November 2024
Communications of the ACM
Side-channel attacks such as Spectre rely on properties of modern CPUs that allow microarchitectural state to be recovered by timing various operations. The Weird Machine concept is an increasingly popular model for characterizing execution that emerges from the side effects of conventional computing constructs. In this work we introduce Microarchitectural Weird Machines (μWMs): code constructions that perform computation by means of side effects of, and conflicts between, microarchitectural entities such as branch predictors and caches. The results of such computations are observed as timing variations in the execution of instructions that interact with these side effects. We demonstrate how μWMs can be used as a powerful obfuscation engine in which computation operates on events that are unobservable to conventional anti-obfuscation tools based on emulation, debugging, and static and dynamic analysis. We present a practical example in which we use a μWM to obfuscate malware code such that its passive operation is invisible to an observer with full power to view the architectural state of the system, until the code receives a trigger. When the trigger is received, the malware decrypts and executes its payload. To show the effectiveness of the obfuscation we demonstrate its use in the concealment and subsequent execution of a payload that creates a reverse shell. In the full version of this work we also demonstrate a payload that exfiltrates a shadow password file. We then demonstrate the generality of μWMs by showing that they can reliably perform non-trivial computation, by implementing a SHA-1 hash function.
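As an added example (not the paper's own code), the C program below builds, on x86-64, the two primitives the abstract describes: a weird register (a cache line whose cached-or-evicted state encodes one bit, read back by timing a load with rdtscp) and an OR gate that is evaluated inside the transient window of a mispredicted branch, so that the result is never written to any architectural register or memory location and only shows up as a load latency. The delay chain that sets the window length, the training count, the majority vote and the calibration routine are this example's own design choices and are assumptions, not the paper's constructions; the window length (CHAIN) and the cached/evicted threshold must be tuned per machine, and on a noisy system or a different cache hierarchy the gate can misfire, which is why any practical μWM needs calibration and redundant evaluation.

```c
/* Added example, not the paper's code: cache-line weird registers and an OR gate
 * evaluated in a transient-execution window. Assumes x86-64 (rdtscp, clflush). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAGE    4096
#define TRAIN   6      /* predictor training runs before each real evaluation  */
#define VOTES   15     /* evaluations per gate; the output is the majority vote */
#define SAMPLES 101    /* timing samples per class during calibration           */
#define CHAIN   40     /* dependent multiplies that keep the branch unresolved  */

static uint64_t threshold_between(uint64_t hot_med, uint64_t cold_med) {
    return (hot_med + cold_med) / 2;   /* midpoint of median cached/evicted times */
}
static int wr_decode(uint64_t cycles, uint64_t threshold) {
    return cycles < threshold;         /* fast load: line was cached, bit 1 */
}
/* Returns 0 iff x is 0. Each step depends on the previous, so a branch on the
 * result stays unresolved for about CHAIN multiply latencies: longer than a
 * cache hit, shorter than a DRAM miss. The empty asm keeps the loop intact. */
static uint64_t delay_chain(uint64_t x) {
    for (int i = 0; i < CHAIN; i++) {
        x *= 0x9E3779B97F4A7C15ull;    /* odd multiplier: nonzero stays nonzero */
        __asm__ volatile("" : "+r"(x));
    }
    return x;
}
#if defined(__x86_64__)
#include <x86intrin.h>
/* A weird register is one cache line: cached = 1, evicted = 0. One page each so
 * adjacent-line prefetching cannot couple them; byte 0 is 0 so out[*a] is out. */
static uint8_t *wr_a, *wr_b, *wr_out;
static volatile uint8_t sink;
static volatile uint64_t seed;         /* 1 while training, 0 on the real run */
static void wr_alloc(void) {
    uint8_t *mem = aligned_alloc(PAGE, 3 * PAGE);
    memset(mem, 0, 3 * PAGE);
    wr_a = mem; wr_b = mem + PAGE; wr_out = mem + 2 * PAGE;
}
static void wr_set(uint8_t *r, int v) {
    if (v) sink = *r;                  /* load: line enters the caches */
    else   _mm_clflush(r);             /* flush: line leaves every level */
    _mm_mfence();
}
static uint64_t wr_probe(const uint8_t *r) {   /* destructive: r is cached after */
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *r;
    uint64_t t1 = __rdtscp(&aux);      /* rdtscp waits for the load to complete */
    return t1 - t0;
}
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
static uint64_t median(uint64_t *v, int n) { qsort(v, n, sizeof *v, cmp_u64); return v[n / 2]; }
static uint64_t calibrate(void) {
    uint64_t hot[SAMPLES], cold[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) { wr_set(wr_out, 1); hot[i]  = wr_probe(wr_out); }
    for (int i = 0; i < SAMPLES; i++) { wr_set(wr_out, 0); cold[i] = wr_probe(wr_out); }
    return threshold_between(median(hot, SAMPLES), median(cold, SAMPLES));
}
/* On the real run the branch is predicted taken but resolves not-taken, so both
 * loads of out issue transiently. A load whose input is cached completes inside
 * the window and leaves out cached; one whose input was evicted is still waiting
 * on DRAM when the squash happens and leaves no trace. So out = a OR b. */
static void __attribute__((noinline))
gate_or_run(const uint8_t *a, const uint8_t *b, const uint8_t *out) {
    if (delay_chain(seed)) {
        sink = out[*(volatile const uint8_t *)a];
        sink = out[*(volatile const uint8_t *)b];
    }
}
static int gate_or(int a, int b, uint64_t threshold) {
    int ones = 0;
    for (int v = 0; v < VOTES; v++) {
        seed = 1;                      /* teach the predictor: taken */
        for (int i = 0; i < TRAIN; i++) gate_or_run(wr_a, wr_b, wr_out);
        wr_set(wr_a, a); wr_set(wr_b, b); wr_set(wr_out, 0);
        seed = 0;                      /* real run: not taken, but predicted taken */
        _mm_mfence();
        gate_or_run(wr_a, wr_b, wr_out);
        ones += wr_decode(wr_probe(wr_out), threshold);
    }
    return ones > VOTES / 2;
}
int main(void) {
    wr_alloc();
    uint64_t thr = calibrate();
    printf("cached/evicted threshold: %llu cycles\n", (unsigned long long)thr);
    for (int a = 0; a < 2; a++)
        for (int b = 0; b < 2; b++)
            printf("OR(%d,%d) = %d\n", a, b, gate_or(a, b, thr));
    return 0;
}
#else
int main(void) { puts("the timing gate needs x86-64 (rdtscp, clflush)"); return 0; }
#endif
```

Build with `cc -O1 -o uwm uwm.c` and run it pinned to one core; the truth table printed at the end is the observable, and nothing in the program's architectural state ever holds a OR b. Run the same binary under a CPU emulator that does no speculation and the output line is never touched on the real run, so every gate reads 0: that is the gap between architectural and microarchitectural observers the abstract builds its obfuscation on.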