ExSpectre: Hiding Malware in Speculative Execution

—Recently, the Spectre and Meltdown attacks revealed serious vulnerabilities in modern CPU designs, allowing an attacker to exfiltrate data from sensitive programs. These vulnerabilities take advantage of speculative execution to coerce a processor to perform computation that would otherwise not occur, leaking the resulting information via side channels to an attacker. In this paper, we extend these ideas in a different direction, and leverage speculative execution in order to hide malware from both static and dynamic analysis. Using this technique, critical portions of a malicious program’s computation can be shielded from view, such that even a debugger following an instruction-level trace of the program cannot tell how its results were computed. We introduce ExSpectre , which compiles arbitrary malicious code into a seemingly-benign payload binary. When a separate trigger program runs on the same machine, it mistrains the CPU’s branch predictor, causing the payload program to speculatively execute its malicious payload, which communicates speculative results back to the rest of the payload program to change its real-world behavior.

• Publication year

  2019

• Venue

  Network and Distributed System Security Symposium

• Publication date

  Unknown publication date

• Fields of study

  Computer Science

• Identifiers
  DOI 10.14722/ndss.2019.23409
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Drive-by Key-Extraction Cache Attacks from Portable Code

  2018cited by this paper
• Speculative Buffer Overflows: Attacks and Defenses

  2018influential reference
• Speculose: Analyzing the Security Implications of Speculative Execution in CPUs

  2018cited by this paper
• Spectre Attacks: Exploiting Speculative Execution

  2018influential reference
• SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution

  2018cited by this paper
• Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution

  2018cited by this paper
• NetSpectre: Read Arbitrary Memory over Network

  2018cited by this paper
• BranchScope: A New Side-Channel Attack on Directional Branch Predictor

  2018cited by this paper
• Meltdown: Reading Kernel Memory from User Space

  2018cited by this paper
• Angr - The Next Generation of Binary Analysis

  2017cited by this paper
• The undecidability of aliasing

  2016cited by this paper
• Understanding and Mitigating Covert Channels Through Branch Predictors

  2016cited by this paper
• On the capacity of thermal covert channels in multicores

  2016cited by this paper
• Jump over ASLR: Attacking branch predictors to bypass ASLR

  2016cited by this paper
• Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing

  2016cited by this paper
• Driller: Augmenting Fuzzing Through Selective Symbolic Execution

  2016cited by this paper
• ROPInjector : Using Return Oriented Programming for Polymorphism and Antivirus Evasion

  2015cited by this paper
• Covert channels through branch predictors: a feasibility study

  2015cited by this paper
• EXPLOITING PROCESSOR SIDE CHANNELS TO ENABLE CROSS VM MALICIOUS CODE EXECUTION

  2015cited by this paper
• SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers

  2015cited by this paper
• Thermal Covert Channels on Multi-core Platforms

  2015cited by this paper
• BareCloud: Bare-metal Analysis-based Evasive Malware Detection

  2014cited by this paper
• One packer to rule them all Empirical identification , comparison and circumvention of current Antivirus detection techniques

  2014cited by this paper
• FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack

  2014cited by this paper
• The Page-Fault Weird Machine: Lessons in Instruction-less Computation

  2013cited by this paper
• Abusing File Processing in Malware Detectors for Fun and Profit

  2012cited by this paper
• A survey on automated dynamic malware-analysis techniques and tools

  2012cited by this paper
• Cross-VM side channels and their use to extract private keys

  2012cited by this paper
• Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud

  2012cited by this paper
• Exploit Programming From Buffer Overflows to “Weird Machines” and Theory of Computation

  2011cited by this paper
• Detecting Environment-Sensitive Malware

  2011cited by this paper
• BareBox: efficient malware analysis on bare-metal

  2011cited by this paper
• All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)

  2010cited by this paper
• Efficient Detection of Split Personalities in Malware

  2010cited by this paper
• PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion

  2009cited by this paper
• A Fistful of Red-Pills: How to Automatically Generate Procedures to Detect CPU Emulators

  2009cited by this paper
• A Study of the Packer Problem and Its Solutions

  2008cited by this paper
• The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)

  2007cited by this paper
• Exploring Multiple Execution Paths for Malware Analysis

  2007cited by this paper
• Predicting Secret Keys Via Branch Prediction

  2007cited by this paper
• Cache Attacks and Countermeasures: The Case of AES

  2006cited by this paper
• Covert and Side Channels Due to Processor Architecture

  2006cited by this paper
• CACHE MISSING FOR FUN AND PROFIT

  2005cited by this paper
• Smashing the stack for fun and prot

  1996cited by this paper
• Smashing The Stack For Fun And Profit

  1996cited by this paper
• The universal turing machine: a half-century survey

  1996cited by this paper
• Undecidability of static analysis

  1992cited by this paper
• Computing the Busy Beaver Function

  1987cited by this paper
• A note on the confinement problem

  1973cited by this paper
• On Computable Numbers, with an Application to the Entscheidungsproblem.

  1937cited by this paper

• SSMR: Statically Detecting Speculation Safe Memory Regions to Mitigate Transient Execution Attacks

  2026cites this paper
• WeMu: Effective and Scalable Emulation of Microarchitectural Weird Machines

  2026cites this paper
• A Survey of Side-Channel Attacks on Branch Prediction Units

  2025cites this paper
• Game Theoretic Approach Toward Detection of Input‐Driven Evasive Malware in the IoT

  2024cites this paper
• SNDMI: Spyware network traffic detection method based on inducement operations

  2024cites this paper
• Weird Machines in Package Managers: A Case Study of Input Language Complexity and Emergent Execution in Software Systems

  2024cites this paper
• Bending microarchitectural weird machines towards practicality

  2024cites this paper
• A Survey of Side-Channel Attacks in Context of Cache - Taxonomies, Analysis and Mitigation

  2023influential citation
• The ghost is the machine: Weird machines in transient execution

  2023cites this paper
• This is How You Lose the Transient Execution War

  2023cites this paper
• Parent process termination: an adversarial technique for persistent malware

  2023cites this paper
• TALUS: Reinforcing TEE Confidentiality with Cryptographic Coprocessors (Technical Report)

  2023cites this paper
• Transient-Execution Attacks: A Computer Architect Perspective

  2023cites this paper
• ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture

  2022cites this paper
• Attack detection based on machine learning algorithms for different variants of Spectre attacks and different Meltdown attack implementations

  2022cites this paper
• MOTIF: A Malware Reference Dataset with Ground Truth Family Labels

  2022cites this paper
• MOTIF: A Large Malware Reference Dataset with Ground Truth Family Labels

  2021cites this paper
• Work In Progress: Discovering Emergent Computation Across Abstraction Boundaries

  2021cites this paper
• Recurring verification of interaction authenticity within bluetooth networks

  2021cites this paper
• Survey of CPU Cache-Based Side-Channel Attacks: Systematic Analysis, Security Models, and Countermeasures

  2021influential citation
• Computing with time: microarchitectural weird machines

  2021cites this paper
• Static Analysis of PE files Using Neural Network Techniques for a Pocket Tool

  2021cites this paper
• Streamline: a fast, flushless cache covert-channel attack by enabling asynchronous collusion

  2021cites this paper
• SpectreRewind: Leaking Secrets to Past Instructions

  2020cites this paper
• PerSpectron: Detecting Invariant Footprints of Microarchitectural Attacks with Perceptron

  2020cites this paper
• Differential Analysis and Fingerprinting of ZombieLoads on Block Ciphers

  2020cites this paper
• LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection

  2020influential citation
• Speculative Interference Attacks: Breaking Invisible Speculation Schemes Extended

  2020cites this paper
• Exploring Branch Predictors for Constructing Transient Execution Trojans

  2020influential citation
• SpectreRewind: A Framework for Leaking Secrets to Past Instructions

  2020cites this paper
• Real time Detection of Spectre and Meltdown Attacks Using Machine Learning

  2020cites this paper
• Speculative interference attacks: breaking invisible speculation schemes

  2020cites this paper
• Trustworthy Wireless Personal Area Networks

  2019cites this paper
• Weird Machines as Insecure Compilation

  2019cites this paper
• CleanupSpec: An "Undo" Approach to Safe Speculation

  2019cites this paper
• Bayesian Game Theoretic Model for Evasive AI Malware Detection in IoT

  year unknowncites this paper
• Game Theoretic Security Analysis against Input-Driven Evasive Malware in the IoT

  year unknowncites this paper
• This paper is included in the Proceedings of the 33rd USENIX Security Symposium.

  year unknowncites this paper