New Class of Malware Attacks Specific Chips

Computer malware is insidious and dangerous but there are well known limits to the kinds of attacks that it can be used to mount. One of the most obvious is that the malware has to be targeted at a weakness in a specific operating system.

So there’s no shortage of malware targeting the Windows operating system, for example, but this is easy enough to avoid by using a Mac.

But Anthony Desnos and friends at the Ecole Superiore d’Informatique, Electronique, Automatique (ESIEA) in Paris say it ought to be possible to make malware much more insidious. Today, they show how to create malware that targets a specific processor rather than the operating system that runs on it. That kind of attack is much harder to protect against.

The first step in such an undertaking is to work out how to identify a processor, a task that is by no means straightforward but not impossible.

One clue comes from a bug in Intel’s P5 chip back in 1994 that caused it to make floating point errors in various calculations. A simple way to discover whether anybody is using such a chip would be to carry out a calculation that the P5 is known to screw up.

Desnos and co point out that all chips have mathematical limitations that are determined by the standards they use for encoding numbers and carrying out floating point arithmetic. Some of these are well known.

For example, many processors use the IEEE P754 standard for 32-bit number formats and basic mathematical operations. Here, the first bit represents the sign of the number, the next 8 bits represent the exponent and the final 23 bits represent the mantissa.

(One way to represent a number is to write down its digits and then indicate where the decimal point should go. So the number 123.45 can be written as 12345 x 10^-2. 12345 is the mantissa and -2 is the exponent. )

This standard has various known limitations. Consider, for example, the expression:

F(X,Y) = (1682XY^4 + 3X^3 + 29XY^2 - 2X^5 + 832)/107751

When X = 192119201 and Y = 35675640, the answer is 1783. But a processor using the IEEE P754 standard will calcalute that F(X,Y) = −7.18056 x 10^20. A dead give away.

The problem for Desnos and co is to find a set of floating point calculations like this that can uniquely identify any processor.

And they’ve gone some way to finding them using tasks such as calculating sin(10^10 pi) for various different numerical values of pi. They can’t yet spot specific processors but they can use this technique to identify families of them (see table above). It’s then just a question of running some code that does the damage.

Desnos and co say this kind of approach would allow much more specific cyberattacks than are possible today. “If such an approach is possible, this would enable far more precise and targeted attacks, at a finer level in a large network of heterogeneous machines but with generic malware,” they say.

That’s a worrying new addition to the armoury of malice. Highly targeted cyber attacks have obvious value, as demonstrated recently by the Stuxnet worm aimed at computer systems used to control industrial machines and apparently targeted at Iran and China.

The only question now is how long till we see processor-dependent malware in the wild.

Ref: arxiv.org/abs/1011.1638: Processor-Dependent Malware… And Codes