

posted by chromas on Thursday February 28 2019, @01:01AM   Printer-friendly

Co-authored by three computer science boffins from the University of Colorado, Boulder in the US – Jack Wampler, Ian Martiny, and Eric Wustrow – the paper, "ExSpectre: Hiding Malware in Speculative Execution," describes a way to compile malicious code into a seemingly innocuous payload binary, so it can be executed through speculative execution without detection.

Speculative execution is a technique in modern processors that's used to improve performance, alongside out-of-order execution and branch prediction. CPUs will speculate about future instructions and execute them, keeping the results and saving time if they've guessed the program path correctly and discarding them if not.

[...] The Boulder-based boffins have devised a way in which a payload program and a trigger program can interact to perform concealed calculations. The payload and trigger program would be installed through commonly used attack vectors (e.g. trojan code, a remote exploit, or phishing) and need to run on the same CPU. The trigger program can also take the form of special input to the payload or a resident application that interacts with the payload program.

"When a separate trigger program runs on the same machine, it mistrains the CPU’s branch predictor, causing the payload program to speculatively execute its malicious payload, which communicates speculative results back to the rest of the payload program to change its real-world behavior," the paper explains.

The result is stealth malware. It defies detection through current reverse engineering techniques because it executes in a transient environment not accessible to the static or dynamic analysis used by most current security engines. Even if the trigger program is detected and removed, the payload code will remain operating.

There are limits to this technique, however. Among other constraints, the malicious code can only consist of somewhere between one hundred and two hundred instructions. And the rate at which data can be obtained isn't particularly speedy: the researchers devised a speculative primitive that could decrypt 1KB of data and exfiltrate it at a rate of 5.38 Kbps, assuming 20 redundant iterations to ensure data correctness.
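The summary above turns on one mechanism: a mistrained branch predictor makes the CPU speculatively run code past a check that would architecturally fail, and only the side-channel residue of that run survives the rollback. The following C is an added example, not code from the ExSpectre paper or from the article, showing the shape of branch-guarded bounds check that speculation can bypass next to the index-masking mitigation defenders apply in code they control. The helper name `index_mask_nospec` (modelled on the Linux kernel's `array_index_nospec` idiom but re-implemented here) and the sample table are assumptions for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte lookup table; the values are arbitrary sample data. */
static const uint8_t table[16] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Hypothetical helper: returns all-ones if idx < size and zero otherwise,
 * computed with arithmetic only, so the result never depends on a branch
 * that the predictor could be trained to take. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    /* For idx < size both idx and (size - idx - 1) have the top bit clear,
     * so ~(idx | (size - idx - 1)) has the top bit set. For idx >= size the
     * subtraction wraps and sets the top bit, which ~ then clears. */
    size_t in_bounds =
        (~(idx | (size - idx - 1))) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - in_bounds; /* 1 -> 0xFFFF..., 0 -> 0 */
}

/* Bounds check as a plain branch. Architecturally correct, but a mistrained
 * predictor can speculatively take the in-bounds path for an out-of-bounds
 * idx and issue the load table[idx] before the misprediction is detected and
 * the load is rolled back; the cache state it left behind is not rolled back. */
uint8_t lookup_branch_only(size_t idx) {
    if (idx < sizeof table) {
        return table[idx];
    }
    return 0;
}

/* Same check, hardened: on the out-of-bounds path the index is masked to
 * zero before it is used, so even a speculatively executed load stays
 * inside the table and no attacker-chosen address is ever formed. */
uint8_t lookup_masked(size_t idx) {
    if (idx < sizeof table) {
        size_t safe_idx = idx & index_mask_nospec(idx, sizeof table);
        return table[safe_idx];
    }
    return 0;
}

int main(void) {
    size_t probes[] = { 0, 5, 15, 16, 1000, (size_t)-1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu mask=%#zx branch_only=%u masked=%u\n",
               probes[i], index_mask_nospec(probes[i], sizeof table),
               lookup_branch_only(probes[i]), lookup_masked(probes[i]));
    }
    return 0;
}
```

Both lookups return the same architectural results; the difference is only what an out-of-bounds `idx` can touch during speculation. In production code the mask is usually pinned with inline assembly or `__builtin_speculation_safe_value` so the optimizer cannot fold it away after seeing the preceding comparison; this example shows the masking arithmetic itself. Note that in the ExSpectre model the attacker compiles the payload binary, so this hardening protects the defender's own programs from acting as speculative gadgets rather than neutralising a payload the attacker wrote.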



  • (Score: 2) by FatPhil (863) on Thursday February 28 2019, @12:19PM (#808069)
    If you can run malicious code on someone else's machine you can get it to run malicious code?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2, Informative) by Anonymous Coward on Thursday February 28 2019, @02:05PM (#808105)

    The point is that you can run the malware that "doesn't run". That is, even if you single-step the code, you'll never see the malware execute, and static analysis as well as coverage tools will tell you that this code is never executed. Basically, the CPU executes it (through speculative execution), then notices that it should not have so, and undoes all effects — except those of the other process watching the execution via Spectre.

    Note that being able to run code on the same machine does not imply that you can normally run code in the same security context. Think for example of several virtual machines on the same server. You normally shouldn't be able to peek into what another VM does on the same physical machine, but with Spectre you might if both get scheduled on the same core.

    You still need to get the stealthy malware into the security context you're attacking, of course, but the point, as I understand it, is that this stealthy malware may defeat security checks because from the software's point of view, it never runs.

    • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @03:12PM (#808138)

      "coverage tools will tell you that this code is never executed". Can we improve Flops/Watt with it? I guess since nothing says it's running it also doesn't draw electricity? ^_^