Security Hardware

Research Inches Toward Processor-Specific Malware

Posted by samzenpus
from the acquiring-new-targets dept.
chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: it's not easy to figure out what kind of CPU a device is running. But researchers at France's Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."
  • by cosm (1072588)
    We need an Al Gore of receding corporate monopolies!
    • Re: (Score:3, Funny)

      by MrEricSir (398214)

      You mean the Department of Justice?

      • Re: (Score:3, Insightful)

        by davester666 (731373)

        The department of justice no longer does what you think it does.

        It switched over the last decade or two from the department that does justice for you, to the department that does justice TO you.

        • by Obyron (615547)
          Oh really? So you'd rather go back to the halcyon days of J. Edgar Hoover when everybody's rights were respected and no one ever got spied on by the Justice Department?
  • After this report 57 IT representatives quit their job in order to become store clerks.
  • at least at the start of this next frontier how about testing for the chip profiling software. It's one thing to be able to "detect subtle differences" in floating point operations but another to do it while also trying to avoid detection while you're doing it.
    • by WrongSizeGlass (838941) on Wednesday November 10, 2010 @10:33PM (#34192808)
      Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with its own Ethernet drivers? Its own TCP/IP stack? If it's not relying on the OS to do its dirty work, then what does it do besides figuring out your CPU type?
      • by gl4ss (559668) on Thursday November 11, 2010 @06:17AM (#34194632) Homepage Journal

        it's just fud. early stage fud. from france.

        you know, research for the sake of research for the sake of getting more money to do more research.

        besides that: have they not heard of cpuid? -DDD the hardest part of this attack definitely wouldn't be figuring out which cpu the computer has.

        so they're tackling the EASIEST part of this, just figuring out which cpu the running host has. they would still have to find application specific holes to get their fingerprinting code to actually run on the target systems. on top of that their fingerprinting depends on you getting to run native code on the target system, after that I suppose the aim is to raise privileges of the running process to actually do a hack however that would still be very os/app specific.

        the whole effort seems quite absurd, except from academia point of view which is to just suck in money while doing nothing.

      • Read the errata sheet from any recent Intel or AMD chip. Some things are relatively trivial, some are not. For example, there was a flaw with the P4's hyperthreading implementation that allowed one thread to access the other thread's cache. If one thread was in ring 0, and the other in ring 3, the thread in ring 3 could use this to elevate itself to ring 0. There's a more subtle flaw with the cache controller on the Core 2 Duo series, which, again, has the potential to allow privilege elevation.
    • by grcumb (781340)

      at least at the start of this next frontier how about testing for the chip profiling software.

      As others have said already: cat /proc/cpuinfo

      Okay, seriously: I know you mean more than that. If an application really wants to take advantage of shortcoming within a given processor type, it will necessarily have to interact with it. Problem is, it can do so in one of any number of ways. It could even infect other software and use its activity as cover to inject the tests necessary to characterise the processor's weaknesses.

      It's one thing to be able to "detect subtle differences" in floating point operations but another to do it while also trying to avoid detection....

      See above.

      But why bother attacking the processor if you've already won your way o

  • by zill (1690130) on Wednesday November 10, 2010 @09:13PM (#34192366)
    /* classic Pentium FDIV check; floating point literals so the test actually
       exercises the FPU instead of overflowing 32-bit integer arithmetic */
    if ((4195835.0 * 3145727.0) / 3145727.0 != 4195835.0) {
        cpu = "Intel Pentium";
    }
    • Re: (Score:3, Insightful)

      by Mitchell314 (1576581)
      4195835*3145727/3145727 == 4195835.00000001
      • Re: (Score:3, Informative)

        by wvmarle (1070040)

        This depends apparently on your programming language. I know the .00000001 has to do with decimal to binary conversion which introduces this kind of error. Anyway I just tried this in Python, and got a different result:
        >>> 4195835*3145727/3145727
        4195835L
        >>> 4195835*3145727/3145727 == 4195835
        True
        >>> 4195835*3145727/3145727 == 4195835.00000001
        False
        >>>

    • by gl4ss (559668)

      well, that is essentially the whole basis for these researchers work. oh the academics.

      • by vidnet (580068)

        Indeed. TFA is about identifying processors, the bit about exploits is just an attention grabber.

  • by Anonymous Coward

    but...

    where actually is the attack vector if you don't target any software platform at all?

  • It's really bad we have only two and a half CPU architectures in any wide use: armel and i386/amd64 -- and even worse, all smartphones use the former and big machines the latter. Using a different arch gives you extra security (by greatly reducing the amount of existing shellcode) while adding basically no issues whatsoever -- any reasonable server OS is fully portable, and having no Adobe Flash is a blessing not a curse.

    Too bad, you can forget about performance-to-price, and availability is worse than aby

    • In your house, maybe.

      In the server room, PowerPC is still very popular. In fact it's the only choice if you want the best straight-up single core performance.

      "any reasonable server OS is fully portable" That's not true because AIX is a perfectly reasonable server OS and it's only on PowerPC.

      • Re:Huh? (Score:4, Insightful)

        by danlip (737336) on Wednesday November 10, 2010 @09:33PM (#34192506)

        Sorry, but I've used AIX and it is not a perfectly reasonable OS.

        • Re:Huh? (Score:5, Insightful)

          by FranTaylor (164577) on Wednesday November 10, 2010 @09:36PM (#34192538)

          Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

          • That is pretty much how I treat all my servers: Install what I need and leave it alone. Most problems are caused by finger trouble, so the first thing I disable on a Linux system is the Auto-Update ^WScrewup system. A Linux machine can run for 3 to 7 years non stop till the hardware fails.
      • Not only in servers, but most vehicles have several PowerPC chips in them for the ECU and other ancillary units.

        • Re: (Score:3, Informative)

          by Narishma (822073)

          And even in your house PPC isn't dead. All current generation consoles use PPC processors.

      • by Bert64 (520050)

        And as the post pointed out, you can forget about performance-to-price, and are PPC servers available from anyone other than IBM?
        It is extremely rare that I see an AIX box these days, and those few companies who do have them usually have many more x86 systems.

    • by jonwil (467024) on Wednesday November 10, 2010 @10:23PM (#34192758)

      Plenty of CPU architectures out there.
      ARM is out there in embedded devices.
      PowerPC is still popular in servers (and in games consoles)
      Plenty of things out there using MIPS including the Playstation Portable and all kinds of home routers

      And if you are talking really embedded devices, PIC, AVR and others are still going strong.
      Even oldschool architectures like the Zilog Z80 and Motorola 68000 are still going strong in many areas.

      • by h4rr4r (612664)

        You forgot SPARC.

      • by KiloByte (825081)

        ARM is out there in embedded devices.

        Which I specifically named as one of the two-and-a-half architectures flourishing.

        PowerPC is still popular in servers

        I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

        Plenty of things out there using MIPS including the Playstation Portable

        I haven't seen a single one of these, but it's a thing from 2004 that has a tiny fraction of what any low-end smartphone can do

        and all kinds of home routers

        These used to be MIPS-based in 1990s and early 2000s, yeah. Since then, all new ones seem to be migrating to ARM.

        • by Anubis350 (772791)

          PowerPC is still popular in servers

          I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

          Server-side, I'm pretty sure IBM counts [wikipedia.org] as a major vendor [wikipedia.org]. Also the PS3, XBox360, and Wii all use some variant of PPC, as the GP noted. So btw do a great deal of embedded chips manufactured by such bit players (no pun intended) as, oh, say Motorola (well, Freescale now). A lot of set-top boxes and such use PPC.

        • >I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

          IBM isn't mainstream enough ?

        • I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

          Good thing all the hardware manufacturers ship the parts back from Asia and Mexico for you then...

  • Isn't it still far easier to specialize malware for specific software rather than trying to heuristically determine the hardware being used and then trying to exploit that?

    Also, how protected is the type of the processor and the other hardware used in a machine? I would imagine that exposing this information (such as that your PC has a GPGPU) to software might help the software work better. To me, it seems that this gain easily outweighs the risks involved.

    • Re: (Score:3, Insightful)

      by DigiShaman (671371)

      Current software exploits are based on specific OS, Apps, and/or a combination of the two. Add in different versions and quick patching can put out the malware fires rather quickly. With hardware, there are fewer permutations and revisions in comparison to software.

      While it's possible to patch hardware flaws with firmware and microcode updates, it's not something that happens automatically by the end user. In theory, running malware at the hardware level opens up a huge potential homogeneous field to play in.

    • It's pretty hard to issue a patch for a hardware flaw.
      • by h4rr4r (612664)

        No it is not. We do it all the time, what do you think microcode is?

        • Microcode is what instructions from the architectural instruction set are translated into before being executed on a processor. Essentially, it's a set of specific signals to the muxes, demuxes, and various components (ALUs, register bank, L1 cache, branching unit, etc.). Microcode, unto itself, is not a patch to a hardware flaw, it's just a means of making a processor work.

          What you're talking about is "writable microcode" or a "writable control store" which is when the code to microcode translation proce

  • by spywhere (824072) on Wednesday November 10, 2010 @09:20PM (#34192428)
    "Windows/Office/IE monoculture is disappearing faster than equatorial glaciers..."
    Do you actually work in corporate IT? Windows XP and IE6/7 dominate. Apple has little hope of taking hold in anything bigger than the art department at Comcast, and Linux is what the geekiest artist-type there uses at home.

    I'm not advocating Windows... I'm simply pointing out that they are not going anywhere.
    • Re: (Score:3, Insightful)

      by Un pobre guey (593801)
      They can always dream, can't they?
    • by Eskarel (565631)

      Not to mention that Android and iOS are part of the smart phone segment where there never was a Windows/Office/IE monoculture.

      • by Grishnakh (216268)

        Exactly. The Windows/Office monoculture hasn't gone anywhere, but the computing field itself has expanded a lot. Now, people do computing in many more places than just their desktop, thanks to small mobile devices, so a giant new market has opened up, and in that market, MS is a bit player. They've had their own offerings in the mobile device arena for quite a while, but it's never been very popular, and now iOS and Android are growing by leaps and bounds while MS's mobile offerings continue to languish.

    • by DrgnDancer (137700) on Wednesday November 10, 2010 @10:01PM (#34192640) Homepage

      I dunno. I was a Linux Systems Administrator for a fortune 50 company. I'm now a Linux Systems administrator for the Federal Government. In both cases we also had limited use of Macs too. You didn't see that 10 years ago. I'll grant you "Faster than equatorial glaciers" may be hyperbole, but the monoculture is disappearing (Windows isn't disappearing by any means, just the monoculture).

      To a certain extent it's also somewhat of a moot point anyway. If people are using Macs or Linux at home that's still impacting malware authors. In fact it's impacting them worse in some respects. They count on the unpatched boxes in ma and pa's bedroom for a botnet vector. Smartphones are also a growing presence on the 'Net. They're not hugely important *yet* but at the rate they're going they will be.

      So yeah, for the time being you can still feel safe that 9/10 clients are Windows (which is still down a lot from 9.7/10). Smart criminals, just like smart companies, look ahead though. If trends continue as they are, 10 years from now it might be 7/10 clients (With the rest split between Macs, some Linux, and lots of mobile) . 10 years after that? Who knows?

    • With the discontinuation of their Xserves they've quite clearly said "We don't really care about the enterprise market." Can't say I'm surprised, consumer electronics is where they've been making tons of money. However it does mean that any growth potential they had in business markets is likely to dry up. That just means the market will continue to be solidly MS for now.

      • Re: (Score:3, Interesting)

        by h4rr4r (612664)

        The enterprise market for servers has never been solidly MS. The Xserve was not a popular product, no one wanted to pay Apple prices to run a Unix. If you want to do that you could have always bought a Sun box. The rest of the enterprise wanted to run Linux on commodity hardware.

      • Re: (Score:3, Informative)

        by wvmarle (1070040)

        Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.

        A server has to sit in a corner, fit nicely so square (or for bigger setups: rackable) is preferred. Most of them don't have a monitor attached so a GUI is also unwanted.

        Then what reason is there to pay an Apple price for a server?

        Microsoft has a similar problem: their strong point is also the user interface, as that's what Windows is about after all. Wind

        • by CAIMLAS (41445)

          Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.

          Strongly disagree on the second part: case design is very important on a server. It's almost as important as the hardware in the machine and the external interfaces (say, SAS, IPMI or Infiniband).

          I'm pretty sure the Xserve had none of those interfaces, and the internal RAID controller was somewhat lackluster at that. From what I've seen of them, I'd rather have a modern Dell or HP server - the hardware is better.

          • by wvmarle (1070040)

            With case design I was talking about prettiness and looks, not sturdiness or easy to build in. Consumers buying a case to put in their living room or IT people buying a case to put in a comms cupboard or server room have totally different requirements on case design.

    • by sheehaje (240093)

      How many phones is Microsoft on? I'm sure that cuts into the 9.5 out of 10 percentages over computing platforms quite a bit. Phones aren't phones anymore, they are full blown computers.

      Also, I know a lot of local governments and state governments are starting not to extend their enterprise agreements with Microsoft.

      I work for a sizable county government and we are moving off of Exchange/Outlook next year in favor of Zimbra. We are a 2007 shop now and were thinking of migrating to 2010, but won't. Microsoft is

  • by by (1706743) (1706744) on Wednesday November 10, 2010 @09:32PM (#34192502)
    From TFS:

    Malware targeting one or more of those processors would work regardless of what OS or applications were installed.

    Ok...but how are you planning on executing that? You can write a piece of code that exploits some chip vulnerability, and compile it for Windows -- but it still gives you no advantage over just writing something which targets Windows in the first place.

    And if you're capable of running arbitrary machine code on the host -- which is sort of what I take this article to suggest -- then you've got way bigger fish to fry in the security department...

    • by antifoidulus (807088) on Wednesday November 10, 2010 @09:45PM (#34192570) Homepage Journal
      Actually the biggest threat would be to VMs running on some big iron machine. If you and I are both running on a VM and I can exploit a CPU bug that allows me to break out of my sandbox then your data is in trouble even if you didn't let anyone else execute code in your VM.
      • I had the same thought as the grand-parent poster, but the parent post is definitely correct. It's quite common for a lot of smaller web sites to run on VPS's. If you can hack or rent one VPS and use this to execute code which compromises the physical machine, that means that you can take over everyone else's VPS that is ever executed on that same machine. If you're trying to get malicious code onto a lot of web sites (which they are), that would be a very good way to do it. Plus, who knows what else mi

    • Re: (Score:3, Insightful)

      by phantomfive (622387)
      Not only that, when was the last time you heard of an exploit that attacked a chip? I can remember hearing about a vulnerability six years ago or so, but it was hard to exploit. Such an exploit would be nice, but I don't think they happen very often.
    • Peak windows. (Score:5, Insightful)

      by mevets (322601) on Wednesday November 10, 2010 @11:28PM (#34193026)

      My guess is the AV companies are sensing that 'peak windows' has passed, and are manufacturing a new market.
      The reason to run AV software on other platforms is to avoid inadvertently forwarding viruses to Windows users. Not a compelling story.

  • Catch 22 much ??? (Score:3, Insightful)

    by Zero__Kelvin (151819) on Wednesday November 10, 2010 @09:33PM (#34192512) Homepage

    "Malware targeting one or more of those processors would work regardless of what OS or applications were installed. "

    This is complete bullshit. First, you have to get your code to execute on my hardware, which you aren't about to do unless you compromise my OS. If you can't get your assembly code to run on the CPU in Ring 0 on the Intel Platform, for example, your processor specific malware, no matter how clever, is useless. If you can do so, you have already compromised my OS, so your code is useless.

    • Re: (Score:3, Insightful)

      by h4rr4r (612664)

      Not quite. If I am only in one VM and I want to break out then this sort of thing might be quite useful. If I had already exploited the host, then yes it would be a waste of time.

      • "If I am only in one VM"

        I already said that you need to have already compromised my OS. The fact that it runs in a VM is completely immaterial. If you have compromised my paravirtualized OS, you have compromised my OS, but again you have a catch 22. We can both agree that if you have already compromised my OS, then you can continue to compromise my OS.

        • by h4rr4r (612664)

          This lets me get further. I can now get a shot at the host from inside a vm.

          I do of course agree you need a way into the hardware to begin with.

          • I just re-read what I originally wrote, and I realized that I was attempting to imply that it was useless for compromising a machine in an OS independent manner . I can see how you thought I meant that it had no use at all under any circumstance, but we agree that as a means of accomplishing privilege escalation rather than breaking down the front door it has a use. Also, I was discussing malware rather than interactive system cracking, the latter which - almost by definition - involves knowledge of the
      • by CAIMLAS (41445)

        Certainly - this would be a very effective dispersal method, particularly if you're running a VM cluster. Break out of the 'jail' through a Windows driver or bug in the VM management interface API, and you've gained privileged access on a clustered VM host. Depending on which VM it is, and which member of a cluster, it's quite possible you've got open administrative access on the entire cluster.

        That's, what, 10, 15, 30 physical servers with gobs of RAM and CPU? That alone is terrifying, but consider that th

    • by Darinbob (1142669)
      My guess is that the article and summary are just a bit too vague and misleading. You could have an interpreted script or bytecode do the work, it wouldn't care what the processor was, and as for the OS it'll probably just assume something that has the script interpreter builtin or in the browser. I.e., Java, Javascript, .net, etc. Then it figures out what browser you have, what CPU type and maybe model, and a really good guess of the OS.

      The processor privilege and ring 0 thing is a bit off. The whole poi
      • "The whole point of malware is figuring out how to get the processor privilege it needs."

        That is not the whole point of most malware. It cares about getting application level privileges running in user space, most often in an interpreted environment. If you are trying to do so in an OS independent way the security landscape changes drastically. The only way to accomplish that is with Assembly Language. Therefore the "processor privilege and Ring 0 thing" is, as Marisa Tomei said in "My Cousin Vinny" dead

  • CPUID registers ? (Score:3, Insightful)

    by NemoinSpace (1118137) on Wednesday November 10, 2010 @09:35PM (#34192522) Homepage Journal
    Seems a lot easier to me for the majority of cases. A little ASM goes a long way. When in doubt, ASK!
    OK, now you can list all the architectures that don't specifically use CPUID, but they all (even PLCs) report what they are.
    • by Darinbob (1142669)
      CPUID is an Intel x86 specific thing. Other CPU types do things differently, and they certainly don't run the same machine code. I can think of several CPUs that have no sort of identifier register. What about being able to tell if the device has an ARM9, AVR, PPC 603, etc?
  • Just like on the Pentiums http://en.wikipedia.org/wiki/F00f [wikipedia.org]
  • by Un pobre guey (593801) on Wednesday November 10, 2010 @09:47PM (#34192582) Homepage
    So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.
  • This kind of thing would be handy to have for ordinary software, especially code that depends on floating point performance and routines that can optionally take advantage of processor-specific features (or route around misfeatures). The interface would still have to deal with the local OS, but the underlying libraries could be written without recourse to platform-specific code to identify the hardware -- especially since some operating systems either don't make that information available to apps or do so i

  • The researchers claim to be working on a tool, dubbed Proc_Scope that will use specific numerical expressions to identify the processor type, and to be working on an algorithm that can help identify a specific processor.

    That all sounds quite involved and somewhat fragile.

    Or you could just use the CPUID [wikipedia.org] instruction. It's been around since the original Pentium.

    • by Microlith (54737)

      Assuming you're using a Pentium-class x86 platform. ARM requires something entirely different.

    • by jrumney (197329)
      Presumably Proc_Scope will run in a cross platform VM (eg Java) that allows them to start with no assumptions about the target platform at all.
  • It's true! He just forgot to mention *which* equator he was referring to. I believe in this case, it would be the equator of Uranus.

  • by junglebeast (1497399) on Wednesday November 10, 2010 @11:38PM (#34193080)

    There is no cross-platform instruction to call the CPUID assembly instruction...so you can only use CPUID if you can run native code on the computer, and if you can do that, you've already broken in so you don't need it.

    Now imagine that you are running some generic code like javascript...which has a limited instruction set and is possibly even being run in a browser based sandbox. If you can use simple floating point arithmetic to detect the processor type, and then you know that this particular processor has a flaw such that if you evaluate: "44.5 / 222.3 + 1" then the following benign string literal in javascript gets interpreted as native binary code which executes outside of the "sandbox" imposed by the limitations of the language...do you get what I'm saying?

    • by wvmarle (1070040) on Thursday November 11, 2010 @01:09AM (#34193544)

      Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.

      Regardless it makes me wonder why you need to know the processor type in the first place? Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original javascript program.

    • by gl4ss (559668)

      then you're attacking/diagnosing the javascript vm. not very app agnostic at all as is hyped in the article. they're calling diagnosing the floating point implementation a 'malware attack' which is still pretty far from it. there's a dozen other better more reliable ways to find out if the browser is running on an iphone 3g or not.

      the name 'proc_scope' could even be intentionally chosen to make it hard to google. on top of that, the published paper
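The CPUID route that the "CPUID registers ?" and Proc_Scope posts propose, next to the FDIV-style floating-point check zill sketched, as an added example (not code from any poster or from the ESIEA paper): a C program that reads the CPUID vendor string and family/model/stepping when built for x86, falls back cleanly on other targets, and runs the classic Pentium FDIV consistency test. `__get_cpuid` is the GCC/clang wrapper from <cpuid.h>; the family/model folding follows Intel's published decoding of leaf 1.

```c
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* Classic FDIV consistency check. Both operands are below 2^23, so the
 * product (< 2^45) and the division are exact in IEEE-754 double; only a
 * faulty divider (the 1994 Pentium) fails the round trip. 'volatile' stops
 * the compiler from folding the expression at build time. */
int fdiv_bug_present(void) {
    volatile double x = 4195835.0;
    volatile double y = 3145727.0;
    double r = (x * y) / y;
    return r != x;                 /* 0 on any correct FPU */
}

/* Copy the 12-character CPUID vendor string (leaf 0: EBX, EDX, ECX order)
 * into buf, which must hold at least 13 bytes. Returns 1 on success and
 * 0 when CPUID is unavailable, i.e. a non-x86 build. */
int cpuid_vendor(char *buf, size_t len) {
    if (len < 13) return 0;
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx)) return 0;
    memcpy(buf + 0, &ebx, 4);
    memcpy(buf + 4, &edx, 4);
    memcpy(buf + 8, &ecx, 4);
    buf[12] = '\0';
    return 1;
#else
    (void)buf;
    return 0;
#endif
}

/* Decode family/model/stepping from CPUID leaf 1 EAX. Per Intel's decoding,
 * the extended family is added only when the base family is 0xF, and the
 * extended model is folded in when the base family is 0x6 or 0xF. */
int cpuid_signature(unsigned *family, unsigned *model, unsigned *stepping) {
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    unsigned base_family = (eax >> 8) & 0xF;
    unsigned base_model  = (eax >> 4) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;
    unsigned ext_model   = (eax >> 16) & 0xF;
    *stepping = eax & 0xF;
    *family = base_family;
    *model = base_model;
    if (base_family == 0xF) *family += ext_family;
    if (base_family == 0x6 || base_family == 0xF) *model += ext_model << 4;
    return 1;
#else
    (void)family; (void)model; (void)stepping;
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    unsigned family, model, stepping;
    if (cpuid_vendor(vendor, sizeof vendor) &&
        cpuid_signature(&family, &model, &stepping))
        printf("CPUID: %s family %u model %u stepping %u\n",
               vendor, family, model, stepping);
    else
        printf("CPUID not available on this build target\n");
    printf("FDIV bug present: %s\n", fdiv_bug_present() ? "yes" : "no");
    return 0;
}
```

Note that every runtime library that dispatches on SSE/AVX support already issues exactly this instruction, which is why a detector keyed on CPUID alone would flag nearly every program.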

  • '...professor specific malware?

    I've had to sit through my share of boring lectures, but isn't this carrying things a bit far?

    • Good news everyone!

      I'm selling affordable viagra and replica wristwatches on my shady Asian-domain website! Also anyone who wants to see some cute dancing bunnies and/or pornography should meet me in the alley out back!

  • by Anonymous Coward

    ESIEA is "École Supérieure d'Informatique, Électronique, Automatique".
    With "supérieure", not "superiore" (which is, maybe, Italian?). Please also note the usage of the accents on some of the letters (even the capitals, as allowed in French, even if some of the French people do not know their usage (!))

    Merci.

    (A verbatim translation of ESIEA would give something like "High School for Computer Science, Electronic and Control Engineering", however, an "École Supérieure" in

  • This paper is really about how it is still possible to fingerprint CPUs, even without using the non-privileged CPUID instruction.

    First of all, they state that using CPUID might trigger behavioral malware scanners/detectors.

    Well, guess what: More or less every single program out there contains at least one CPUID instance somewhere in the runtime library code, some of them in order to avoid known bugs (like the Pentium FDIV case), and some in order to determine which forms of SIMD instructions are available (
