Research Inches Toward Processor-Specific Malware

chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: its not easy to figure out what kind of CPU a device is running. But researchers at France's Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."

sure sounds interesting

[Anonymous Coward]

but...

where actually is the attack vector if you don't target any software platform at all?

Re:Obligatory intel bashing

[Mitchell314]

4195835*3145727/3145727 == 4195835.00000001

Am I missing something?

[by (1706743)]

From TFS:

Malware targeting one or more of those processors would work regardless of what OS or applications were installed.

Ok...but how are you planning on executing that? You can write a piece of code that exploits some chip vulnerability, and compile it for Windows -- but it still gives you no advantage over just writing something which targets Windows in the first place.

And if you're capable of running arbitrary machine code on the host -- which is sort of what I take this article to suggest -- then you've got way bigger fish to fry in the security department...

Re:Huh?

[danlip]

Sorry, but I've used AIX and it is not a perfectly reasonable OS.

Catch 22 much ???

[Zero__Kelvin]

"Malware targeting one or more of those processors would work regardless of what OS or applications were installed. "

This is complete bullshit. First, you have to get your code to execute on my hardware, which you aren't about to do unless you compromise my OS. If you can't get your assembly code to run on the CPU in Ring 0 on the Intel Platform, for example, your processor specific malware, no matter how clever, is useless. If you can do so, you have already compromised my OS, so your code is useless.

CPUID registers ?

[NemoinSpace]

seems a lot easier to me for the majority of cases. a little ASM goes a long way. When in doubt, ASK!
ok, now you can list all the architectures that don't specifically use CPUID, But they all (even PLC's) report what they are.

Re:Huh?

[FranTaylor]

Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Am I missing something?

[antifoidulus]

Actually the biggest threat would be to VMs running on some big iron machine. If you and I are both running on a VM and I can exploit a CPU bug that allows me to break out of my sandbox then your data is in trouble even if you didn't let anyone else execute code in your VM.

Re:I hate to ask, but...

[Un pobre guey]

They can always dream, can't they?

Re:I hate to ask, but...

[DrgnDancer]

I dunno. I was a Linux Systems Administrator for a fortune 50 company. I'm now a Linux Systems administrator for the Federal Government. In both cases we also had limited use of Macs too. You didn't see that 10 years ago. I'll grant you "Faster than equatorial glaciers" may be hyperbole, but the monoculture is disappearing (Windows isn't disappearing by any means, just the monoculture).

To a certain extent it's also somewhat of a moot point anyway. If people are using Macs or Linux at home that's still impacting malware authors. In fact it's impacting them worse in some respects. They count on the unpatched boxes in ma and pa's bedroom for a botnet vector. Smartphones are also a growing presence on the 'Net. They're not hugely important *yet* but at the rate they're going they will be.

So yeah, for the time being you can still feel safe that 9/10 clients are Windows (which is still down a lot from 9.7/10). Smart criminals, just like smart companies, look ahead though. If trends continue as they are, 10 years from now it might be 7/10 clients (With the rest split between Macs, some Linux, and lots of mobile) . 10 years after that? Who knows?

Re:CPU Microcode is the next malware frontier

[AuMatar]

To be useful, you'd need a microcode memory big enough to fit a decent program (doubtful), and do so without breaking the integrity of the machine (almost impossible) as well as have a chip that has writable microcode caches (does anything do this, other than maybe transmeta)? Number 2 is a biggie- malware that breaks the CPU will quickly get the machine offline and RMAed. If you aren't online, you aren't doing anything useful for the malware. The trick for malware is to do what you want, while appearing as if you didn't even exist to the user.

Re:Sparc, MIPS, PowerPC, ... are practically dead

[jonwil]

Plenty of CPU architectures out there.
ARM is out there in embedded devices.
PowerPC is still popular in servers (and in games consoles)
Plenty of things out there using MIPS including the Playstation Portable and all kinds of home routers

And if you are talking really embedded devices, PIC, AVR and others are still going strong.
Even oldschool archtectures like the Zilog Z80 and Motorola 68000 are still going strong in many areas.

Apple has even less hope now

[Sycraft-fu]

With the discontinuation of their Xservs they've quite clearly said "We don't really care about the enterprise market." Can't say I'm surprised, consumer electronics is where they've been making tons of money. However it does mean that any growth potential they had in business markets is likely to dry up. That just means the market will continue to be solidly MS for now.

Re:Ok, maybe this is too simple but

[WrongSizeGlass]

Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with it's own ethernet drivers? It's own TCP/IP stack? If it's not relying on the OS to do its dirty work than what does it do besides figuring out your CPU type?

Re:Catch 22 much ???

[h4rr4r]

Not quite. If I am only in one VM and I want to break out then this sort of thing might be quite useful. If I had already exploited the host, then yes it would be a waste of time.

Re:Am I missing something?

[phantomfive]

Not only that, when was the last time you heard of an exploit that attacked a chip? I can remember hearing about a vulnerability six years ago or so, but it was hard to exploit. Such an exploit would be nice, but I don't think they happen very often.

Re:The road to profit.

[arth1]

Except that by adding the requirement of "cat /proc/cpu", you're back to being OS-specific, which defeats the premise of TFA.

Peak windows.

[mevets]

My guess is the AV companies are sensing that 'peak windows' has passed, and are manufacturing a new market.
The reason to run AV software on other platforms is to avoid inadvertently forwarding viruses to Windows users. Not a compelling story.

I think I can explain the real threat here...

[junglebeast]

There is no cross-platform instruction to call the CPUID assembly instruction...so you can only use CPUID if you can run native code on the computer, and if youcan do that, you've already broken in so you don't need it.

Now imagine that you are running some generic code like javascript...which has a limited instruction set and is possibly even being run in a browser based sandbox. If you can use simple floating point arithmetic to detect the processor type, and then you know that this particular processor has a flaw such that if you evaluate: "44.5 / 222.3 + 1" then the following benign string literal in javascript gets interpreted as native binary code which executes outside of the "sandbox" imposed by the limitations of the language...do you get what I'm saying?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Software Warming

[davester666]

The department of justice no longer does what you think it does.

It switched over the last decade or two from the department that does justice for you, to the department that does justice TO you.

Re:Ok, maybe this is too simple but

[gl4ss]

it's just fud. early stage fud. from france.

you know, research for the sake of research for the sake of getting more money to do more research.

besides than that : have they not heard of cpuid? -DDD the hardest part of this attack definetely wouldn't be figuring out which cpu the computer has.

so they're tackling the EASIEST part of this, just figuring out which cpu the running host has. they would still have to find application specific holes to get their fingerprinting code to actually run on the target systems. on top of that their fingerprinting depends on you getting to run native code on the target system, after that I suppose the aim is to raise privilidges of the running process to actually do a hack however that would still be very os/app specific.

the whole effort seems quite absurd, except from academia point of view which is to just suck in money while doing nothing.