,et al.  TriggerScope: Towards Detecting Logic Bombs in Android Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[6]  Neha Narula,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, IEEE Symposium on Security and Privacy.

[7]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[8]  Daniel Gruss,et al.  ZombieLoad: Cross-Privilege-Boundary Data Sampling , 2019, CCS.

[9]  Engin Kirda,et al.  Speculator: a tool to analyze speculative execution attacks and mitigations , 2019, ACSAC.

[10]  Min Gyung Kang,et al.  Emulating emulation-resistant malware , 2009, VMSec '09.

[11]  Sanjay Kumar Jena,et al.  A code obfuscation technique to prevent reverse engineering , 2017, 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET).

[12]  Prabhat Mishra,et al.  Pre-silicon security verification and validation: A formal perspective , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[13]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[14]  Ruby B. Lee,et al.  CloudRadar: A Real-Time Side-Channel Attack Detection System in Clouds , 2016, RAID.

[15]  Guanhua Wang,et al.  oo7: Low-overhead Defense against Spectre Attacks via Program Analysis , 2018 .

[16]  Iliano Cervesato,et al.  On the Detection of Kernel-Level Rootkits Using Hardware Performance Counters , 2017, AsiaCCS.

[17]  Dogan Ulus,et al.  First-order temporal logic monitoring with BDDs , 2017, Formal Methods in System Design.

[18]  Nael B. Abu-Ghazaleh,et al.  BranchScope: A New Side-Channel Attack on Directional Branch Predictor , 2018, ASPLOS.

[19]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[20]  Marco Guarnieri,et al.  Spectector: Principled Detection of Speculative Information Flows , 2018, 2020 IEEE Symposium on Security and Privacy (SP).

[21]  Sergey Bratus,et al.  Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code , 2011, WOOT.

[22]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[23]  Yuval Elovici,et al.  “Andromaly”: a behavioral malware detection framework for android devices , 2012, Journal of Intelligent Information Systems.

[24]  Christopher Domas Breaking the x86 ISA , 2017 .

[25]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[26]  Thomas Dullien,et al.  Weird Machines, Exploitability, and Provable Unexploitability , 2020, IEEE Transactions on Emerging Topics in Computing.

[27]  Toon Verwaest,et al.  Spectre is here to stay: An analysis of side-channels and speculative execution , 2019, ArXiv.

[28]  Inria Paris-Rocquencourt,et al.  The CompCert C verified compiler , 2015 .

[29]  Jakub Szefer,et al.  Leaking Information Through Cache LRU States , 2019, 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[30]  Herbert Bos,et al.  RIDL: Rogue In-Flight Data Load , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[31]  Roberto Baldoni,et al.  A Survey of Symbolic Execution Techniques , 2016, ACM Comput. Surv..

[32]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[33]  Jean-Christophe Filliâtre,et al.  Formal Verification of Floating-Point Programs , 2007, 18th IEEE Symposium on Computer Arithmetic (ARITH '07).

[34]  Stefanos Kaxiras,et al.  Efficient Invisible Speculative Execution through Selective Delay and Value Prediction , 2019, 2019 ACM/IEEE 46th Annual International Symposium on Computer Architecture (ISCA).

[35]  Simin Nadjm-Tehrani,et al.  Crowdroid: behavior-based malware detection system for Android , 2011, SPSM '11.

[36]  Xuxian Jiang,et al.  Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction , 2007, CCS '07.

[37]  Nael B. Abu-Ghazaleh,et al.  SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation , 2018, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[38]  Mingwei Zhang,et al.  Control Flow Integrity for COTS Binaries , 2013, USENIX Security Symposium.

[39]  Sergey Bratus,et al.  The Page-Fault Weird Machine: Lessons in Instruction-less Computation , 2013, WOOT.

[40]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[41]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[42]  Somesh Jha,et al.  Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[43]  Bülent Yener,et al.  A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web , 2017, ROOTS.

[44]  Eric Wustrow,et al.  ExSpectre: Hiding Malware in Speculative Execution , 2019, NDSS.

[45]  Nael B. Abu-Ghazaleh,et al.  PerSpectron: Detecting Invariant Footprints of Microarchitectural Attacks with Perceptron , 2020, 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[46]  Tulika Mitra,et al.  oo7: Low-overhead Defense against Spectre Attacks via Binary Analysis , 2018, ArXiv.

[47]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[48]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[49]  Manish Mahajan,et al.  Proof carrying code , 2015 .

[50]  Bryan Ford,et al.  Vx32: Lightweight User-level Sandboxing on the x86 , 2008, USENIX Annual Technical Conference.

[51]  Andrew W. Appel,et al.  Foundational proof-carrying code , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[52]  Alessandro Orso,et al.  Dytan: a generic dynamic taint analysis framework , 2007, ISSTA '07.

[53]  Jan Olaf Blech,et al.  Verification of PLC Properties Based on Formal Semantics in Coq , 2011, SEFM.

[54]  Jakub Szefer,et al.  Survey of Microarchitectural Side and Covert Channels, Attacks, and Defenses , 2018, Journal of Hardware and Systems Security.

[55]  Jonathon T. Giffin,et al.  Impeding Malware Analysis Using Conditional Code Obfuscation , 2008, NDSS.

[56]  Nael B. Abu-Ghazaleh,et al.  Jump over ASLR: Attacking branch predictors to bypass ASLR , 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[57]  Edmund M. Clarke,et al.  Symbolic Model Checking: 10^20 States and Beyond , 1990, Inf. Comput..

[58]  Angelos D. Keromytis,et al.  Smashing the Gadgets: Hindering Return-Oriented Programming Using In-place Code Randomization , 2012, 2012 IEEE Symposium on Security and Privacy.

[59]  Frank Piessens,et al.  Fallout: Reading Kernel Writes From User Space , 2019, ArXiv.

[60]  Tianlong Yu,et al.  BUZZ: Testing Context-Dependent Policies in Stateful Networks , 2016, NSDI.

[61]  Sergey Bratus,et al.  "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata , 2013, WOOT.

[62]  Yinqian Zhang,et al.  SPEECHMINER: A Framework for Investigating and Measuring Speculative Execution Vulnerabilities , 2019, NDSS.

[63]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[64]  Martin Schwarzl,et al.  NetSpectre: Read Arbitrary Memory over Network , 2018, ESORICS.