Researchers hide malware in benign apps with the help of speculative execution

February 26, 2019

A team of academics from the University of Colorado Boulder (UCB) has found a way to hide malware operations by leveraging the process of “speculative execution,” the same CPU feature where the Meltdown and Spectre vulnerabilities were discovered last year.

Speculative execution is a performance feature of modern processors: the CPU runs computations ahead of time along the paths it predicts the program will take (speculative execution threads), keeps the path the application actually needs, and discards the other speculative paths and their data.

The Meltdown and Spectre vulnerabilities allow hackers to retrieve data from these speculative execution threads before the data is cleared from the CPU cache memory.

Over the past year, security researchers have identified and publicized numerous and different methods of retrieving data from speculative execution operations [1, 2, 3, 4, 5, 6].

But in research presented this week at the NDSS 2019 security conference, UCB academics showed that speculative execution can be used for more than data theft, revealing that speculative execution threads can serve as a secret place to hide malicious commands.

The technique, which they named ExSpectre, implies the creation of benign application binaries that victims install on their systems, thinking they are safe, and which, indeed, appear to be safe when scanned with security software apps.

But in reality, these binaries can be configured (after receiving an external trigger, either user/network input or another app running on the system) to launch well-orchestrated speculative execution threads that manipulate the benign app into executing malicious operations.

“We show this using the OpenSSL library as a benign trigger program in Section V-A, activating a malicious payload program when an adversary repeatedly connects to the infected OpenSSL server using a TLS connection with a specific cipher suite,” UCB researchers said.

In other examples, researchers say they also used the ExSpectre technique to decrypt encrypted memory and even manipulate apps to open a local reverse shell to an attacker-controlled location and allow it to run commands on the victim machine.

Because of the way it works, ExSpectre-class malware is currently undetectable.

“Using [ExSpectre], critical portions of a malicious program’s computation can be shielded from view, such that even a debugger following an instruction-level trace of the program cannot tell how its results were computed,” the UCB research team said.

“This technique defeats existing static and dynamic analysis, making it especially difficult for malware analysts to determine what a binary will do,” they added.

Stopping attacks with malware coded to use the ExSpectre technique isn’t possible at the moment, researchers said, at least at the software level.

“Ultimately, silicon and microarchitecture patches will be needed to secure CPUs against this kind of malware,” they said, echoing the conclusion of a similar research paper authored by Google researchers, who also concluded that the Spectre flaw could never be eradicated at the software level, and a new generation of CPU hardware may be needed.

More details about the UCB research are available in the whitepaper entitled “ExSpectre: Hiding Malware in Speculative Execution.”
Article source: https://www.zdnet.com/article/researchers-hide-malware-in-benign-apps-with-the-help-of-speculative-execution/#ftag=RSSbaffb68