The Page-Fault Weird Machine: Lessons in Instruction-less Computation

Trust analysis, i.e. determining that a system will not execute some class of computations, typically assumes that all computation is captured by an instruction trace. We show that powerful computation on x86 processors is possible without executing any CPU instructions. We demonstrate a Turing-complete execution environment driven solely by the IA32 architecture's interrupt handling and memory translation tables, in which the processor is trapped in a series of page faults and double faults, without ever successfully dispatching any instructions. The "hard-wired" logic of handling these faults is used to perform arithmetic and logic primitives, as well as memory reads and writes. This mechanism can also perform branches and loops if the memory is set up and mapped just right. We discuss the lessons of this execution model for future trustworthy architectures.
