Emerging Technology from the arXiv

A View from Emerging Technology from the arXiv

New Class of Malware Attacks Specific Chips

Computer scientists reveal malware that attacks specific processors rather than the operating system that runs on them.

  • November 10, 2010

Computer malware is insidious and dangerous but there are well known limits to the kinds of attacks that it can be used to mount. One of the most obvious is that the malware has to be targeted at a weakness in a specific operating system.

So there’s no shortage of malware targeting the Windows operating system, for example, but this is easy enough to avoid by using a Mac.

But Anthony Desnos and friends at the Ecole Superiore d’Informatique, Electronique, Automatique (ESIEA) in Paris say it ought to be possible to make malware much more insidious. Today, they show how to create malware that targets a specific processor rather than the operating system that runs on it. That kind of attack is much harder to protect against.

The first step in such an undertaking is to work out how to identify a processor, a task that is by no means straightforward but not impossible.

One clue comes from a bug in Intel’s P5 chip back in 1994 that caused it to make floating point errors in various calculations. A simple way to discover whether anybody is using such a chip would be to carry out a calculation that the P5 is known to screw up.

Desnos and co point out that all chips have mathematical limitations that are determined by the standards they use for encoding numbers and carrying out floating point arithmetic. Some of these are well known.

For example, many processors use the IEEE P754 standard for 32-bit number formats and basic mathematical operations. Here, the first bit represents the sign of the number, the next 8 bits represent the exponent and the final 23 bits represent the mantissa.

(One way to represent a number is to write down its digits and then indicate where the decimal point should go. So the number 123.45 can be written as 12345 x 10^-2. 12345 is the mantissa and -2 is the exponent. )

This standard has various known limitations. Consider, for example, the expression:

F(X,Y) = (1682XY^4 + 3X^3 + 29XY^2 - 2X^5 + 832)/107751

When X = 192119201 and Y = 35675640, the answer is 1783. But a processor using the IEEE P754 standard will calcalute that F(X,Y) = −7.18056 x 10^20. A dead give away.

The problem for Desnos and co is to find a set of floating point calculations like this that can uniquely identify any processor.

And they’ve gone some way to finding them using tasks such as calculating sin(10^10 pi) for various different numerical values of pi. They can’t yet spot specific processors but they can use this technique to identify families of them (see table above). It’s then just a question of running some code that does the damage.

Desnos and co say this kind of approach would allow much more specific cyberattacks than are possible today. “If such an approach is possible, this would enable far more precise and targeted attacks, at a finer level in a large network of heterogeneous machines but with generic malware,” they say.

That’s a worrying new addition to the armoury of malice. Highly targeted cyber attacks have obvious value, as demonstrated recently by the Stuxnet worm aimed at computer systems used to control industrial machines and apparently targeted at Iran and China.

The only question now is how long till we see processor-dependent malware in the wild.

Ref: arxiv.org/abs/1011.1638: Processor-Dependent Malware… And Codes

Get stories like this before anyone else with First Look.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

Want more award-winning journalism? Subscribe to Insider Premium.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Listen in as our editors talk to innovators from around the world.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.