Computing with time: microarchitectural weird machines
- 17 April 2021
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Abstract
Side-channel attacks such as Spectre rely on properties of modern CPUs that permit discovery of microarchitectural state via timing of various operations. The Weird Machine concept is an increasingly popular model for characterization of emergent execution that arises from side-effects of conventional computing constructs. In this work we introduce Microarchitectural Weird Machines (µWM): code constructions that allow performing computation through the means of side effects and conflicts between microarchitectural entities such as branch predictors and caches. The results of such computations are observed as timing variations. We demonstrate how µWMs can be used as a powerful obfuscation engine where computation operates based on events unobservable to conventional anti-obfuscation tools based on emulation, debugging, static and dynamic analysis techniques. We demonstrate that µWMs can be used to reliably perform arbitrary computation by implementing a SHA-1 hash function. We then present a practical example in which we use a µWM to obfuscate malware code such that its passive operation is invisible to an observer with full power to view the architectural state of the system until the code receives a trigger. When the trigger is received the malware decrypts and executes its payload. To show the effectiveness of obfuscation we demonstrate its use in the concealment and subsequent execution of a payload that exfiltrates a shadow password file, and a payload that creates a reverse shell.
Funding Information
- DARPA (HR0011-20-C-0039)