Slashdot Mirror


Research Inches Toward Processor-Specific Malware

chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: it's not easy to figure out what kind of CPU a device is running. But researchers at France's École Supérieure d'Informatique, Électronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."

155 comments

  1. Phew i'm good. by Anonymous Coward · · Score: 0

    Glad no one targets my WinChip CPU for anything.

    1. Re:Phew i'm good. by bhcompy · · Score: 2, Informative

      Yea, no malware for my Cyrix either

    2. Re:Phew i'm good. by MichaelSmith · · Score: 1

      My atmel is safe.

    3. Re:Phew i'm good. by Anonymous Coward · · Score: 3, Funny

      Yeah, cuz "cat /proc/cpuinfo" is so frickin' hard to do.

      Security through obscurity FTW!

    4. Re:Phew i'm good. by Anonymous Coward · · Score: 0

      Seeing as a WinChip is slow enough that running cat /proc/cpuinfo is so slow...

    5. Re:Phew i'm good. by arivanov · · Score: 1

      Exactly, while CPUID and its equivalents are usually privileged operations their results are not.

      Most OSes out there will spill the beans on the platform including CPU, PCI devices, USB devices, etc. to anyone. Some of that info is even handed out freely to anyone the system talks to. There is also a whole bunch of network protocols which disclose some info about the systems involved - HTTP (User-Agent string), UPnP and discovery protocols like Rendezvous, CDP, you name it.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    6. Re:Phew i'm good. by TheRaven64 · · Score: 1

      Exactly, while CPUID and its equivalents are usually privileged operations their results are not.

      CPUID is not a privileged operation. Any userspace program can run it. You can see for yourself:

      $ cat cpuid.c && gcc cpuid.c && ./a.out
      #include <stdio.h>
      #include <stdint.h>
      #include <string.h>

      /* Twelve bytes of vendor string, viewable as three 32-bit registers */
      typedef union
      {
          uint32_t r[3];
          char string[12];
      } cpuid_t;

      int main(void)
      {
          cpuid_t cpu;
          uint32_t max_leaf;
          /* Leaf 0: EAX=0 in; vendor string comes back in EBX, EDX, ECX (in that
             order). EAX is overwritten too, so it must be declared as an output
             ("0" ties the input to the same register) or the compiler assumes it
             still holds 0 afterwards. */
          __asm__ __volatile__(
              "cpuid"
              : "=a" (max_leaf), "=b" (cpu.r[0]), "=c" (cpu.r[2]), "=d" (cpu.r[1])
              : "0" (0));
          printf("CPU ID is: %.12s\n", cpu.string);
          return 0;
      }
      CPU ID is: GenuineIntel

      Change the value in the input register (eax) to something other than 0 to get more information than the name. You can also read some MSRs that tell you more about the CPU, also from ring 3.

      The thing that makes this interesting is that it works inside a VM. For example, if you are a Xen HVM guest, the CPU ID string will be XenVMMXenVMM because the hypervisor traps the CPUID instruction. If you're running untrusted code in a VM, the VM may be lying to the guest OS about what kind of CPU it's using. Given that some bugs (e.g. some of the cache-related errata in Intel's Core 2 series) potentially allow you to escape from the VM, this is quite important for malware.

      --
      I am TheRaven on Soylent News
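An added worked example, not TheRaven64's program and not code from the ESIEA paper: it uses the compiler's <cpuid.h> helpers instead of raw inline assembly, decodes family/model/stepping from leaf 1, and does the hypervisor check properly. Two facts worth pinning down for the VM case: a Xen or KVM guest still reports GenuineIntel/AuthenticAMD in leaf 0, while the "XenVMMXenVMM" / "KVMKVMKVM" signature lives in leaf 0x40000000, which is only meaningful once CPUID.1:ECX bit 31 (the hypervisor-present bit) is set; and a hypervisor that traps CPUID can clear that bit or forge the signature, which is exactly the "VM may be lying" point. MSRs, by contrast, are ring-0 only (RDMSR faults in ring 3), so reading them from userspace needs a kernel interface such as Linux's /dev/cpu/*/msr. Function names and the non-x86 fallback are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/Clang: __get_cpuid(), __cpuid() */
#define HAVE_X86_CPUID 1
#endif

typedef struct { unsigned family, model, stepping; } cpu_sig;

/* Decode CPUID.1:EAX. Per the Intel and AMD manuals the extended family field
   only counts when the base family is 0xF, and the extended model only when the
   base family is 0x6 or 0xF; skipping that mislabels every modern core. */
cpu_sig decode_signature(uint32_t eax)
{
    cpu_sig s;
    unsigned model       = (eax >> 4)  & 0xF;
    unsigned base_family = (eax >> 8)  & 0xF;
    unsigned ext_model   = (eax >> 16) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;
    unsigned family      = base_family;
    s.stepping = eax & 0xF;
    if (base_family == 0xF) family += ext_family;
    if (base_family == 0x6 || base_family == 0xF) model |= ext_model << 4;
    s.family = family;
    s.model  = model;
    return s;
}

/* Leaf 0: the vendor string is EBX,EDX,ECX in that order. Returns the highest
   basic leaf, or 0 on a non-x86 build (out is left empty). */
uint32_t cpu_vendor(char out[13])
{
    out[0] = '\0';
#ifdef HAVE_X86_CPUID
    unsigned a, b, c, d;
    if (!__get_cpuid(0, &a, &b, &c, &d)) return 0;
    memcpy(out, &b, 4); memcpy(out + 4, &d, 4); memcpy(out + 8, &c, 4);
    out[12] = '\0';
    return a;
#else
    return 0;
#endif
}

/* Raw CPUID.1:EAX signature, 0 if unavailable. */
uint32_t cpu_signature_eax(void)
{
#ifdef HAVE_X86_CPUID
    unsigned a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) ? a : 0;
#else
    return 0;
#endif
}

/* CPUID.1:ECX bit 31 is reserved-zero on bare metal and set by hypervisors that
   want to be found; leaf 0x40000000 then carries a 12-byte vendor signature in
   EBX,ECX,EDX ("KVMKVMKVM", "XenVMMXenVMM", "VMwareVMware", "Microsoft Hv").
   __get_cpuid() refuses leaves above the basic maximum, so the raw macro is used.
   A hypervisor may clear the bit or forge the string: treat this as a hint. */
int hypervisor_signature(char sig[13])
{
    sig[0] = '\0';
#ifdef HAVE_X86_CPUID
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    if (!(c & (1u << 31))) return 0;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(sig, &b, 4); memcpy(sig + 4, &c, 4); memcpy(sig + 8, &d, 4);
    sig[12] = '\0';
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    char vendor[13], hv[13];
    if (cpu_vendor(vendor) == 0) { puts("no CPUID on this build"); return 0; }
    cpu_sig s = decode_signature(cpu_signature_eax());
    printf("vendor %s, family 0x%x model 0x%x stepping %u\n",
           vendor, s.family, s.model, s.stepping);
    if (hypervisor_signature(hv)) printf("hypervisor present: %s\n", hv);
    else puts("hypervisor bit clear (bare metal, or a hypervisor that hides)");
    return 0;
}
```

Compile with `gcc -O2 cpuid_probe.c` on any x86 host; inside a KVM guest the last line reads "hypervisor present: KVMKVMKVM". The decode is the part worth unit-testing, because the two sample signatures (Intel 0x306A9, AMD 0x870F10) exercise both extended-field rules.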
  2. Software Warming by cosm · · Score: 0, Offtopic

    We need an Al Gore of receding corporate monopolies!

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Software Warming by MrEricSir · · Score: 2, Funny

      You mean the Department of Justice?

      --
      There's no -1 for "I don't get it."
    2. Re:Software Warming by davester666 · · Score: 3, Insightful

      The department of justice no longer does what you think it does.

      It switched over the last decade or two from the department that does justice for you, to the department that does justice TO you.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Software Warming by Obyron · · Score: 1

      Oh really? So you'd rather go back to the halcyon days of J. Edgar Hoover when everybody's rights were respected and no one ever got spied on by the Justice Department?

      --
      --Obyron
  3. It guys by Octopuscabbage · · Score: 1

    After this report 57 IT representatives quit their job in order to become store clerks.

    1. Re:It guys by Anonymous Coward · · Score: 0

      After this report 57 IT representatives quit their job in order to become store clerks.

      They should go door-to-door selling magazines. I bet they would make way more money than they did at their previous respective jobs.

    2. Re:It guys by mldi · · Score: 1

      After this report 57 IT representatives quit their job in order to become store clerks.

      They should go door-to-door selling magazines. I bet they would make way more money than they did at their previous respective jobs.

      What am I gonna do with 40 subscriptions to Vibe?!

      --
      If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
  4. Ok, maybe this is too simple but by justsomecomputerguy · · Score: 1

    at least at the start of this next frontier how about testing for the chip profiling software. It's one thing to be able to "detect subtle differences" in floating point operations but another to do it while also trying to avoid detection while you're doing it.

    1. Re:Ok, maybe this is too simple but by WrongSizeGlass · · Score: 4, Insightful

      Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with it's own ethernet drivers? It's own TCP/IP stack? If it's not relying on the OS to do its dirty work than what does it do besides figuring out your CPU type?

    2. Re:Ok, maybe this is too simple but by macs4all · · Score: 0, Interesting

      Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with it's own ethernet drivers? It's own TCP/IP stack? If it's not relying on the OS to do its dirty work than what does it do besides figuring out your CPU type?

      Exactly what I was thinking.

      Correct me if I'm wrong, but doesn't ALL malware exploit vulnerabilities in an application or an OS? So, as you say, unless the malware carries its own network and likely filesystem drivers (and then WHICH filesystem, WHICH NIC?), WTF can it really DO?

    3. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 5, Insightful

      Not to mention it is totally nuts from a malware writer's POV. You have roughly 93% of the business and home desktops running WinOS, with a good portion of those still running the "Hey, let's all run as admin everybody!" XP, and with the huge amounts of home users now on fast connections with NO clue as to whether they are up to date or even if their AV works, jumping through all those hoops to base your malware on a specific CPU would not only be silly it would be purposely limiting your target.

      If everyone wants to know what the big targets of the future are gonna be, let this old PC repair guy fill you in: On the home front it'll be Adobe everything, thanks to them not working with MSFT to have updates to their software pushed through Windows Updates so it is ALWAYS out of date, drive-by malware courtesy of social sites like Facebook, JavaScript malware o' the day pushed by the above, and on the mobile side I'm expecting a huge iOS and Android bug any day now, even though with the shitty USA phone networks you won't be getting as much as with a cable or DSL connection, simply because all the malware guys want to go "I did it! Yep, it was me!", and finally don't forget the EVER popular "ZOMG! U Got teh Viruz!!! Run thiz and turn off your broken AV pleasz!" fake AV crap that still spreads like the clap.

      So there you go. While some researcher may think the "next wave" will be some uber super hacker shit, I'm willing to bet the pickings are just too easy the way things are for most malware guys to care. Maybe when 2014 rolls around and folks have to either buy new machines or upgrade away from XP will we see things change, as UAC, ASLR, and DEP do make it harder for malware along with WoW on x64, but right now there are still hundreds of millions on XP, and if you add in the ones that will happily turn off their AV just to see the dancing bunnies or will run "special codecs" to see teh prons, well that is a hell of a lot of easy pickings. Remember folks, criminals are just like any other predator and are inherently lazy. If they can nail lots of prey without hardly any work then that is what they WILL do, and working on these machines 6 days a week I can tell you there is a LOT of easy prey out there. No "super uber CPU specific hacks" required.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Ok, maybe this is too simple but by stilesalaska · · Score: 1

      But, Won't something like Apparmor, work? Hmm YES! Linux Has the updates! Ms has the problem Not updating! Yes Java is apparmor Flash not so but Both Firefox and Chrome are! And lots more, M$ has come a way but is still not there! Don't give me the crap about Market share! They only look at ome! Not Download install right now it is about 14 to 16%. And growing! Don't think other ways!

    5. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 2, Funny

      Uhhh...is ANY of that supposed to be English, or is it like a bad FOSS troll meme generator I haven't heard about? If not you might want to get back on your meds dude, as that little rant of yours reads like someone on meth with ADHD.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Ok, maybe this is too simple but by jimicus · · Score: 1

      Word is that a lot of modern malware is starting to check the OS and not do anything that would trigger a UAC alert under Vista or Win7.

      Which makes a lot of sense - AFAIK you can still establish a TCP connection and ship out the contents of the user's home directory with little fear of detection.

    7. Re:Ok, maybe this is too simple but by gl4ss · · Score: 4, Insightful

      it's just fud. early stage fud. from france.

      you know, research for the sake of research for the sake of getting more money to do more research.

      besides than that : have they not heard of cpuid? -DDD the hardest part of this attack definitely wouldn't be figuring out which cpu the computer has.

      so they're tackling the EASIEST part of this, just figuring out which cpu the running host has. they would still have to find application specific holes to get their fingerprinting code to actually run on the target systems. on top of that their fingerprinting depends on you getting to run native code on the target system, after that I suppose the aim is to raise privileges of the running process to actually do a hack however that would still be very os/app specific.

      the whole effort seems quite absurd, except from academia point of view which is to just suck in money while doing nothing.

      --
      world was created 5 seconds before this post as it is.
    8. Re:Ok, maybe this is too simple but by grcumb · · Score: 1

      at least at the start of this next frontier how about testing for the chip profiling software.

      As others have said already: cat /proc/cpuinfo

      Okay, seriously: I know you mean more than that. If an application really wants to take advantage of shortcomings within a given processor type, it will necessarily have to interact with it. Problem is, it can do so in any one of a number of ways. It could even infect other software and use its activity as cover to inject the tests necessary to characterise the processor's weaknesses.

      It's one thing to be able to "detect subtle differences" in floating point operations but another to do it while also trying to avoid detection....

      See above.

      But why bother attacking the processor if you've already won your way onto the machine and infected other software? Back in 2007, Adi Shamir outlined a way to use errors in math routines to crack private keys. My write-up on it is here. Put most simply, if you know there is a math flaw in a particular kind of processor, then you can exploit that by injecting ‘poisoned’ values into the key decryption process. By watching what happens to that known value, you can infer enough about the key itself that you can, with a little more math, quickly break the private key.

      This is not particularly useful for botnet-style attacks that spread themselves indiscriminately around using lowest common denominator exploits. It is useful for the kind of focused attack we've seen recently, in which people target specific individuals in order to steal sensitive data.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
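What grcumb describes is the Lenstra / Boneh-DeMillo-Lipton fault attack on RSA-CRT, which Shamir's 2007 note revisits for the case where the "fault" is a processor whose multiplier returns a wrong product for some operand pair: if one of the two CRT half-exponentiations is computed wrongly, the faulty signature s' still satisfies s'^e = m (mod q) but no longer (mod p), so gcd(s'^e - m, N) hands the attacker a prime factor from a single bad signature and the message. The program below is an added toy, not grcumb's write-up and not Shamir's or the ESIEA paper's code: it uses two constructed 32-bit primes so the arithmetic fits in GCC's unsigned __int128, simulates the hardware flaw as one flipped bit in the mod-p half, runs the gcd recovery, and shows the standard countermeasure (verify before releasing). Real keys are 2048-bit and need a bignum library; the mathematics is unchanged.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* GCC/Clang extension: enough for 64-bit moduli */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((u128)a * b) % n);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1 % n;
    b %= n;
    while (e) {
        if (e & 1) r = mulmod(r, b, n);
        b = mulmod(b, b, n);
        e >>= 1;
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a^-1 mod n by extended Euclid; caller guarantees gcd(a, n) == 1 */
static uint64_t invmod(uint64_t a, uint64_t n)
{
    __int128 t = 0, nt = 1, r = n, nr = a % n;
    while (nr) {
        __int128 q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + n : t);
}

typedef struct { uint64_t n, e, d, p, q, dp, dq, qinv; } rsa_key;

/* Constructed toy key: the two largest 32-bit primes, so n < 2^64. Not a real key. */
rsa_key toy_key(void)
{
    rsa_key k;
    k.p = 4294967291ULL;
    k.q = 4294967279ULL;
    k.n = k.p * k.q;
    k.e = 65537;
    uint64_t phi = (k.p - 1) * (k.q - 1);
    k.d = invmod(k.e, phi);
    k.dp = k.d % (k.p - 1);
    k.dq = k.d % (k.q - 1);
    k.qinv = invmod(k.q % k.p, k.p);
    return k;
}

/* RSA-CRT signing with Garner recombination. fault != 0 flips one bit of the
   mod-p half, standing in for a multiplier that misbehaves on some operand;
   the mod-q half and the recombination stay correct, which is all the attack needs. */
uint64_t rsa_crt_sign(const rsa_key *k, uint64_t m, int fault)
{
    uint64_t sp = powmod(m % k->p, k->dp, k->p);
    uint64_t sq = powmod(m % k->q, k->dq, k->q);
    if (fault) sp ^= 1;
    uint64_t h = mulmod((sp + k->p - sq % k->p) % k->p, k->qinv, k->p);
    return sq + k->q * h;              /* < q + q*(p-1) = n, so no overflow */
}

/* Lenstra's gcd: needs only the public key, the message and one faulty signature.
   Returns n if the signature was actually correct, 1 if both halves were wrong. */
uint64_t lenstra_factor(uint64_t n, uint64_t e, uint64_t m, uint64_t faulty_sig)
{
    uint64_t t = powmod(faulty_sig, e, n);
    uint64_t diff = t >= m ? t - m : n - (m - t);   /* (t - m) mod n */
    return gcd64(diff, n);
}

/* Countermeasure: verify with the public exponent before releasing a signature,
   so a faulty value never leaves the signer. */
int rsa_crt_sign_checked(const rsa_key *k, uint64_t m, int fault, uint64_t *out)
{
    uint64_t s = rsa_crt_sign(k, m, fault);
    if (powmod(s, k->e, k->n) != m % k->n) return 0;
    *out = s;
    return 1;
}

int main(void)
{
    rsa_key k = toy_key();
    uint64_t m = 0x1122334455667788ULL;     /* constructed message, m < n */
    uint64_t good = rsa_crt_sign(&k, m, 0), bad = rsa_crt_sign(&k, m, 1), s = 0;
    uint64_t f = lenstra_factor(k.n, k.e, m, bad);
    printf("good signature verifies: %d\n", powmod(good, k.e, k.n) == m);
    printf("recovered factor %llu == q: %d, n/factor == p: %d\n",
           (unsigned long long)f, f == k.q, k.n / f == k.p);
    printf("checked signer releases the faulty signature: %d\n",
           rsa_crt_sign_checked(&k, m, 1, &s));
    return 0;
}
```

The point grcumb makes about targeting follows directly: the attacker needs the victim to sign a message of their choosing on the flawed hardware and to see the result, which fits a focused attack on one person's signing key far better than an indiscriminate botnet payload.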
    9. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 1

      Citation please? Because honestly with ASLR, DEP, and WoW I just don't see how malware can do much without triggering UAC or setting off the AV or both. They can't write to any of the important directories, nor can they add themselves to startup or change the memory or files of another app. Considering the whole point of most malware is to add the PC to a botnet, having a machine that didn't even survive reboot or couldn't read/write many files doesn't sound very useful to me, especially when there are lots of XP machines still out there.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Ok, maybe this is too simple but by jimicus · · Score: 2, Interesting

      It's rumour, take it with as much or as little salt as you think it needs. But a quick google for malware UAC shows:

      http://www.zdnet.com/blog/security/windows-7s-default-uac-bypassed-by-8-out-of-10-malware-samples/4825

      http://www.theregister.co.uk/2009/02/04/windows_uac_flaw/

      And IIRC there was a piece of malware that was signed using a genuine, valid certificate that was issued to Realtek. Looks like I do RC:

      http://news.softpedia.com/news/Signed-Malware-Used-Valid-Realtek-Certificate-147942.shtml

        - this would walk all over the protection offered by ASLR and DEP because it wouldn't need to be injected into another running process.

      Having said all that, I never for one minute believed the death of XP would mean the end of malware. It's become a full-blown industry in its own right these days, and a lot of money is involved. Those who do it aren't going to let a bunch of acronyms that make their job a little harder until such time as they've put whatever functionality they need to work around it into a library any more than burglars all gave up and started going straight with the advent of modern locks.

    11. Re:Ok, maybe this is too simple but by L4t3r4lu5 · · Score: 1
      --
      Finally had enough. Come see us over at https://soylentnews.org/
    12. Re:Ok, maybe this is too simple but by TheRaven64 · · Score: 1

      Read the errata sheet from any recent Intel or AMD chip. Some things are relatively trivial, some are not. For example, there was a flaw with the P4's hyperthreading implementation that allowed one thread to access the other thread's cache. If one thread was in ring 0, and the other in ring 3, the thread in ring 3 could use this to elevate itself to ring 0. There's a more subtle flaw with the cache controller on the Core 2 Duo series, which, again, has the potential to allow privilege elevation.

      --
      I am TheRaven on Soylent News
    13. Re:Ok, maybe this is too simple but by thoromyr · · Score: 1

      This sounds like some "researcher" trying to justify themselves. You see it a lot in the security field (and presumably others) and it seems to stem from a need to establish credentials. So people will say the dumbest things, just to be saying something different, or feel a need to modify accepted and logical security principles (you can transfer, mitigate or accept risk; all attempts to add additional categories really fall under one of the three, but if you can blather loud and long enough then you can "advance the field" by convincing others that you have something new).

      Where malware is *really* going is OS agnostic. Whether it is a java-based bot (yes, java *does* provide crossplatform apps when you don't intentionally cripple it), something done in perl (misses windows, but catches virtually every other OS), or a javascript/web-based system.

      Although vulnerabilities are useful they aren't critical -- a lot can be done simply through presentation to the user and having them as "witting dupes" ("You mean I *wasn't* supposed to authorize installation of a new "codec" to watch that video?"), but the majority of in-use exploits are against third party apps/plugins such as Adobe Reader, Adobe Flash and Sun/Oracle Java. Occasionally I track down the initial infection, and the one I did this on earlier this week was a Java exploit with three items downloaded (providing between them downloader and web-based command/control capabilities). Antivirus coverage was pathetic (something like 6/43 at VirusTotal). User had no idea anything had happened. And all of this was done within the user's limited account. Maybe better sandboxing of crappy applications would help, but until we have usable sandboxing (it must *really* sandbox the applications and still allow for what is being sandboxed to be usable and effective at what the user is trying to do with it) there's no need for malware writers to advance beyond current methods.

      Current malware is very successful without any need to try and tie to specific hardware.

    14. Re:Ok, maybe this is too simple but by Anonymous Coward · · Score: 0

      IMO, in the next couple years, these will be the biggest malware vectors:

      * Windows XP machines. These users are typically 'stupid', and the machines refuse to die. It's been EOL'd, and MS is sure to decrease its attention to it.
      * Stupid users in general, from things like Antivirus 2010, which are insidious in their infection methods. Nothing about W7 or Vista will prevent these from doing their dirty work.
      * Symantec. It's a false sense of security - like a blind gatekeeper.
      * Like you said: Adobe and Javascript. With JS engines getting better, there will be a lot of JS stuff running in the browser, hidden from the user's view.
      Mobile devices? We'll see a lot of sleeper malware in that department: things which are unobtrusive but harvest personal data. And by 'personal data' I mean everything from the calls you're making to your use habits, applications installed, and personal information.

    15. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 1

      Oh don't get me wrong, I don't for a second think Win 7 is some "magic bullet" that will stop malware, it is just in my experience Windows 7 makes it more of a PEBKAC problem than a "oops you opened the wrong webpage" problem. I have NO doubt as long as there is money to be made in malware somebody will be finding kinks in the armor, I simply think the more layers of armor they have to get through the better. I have seen WinXP literally get completely pwned just by opening the wrong page in IE. Hopefully MSFT isn't sitting back and is learning from their past mistakes. I think ASLR, DEP, SXS, and WoW are good signs someone high up is taking security seriously, but expecting malware to just die is simply delusional.

      But thanks for the links, they make for some interesting reading.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  5. Obligatory intel bashing by zill · · Score: 4, Funny

    if( 4195835*3145727/3145727 != 4195835 ){
    cpu = "Intel Pentium";
    }

    1. Re:Obligatory intel bashing by Mitchell314 · · Score: 2, Insightful

      4195835*3145727/3145727 == 4195835.00000001

      --
      I read TFA and all I got was this lousy cookie
    2. Re:Obligatory intel bashing by Anonymous Coward · · Score: 0

      4195835*3145727/3145727 == 4195835.00000001

      True!

    3. Re:Obligatory intel bashing by wvmarle · · Score: 2, Informative

      This depends apparently on your programming language. I know the .00000001 has to do with decimal to binary conversion which introduces this kind of errors. Anyway I just tried this in Python, and got a different result:
      >>> 4195835*3145727/3145727
      4195835L
      >>> 4195835*3145727/3145727 == 4195835
      True
      >>> 4195835*3145727/3145727 == 4195835.00000001
      False
      >>>

    4. Re:Obligatory intel bashing by Anonymous Coward · · Score: 0

      I have to respond to this anonymously because I moderated the comment Insightful after someone else had modded it Redundant. I had to mod it Insightful because it is correct. The parent said "if (4195835*3145727/3145727 != 4195835) {}" as a joke. I assume that this parent meant "if (4195835*3145727/3145727 == 4195835.00000001) {}" as a joke as well and it's sort of correct. If one of those literals was a double (in C or C++ and probably most other languages) you really shouldn't compare like 4195835*3145727/3145727 != 4195835. I.e. if the statement was if (4195835.0*3145727/3145727 != 4195835) or even (4195835F*3145727/3145727 != 4195835) then that's a bit silly to do. So I had to assume that Mitchell314 was suggesting this, hence the Insightful -- because that could be processor dependent as well as compiler/OS dependent. Thanks, I will log back in now :)

    5. Re:Obligatory intel bashing by gl4ss · · Score: 1

      well, that is essentially the whole basis for these researchers work. oh the academics.

      --
      world was created 5 seconds before this post as it is.
    6. Re:Obligatory intel bashing by vidnet · · Score: 1

      Indeed. TFA is about identifying processors, the bit about exploits is just an attention grabber.

    7. Re:Obligatory intel bashing by Anonymous Coward · · Score: 0

      Anyway I just tried this in Python, and got a different result

      And they say Python is just a toy language!

    8. Re:Obligatory intel bashing by Anonymous Coward · · Score: 0

      Python's using ints, not floats, I presume.
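zill's check is the famous Pentium FDIV probe, and the replies are right that what it means depends entirely on the types of the literals. The added example below is not from the page; it writes the probe the way a practitioner would: the division runs in double at run time behind volatile so the compiler cannot fold it at build time, the residual x - (x/y)*y is compared against a tolerance rather than with != because it is only zero up to rounding on a correct FPU while the flawed Pentium returns 256, and the integer spelling of the joke is shown to overflow a 32-bit int before the division ever happens (which is why Python, with its arbitrary-precision ints, just prints 4195835L).

```c
#include <stdint.h>
#include <stdio.h>

/* x - (x/y)*y evaluated in double at run time. volatile keeps the compiler from
   constant-folding the division, which would exercise the build machine's FPU
   (or the compiler's own software arithmetic) instead of the CPU this runs on. */
double fdiv_residual(double x, double y)
{
    volatile double q = x / y;
    volatile double back = q * y;
    return x - back;
}

/* The classic probe operands. A correct FPU gives a residual of zero within a few
   ulps (under 1e-9 here); the flawed Pentium returns 256. Compare against a
   tolerance, never with == or !=, so ordinary rounding is not reported as a defect. */
int fdiv_bug_suspected(void)
{
    double r = fdiv_residual(4195835.0, 3145727.0);
    return r > 1e-6 || r < -1e-6;
}

/* The joke's integer form 4195835*3145727 needs 44 bits: as a 32-bit int the
   product overflows (undefined behaviour in C) before the division runs, and in
   64-bit integer arithmetic it is exact, so comparing with 4195835 can never
   detect anything about the FPU. */
int int_form_overflows_int32(void)
{
    int64_t prod = (int64_t)4195835 * 3145727;
    return prod > INT32_MAX;
}

int64_t int_form_result(void)
{
    return (int64_t)4195835 * 3145727 / 3145727;
}

int main(void)
{
    printf("residual = %.9g, FDIV bug suspected: %d\n",
           fdiv_residual(4195835.0, 3145727.0), fdiv_bug_suspected());
    printf("int form: overflows int32 = %d, 64-bit result = %lld\n",
           int_form_overflows_int32(), (long long)int_form_result());
    return 0;
}
```

Compile with `gcc -O2 fdiv_probe.c`; on anything made after 1994 the first line prints a residual of 0 (or a few e-10) and "suspected: 0". The same tolerance discipline applies to any floating-point fingerprint of the kind the ESIEA paper describes: a signal has to be separated from rounding noise before it says anything about the silicon.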

  6. sure sounds interesting by Anonymous Coward · · Score: 2, Insightful

    but...

    where actually is the attack vector if you don't target any software platform at all?

    1. Re:sure sounds interesting by Mashiki · · Score: 1

      The firmware.

      --
      Om, nomnomnom...
  7. Sparc, MIPS, PowerPC, ... are practically dead by KiloByte · · Score: 1

    It's really bad we have only two and a half CPU architectures in any wide use: armel and i386/amd64 -- and even worse, all smartphones use the former and big machines the latter. Using a different arch gives you extra security (by greatly reducing the amount of existing shellcode) while adding basically no issues whatsoever -- any reasonable server OS is fully portable, and having no Adobe Flash is a blessing not a curse.

    Too bad, you can forget about performance-to-price, and availability is worse than abysmal.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Sparc, MIPS, PowerPC, ... are practically dead by jonwil · · Score: 3, Insightful

      Plenty of CPU architectures out there.
      ARM is out there in embedded devices.
      PowerPC is still popular in servers (and in games consoles)
      Plenty of things out there using MIPS including the Playstation Portable and all kinds of home routers

      And if you are talking really embedded devices, PIC, AVR and others are still going strong.
      Even old-school architectures like the Zilog Z80 and Motorola 68000 are still going strong in many areas.

    2. Re:Sparc, MIPS, PowerPC, ... are practically dead by h4rr4r · · Score: 1

      You forgot SPARC.

    3. Re:Sparc, MIPS, PowerPC, ... are practically dead by forkazoo · · Score: 2, Funny

      You forgot SPARC.

      The handful of people who haven't are doing their best.

    4. Re:Sparc, MIPS, PowerPC, ... are practically dead by gstrickler · · Score: 1

      And when you're looking for hardware specific hacks, each new microarchitecture is likely to behave differently, so each new microarchitecture is functionally a new architecture.

      ARM: ARMv7 != ARMv6 != ARMv5, etc.

      Intel: Sandy Bridge != Nehalem != Merom, etc.

      repeat for AMD, PPC, MIPS, Cell, etc.

      Even different process sizes, different steppings, and different variants within a microarchitecture may behave differently, although that's less likely.

      Hacking a CPU isn't trivial. The payoff is that attacking hardware flaws may bypass OS security

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    5. Re:Sparc, MIPS, PowerPC, ... are practically dead by KiloByte · · Score: 1

      ARM is out there in embedded devices.

      Which I specifically named as one of the two-and-a-half architectures flourishing.

      PowerPC is still popular in servers

      I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

      Plenty of things out there using MIPS including the Playstation Portable

      I haven't seen a single one of these, but it's a thing from 2004 that has a tiny fraction of what any low-end smartphone can do

      and all kinds of home routers

      These used to be MIPS-based in 1990s and early 2000s, yeah. Since then, all new ones seem to be migrating to ARM.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:Sparc, MIPS, PowerPC, ... are practically dead by Anubis350 · · Score: 1

      PowerPC is still popular in servers

      I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

      Server-side, I'm pretty sure IBM counts as a major vendor. Also the PS3, XBox360, and Wii all use some variant of PPC, as the GP noted. So btw do a great deal of embedded chips manufactured by such bit players (no pun intended) as, oh, say Motorola (well, Freescale now). A lot of set-top boxes and such use PPC.

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
    7. Re:Sparc, MIPS, PowerPC, ... are practically dead by silentcoder · · Score: 1

      >I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

      IBM isn't mainstream enough ?

      --
      Unicode killed the ASCII-art *
    8. Re:Sparc, MIPS, PowerPC, ... are practically dead by GameboyRMH · · Score: 1

      I looked around, and there's not a single semi-mainstream vendor which sells those -- and I'm not going to order stuff from overseas.

      Good thing all the hardware manufacturers ship the parts back from Asia and Mexico for you then...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Relax! by jflo · · Score: 0

    With stories like this, I always like to refer to the book of Star Trek Voyager for wisdom. Ensign Kim: "Why does everyone say 'relax' when they're about to do something terrible?"

    --
    WWPD - What Would Picard Do?
  9. Why hardware specific? by Musically_ut · · Score: 2, Interesting
    Isn't it still far easier to specialize malware for specific software rather than trying to heuristically determine the hardware being used and then trying to exploit that?

    Also, how protected is the type of the processor and the other hardware used in a machine? I would imagine that exposing this information (such as that your PC has a GPGPU) to software might help the software work better. To me, it seems that this gain easily outweighs the risks involved.

    --
    Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    1. Re:Why hardware specific? by DigiShaman · · Score: 2, Insightful

      Current software exploits are based on specific OS, Apps, and/or a combination of the two. Add in different versions and quick patching can put out the malware fires rather quickly. With hardware, there's less permutations and revisions in comparison to software.

      While it's possible to patch hardware flaws with firmware and microcode updates, it's not something that happens automatically by the end user. In theory, running malware at the hardware level opens up a huge potential homogeneous field to play in.

      --
      Life is not for the lazy.
    2. Re:Why hardware specific? by olsmeister · · Score: 1

      It's pretty hard to issue a patch for a hardware flaw.

    3. Re:Why hardware specific? by h4rr4r · · Score: 1

      No it is not. We do it all the time, what do you think microcode is?

    4. Re:Why hardware specific? by Anonymous Coward · · Score: 0

      Code written in very small font point?

    5. Re:Why hardware specific? by KeithIrwin · · Score: 1

      Microcode is what instructions from the architectural instruction set are translated into before being executed on a processor. Essentially, it's a set of specific signals to the muxes, demuxes, and various components (ALUs, register bank, L1 cache, branching unit, etc.). Microcode, unto itself, is not a patch to a hardware flaw, it's just a means of making a processor work.

      What you're talking about is "writable microcode" or a "writable control store" which is when the code to microcode translation process is controlled using a rewritable store of some sort rather than hard-wired, thus allowing limited patching of the translation process which can sometimes work around hardware flaws in a manner which is transparent to the applications running on the computer.

    6. Re:Why hardware specific? by Musically_ut · · Score: 1
      If it has to exploit the hardware, the malware will need to have platform independent vector (!?!) which can get executed and, in turn, can run the hardware specific code on the systems. If it can get as far as executing machine code, then, umm .. I think it is still a software malware first.

      Besides, which hardware platform is likely to bring in a divide bigger than the software divide we have?

      Spread and large scale adoption of Hardware presumably is more difficult than software adoption.

      --
      Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    7. Re:Why hardware specific? by Anonymous Coward · · Score: 0

      Current software exploits are based on specific OS, Apps, and/or a combination of the two.

      In other words, Windows and Windows applications. Got it.

    8. Re:Why hardware specific? by DigiShaman · · Score: 1

      Well, CPU L2 or L3 cache can be quite large and more than adequate to store and run machine code. In theory at least. Also, modern NIC processors in servers are pretty intelligent too. The Broadcom NetExtreme series come to mind.

      If I were to develop malware and a SPAM botnet, I would be coding for both the CPU and NIC to inject and/or communicate directly through its own TCP/IP stack out over the Internet.

      --
      Life is not for the lazy.
    9. Re:Why hardware specific? by Anonymous Coward · · Score: 0

      I don't get it. Even if it is hardware specific, do they not have to know about the OS used, in order to inject code and exploit the flaw. How can it be OS independent ??

    10. Re:Why hardware specific? by Anonymous Coward · · Score: 0

      No it is not. We do it all the time, what do you think microcode is?

      A software.

    11. Re:Why hardware specific? by symbolset · · Score: 1

      They do try this among other things. TCP/IP offload engines on NICs are a ripe field seldom reported. With NICs that process packets it's conceivably possible to exploit the host without the OS giving permission for code to run with a corrupt packet. NICs with offload engines have their own primitive CPU and memory, DMA access to the system memory, and hardware interrupts to key system CPU actions. Pretty cutting edge stuff though. I haven't heard of anybody actually exploiting that end. That would be a bad one.

      If you could corrupt a server TCP/IP offload NIC with a bad packet and get it to execute code in the NIC, you could conceivably compromise the server at the hardware level outside of the OS permissions system regardless of the OS. Scary stuff, that. It might work with smart TVs, teleconferencing systems, or similar gear. With Infiniband, frankly, it's done in one - but the bad guys aren't targeting HPC clusters yet I don't think, because that gear doesn't generally have access to do the things bad guys want to do (send mail mostly) and the people who herd those boxes are first rate. If Infiniband comes mainstream that could be an issue, and that's looking more likely with iSCSI over infiniband for SSD storage SANs gaining traction in the market. It's hard to pass up 250k IOPs in a 2U box like Whiptail has got if you need to do VDI on a budget and need end-user buy-in.

      This is highly speculative. It would probably involve a disgruntled former high-level engineer, or a nation-state level cyber-intelligence effort. It might make a good fiction device. You can be sure that if I can think of it somebody's working on a dumbed down toolkit for it that your kids could use as a game.

      As for malware injecting own-source packets, that's how it's generally done. It's called a "raw socket." Steve Gibson has been campaigning against them being available to user apps for a decade or more - to the point that maybe he's lost his edge. Raw sockets are how you forge the return IP address when you're pulling a Joe Job. Not that I would know anything about that. But malware that's running on the system has generally "got root," downloaded its toolkit and will be interacting with the NIC on a hardware level without the operating system's permission anyway. You don't need to have a TCP/IP stack to lay some forged packets on the NIC because your app isn't expecting packets back, doesn't need to handle sessions and whatnot. The OS tells you how to access the NIC at the hardware level and helpfully gets out of the way.

      --
      Help stamp out iliturcy.
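
      Added example, not code from the thread or from the ESIEA paper: the "forged packets on a raw socket" that symbolset describes come down to writing your own IPv4 header, so here is what that header and its RFC 1071 checksum look like in C, together with the validation check a receiver or IDS would run. The sample addresses (192.168.0.1 to 192.168.0.199) and field values are constructed for the example. Actually putting such a header on the wire needs socket(AF_INET, SOCK_RAW, IPPROTO_RAW) with IP_HDRINCL set, which on Linux requires root or CAP_NET_RAW; that privilege requirement is the practical check that matters, and the reason the source address in a received packet can only be trusted as far as upstream networks do BCP 38 egress filtering.

```c
/* Added example: build and verify an IPv4 header by hand (the thing a raw
 * socket with IP_HDRINCL lets a privileged process send). Not from the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One's-complement sum over 16-bit big-endian words, folded and inverted
 * (RFC 1071). Verifying a header means running this over the header with
 * its checksum field in place and expecting 0. */
uint16_t ip_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)                         /* odd trailing byte, zero-padded */
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)                    /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xFF; }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = (v >> 16) & 0xFF; p[2] = (v >> 8) & 0xFF; p[3] = v & 0xFF;
}

/* Fill a minimal (no options, IHL = 5) IPv4 header. Addresses are host-order
 * uint32 values, e.g. 0xC0A80001 for 192.168.0.1. The source address is
 * whatever the caller says, which is exactly the forging the thread talks
 * about; nothing in the header format prevents it. Returns header length. */
size_t build_ipv4_header(uint8_t out[20], uint32_t src, uint32_t dst,
                         uint8_t proto, uint16_t total_len,
                         uint16_t ident, uint16_t flags_frag, uint8_t ttl)
{
    out[0] = 0x45;                       /* version 4, IHL 5 (20 bytes) */
    out[1] = 0x00;                       /* DSCP/ECN */
    put16(out + 2, total_len);
    put16(out + 4, ident);
    put16(out + 6, flags_frag);          /* 0x4000 = DF, no fragment offset */
    out[8] = ttl;
    out[9] = proto;                      /* 17 = UDP, 6 = TCP, 1 = ICMP */
    put16(out + 10, 0);                  /* checksum is computed over zeros */
    put32(out + 12, src);
    put32(out + 16, dst);
    put16(out + 10, ip_checksum(out, 20));
    return 20;
}

/* Receiver-side sanity check: version, IHL and a checksum that sums to 0.
 * Returns 1 for a well-formed header, 0 otherwise. */
int ipv4_header_valid(const uint8_t *hdr, size_t len)
{
    if (len < 20) return 0;
    unsigned version = hdr[0] >> 4;
    size_t ihl = (size_t)(hdr[0] & 0x0F) * 4u;
    if (version != 4 || ihl < 20 || ihl > len) return 0;
    return ip_checksum(hdr, ihl) == 0;
}

int main(void)
{
    uint8_t hdr[20];
    size_t i, n = build_ipv4_header(hdr, 0xC0A80001u, 0xC0A800C7u, 17, 115,
                                    0, 0x4000, 64);
    for (i = 0; i < n; i++) printf("%02x%s", hdr[i], (i & 1) ? " " : "");
    printf("\nchecksum valid: %d\n", ipv4_header_valid(hdr, n));
    return 0;
}
```

      The constructed header above (UDP, 115 bytes total, DF set, TTL 64, 192.168.0.1 to 192.168.0.199) checksums to 0xb861; flip any byte and ipv4_header_valid() reports 0, which is the whole value the checksum has: it catches corruption, not lying.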
    12. Re:Why hardware specific? by Anonymous Coward · · Score: 0

      It's pretty hard to issue a patch for a hardware flaw.

      In the industry we call those things "Firmware updates".

  10. I hate to ask, but... by spywhere · · Score: 3, Informative

    "Windows/Office/IE monoculture is disappearing faster than equatorial glaciers..."
    Do you actually work in corporate IT? Windows XP and IE6/7 dominate. Apple has little hope of taking hold in anything bigger than the art department at Comcast, and Linux is what the geekiest artist-type there uses at home.

    I'm not advocating Windows... I'm simply pointing out that they are not going anywhere.

    1. Re:I hate to ask, but... by Un+pobre+guey · · Score: 2, Insightful

      They can always dream, can't they?

    2. Re:I hate to ask, but... by Eskarel · · Score: 1

      Not to mention that Android and iOS are part of the smart phone segment where there never was a Windows/Office/IE monoculture.

    3. Re:I hate to ask, but... by DrgnDancer · · Score: 4, Insightful

      I dunno. I was a Linux Systems Administrator for a fortune 50 company. I'm now a Linux Systems administrator for the Federal Government. In both cases we also had limited use of Macs too. You didn't see that 10 years ago. I'll grant you "Faster than equatorial glaciers" may be hyperbole, but the monoculture is disappearing (Windows isn't disappearing by any means, just the monoculture).

      To a certain extent it's also somewhat of a moot point anyway. If people are using Macs or Linux at home that's still impacting malware authors. In fact it's impacting them worse in some respects. They count on the unpatched boxes in ma and pa's bedroom for a botnet vector. Smartphones are also a growing presence on the 'Net. They're not hugely important *yet* but at the rate they're going they will be.

      So yeah, for the time being you can still feel safe that 9/10 clients are Windows (which is still down a lot from 9.7/10). Smart criminals, just like smart companies, look ahead though. If trends continue as they are, 10 years from now it might be 7/10 clients (With the rest split between Macs, some Linux, and lots of mobile) . 10 years after that? Who knows?

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    4. Re:I hate to ask, but... by sheehaje · · Score: 1

      How many phones is Microsoft on? I'm sure that cuts into the 9.5 out of 10 percentages over computing platforms quite a bit. Phones aren't phones anymore, they are full blown computers.

      Also, I know a lot of local governments, state governments are starting not to extend their enterprise agreements with Microsoft.

      I work for a sizable county government and we are moving off of Exchange/Outlook next year in favor of Zimbra. We are a 2007 shop now and were thinking of migrating to 2010, but won't. Microsoft is demanding Windows 2008 Enterprise to do things like Exchange replication, which more than triples our licensing costs. There is much talk of Microsoft ending Public Folder support after the 2010 version of Exchange in favor of full blown Sharepoint... A lot of money for government agencies now feeling big budget cuts.

      We are also moving to OpenOffice (or should I say LibreOffice) for departments that didn't go Access crazy next year. After looking at how our users were using MS Office, we determined 90% of our users don't use it for much more than simple word processing. About 10% of those also used Excel.

      A lot of this is being driven by the economy and the fact that we face setbacks. But with this in mind, we also don't think we lose any functionality with these alternatives.

      I know Windows/Office/IE is still embedded in a lot of the business culture, but there are plenty of places it isn't a "requirement" anymore, and it actually makes sense to replace it.

    5. Re:I hate to ask, but... by Grishnakh · · Score: 1

      Exactly. The Windows/Office monoculture hasn't gone anywhere, but the computing field itself has expanded a lot. Now, people do computing in many more places than just their desktop, thanks to small mobile devices, so a giant new market has opened up, and in that market, MS is a bit player. They've had their own offerings in the mobile device arena for quite a while, but it's never been very popular, and now iOS and Android are growing by leaps and bounds while MS's mobile offerings continue to languish.

      On desktops and laptops, however (esp. corporate ones), Windows/Office/IE/Outlook are still king, though in many places they're still using ancient XP with little plans to upgrade to 7. So people are generally using MS's products because they have to, not because they want to.

    6. Re:I hate to ask, but... by rifles+only · · Score: 1

      Perhaps the idea is that criminals start believing the myth that Apple is really gaining ground outside the college campuses of the US...

  11. Huh? by FranTaylor · · Score: 1

    In your house, maybe.

    In the server room, PowerPC is still very popular. In fact it's the only choice if you want the best straight-up single core performance.

    "any reasonable server OS is fully portable" That's not true because AIX is a perfectly reasonable server OS and it's only on PowerPC.

    1. Re:Huh? by danlip · · Score: 3, Insightful

      Sorry, but I've used AIX and it is not a perfectly reasonable OS.

    2. Re:Huh? by FranTaylor · · Score: 4, Insightful

      Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

    3. Re:Huh? by pullmyfinger · · Score: 1

      Please elaborate on your poor experience. I've managed AIX deployments since v3 came with support for the Power platform and I've only seen steady improvement over the years. Like any Unix distro, it has its quirks (but AIX at least documents it!).

    4. Re:Huh? by Anonymous Coward · · Score: 0

      You seem like one of the guys who hate on UNIX because it doesn't ship with a GNU userland like Linux does, or something even more superficial along those lines.

      If you DID take the pragmatist stance and just learn to write portable shell code, put up with things as old as Perl 5.6, deal with post-installed free software, etc, you CAN leave the OS alone and move on to more important things, like the application running on it for example.

      But hey, maybe your business just can't survive without GNU tar or the latest ls flag, or whatever.

    5. Re:Huh? by Anonymous Coward · · Score: 1, Interesting

      Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

      Actually, "you" don't use AIX at all..your dedicated IBM representative "deploys the end-to-end AIX solutions framework" on your behalf

    6. Re:Huh? by the_humeister · · Score: 1

      Not only in servers, but most vehicles have several PowerPC chips in them for the ECU and other ancillary units.

    7. Re:Huh? by flyingfsck · · Score: 1

      That is pretty much how I treat all my servers: Install what I need and leave it alone. Most problems are caused by finger trouble, so the first thing I disable on a Linux system is the Auto-Update ^WScrewup system. A Linux machine can run for 3 to 7 years non stop till the hardware fails.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    8. Re:Huh? by Bert64 · · Score: 1

      And as the post pointed out, you can forget about performance-to-price and are PPC servers available from anyone other than IBM?
      It is extremely rare that I see an AIX box these days, and those few companies who do have them usually have many more x86 systems.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Huh? by Anonymous Coward · · Score: 0

      That is pretty much how I treat all my servers: Install what I need and leave it alone.

      It's nice when it's that simple but it won't stay that way forever. Configurability and maintainability are features, not bugs. If something comes up that your ability to predict the future didn't perfectly account for, you'll appreciate this.

      Most problems are caused by finger trouble, so the first thing I disable on a Linux system is the Auto-Update ^WScrewup system.

      Really? I didn't disable anything to solve that problem... I just learned how to touch-type...

      A Linux machine can run for 3 to 7 years non stop till the hardware fails.

      Yeah because updating to fix exploitable bugs is for losers. You did mention servers. Servers implies clients and that means there are attack vectors. It's a good idea not to leave known vulnerabilities in place.

    10. Re:Huh? by Narishma · · Score: 2, Informative

      And even in your house PPC isn't dead. All current generation consoles use PPC processors.

      --
      Mada mada dane.
  12. Um... by pinkwarhol · · Score: 1
    Glad to hear someone's working on this...

  13. Am I missing something? by by+(1706743) · · Score: 4, Insightful
    From TFS:

    Malware targeting one or more of those processors would work regardless of what OS or applications were installed.

    Ok...but how are you planning on executing that? You can write a piece of code that exploits some chip vulnerability, and compile it for Windows -- but it still gives you no advantage over just writing something which targets Windows in the first place.

    And if you're capable of running arbitrary machine code on the host -- which is sort of what I take this article to suggest -- then you've got way bigger fish to fry in the security department...

    1. Re:Am I missing something? by Anonymous Coward · · Score: 0

      Apple patented something that involves forcing adverts on the iPhone calling it a feature, seems to me this is basically the same thing but called malware.

    2. Re:Am I missing something? by antifoidulus · · Score: 5, Insightful

      Actually the biggest threat would be to VMs running on some big iron machine. If you and I are both running on a VM and I can exploit a CPU bug that allows me to break out of my sandbox then your data is in trouble even if you didn't let anyone else execute code in your VM.

    3. Re:Am I missing something? by phantomfive · · Score: 2, Insightful

      Not only that, when was the last time you heard of an exploit that attacked a chip? I can remember hearing about a vulnerability six years ago or so, but it was hard to exploit. Such an exploit would be nice, but I don't think they happen very often.

      --
      Qxe4
    4. Re:Am I missing something? by KeithIrwin · · Score: 1

      I had the same thought as the grand-parent poster, but the parent post is definitely correct. It's quite common for a lot of smaller web sites to run on VPS's. If you can hack or rent one VPS and use this to execute code which compromises the physical machine, that means that you can take over everyone else's VPS that is ever executed on that same machine. If you're trying to get malicious code onto a lot of web sites (which they are), that would be a very good way to do it. Plus, who knows what else might be living on the same machine in a different VM.

    5. Re:Am I missing something? by thoromyr · · Score: 1

      You *still* have to run the exploit code in some context. The set of instructions don't just magic themselves into the CPU. Where it would have some utility would be with a hosting company. You get a hosting account, compile code to break out of the hosted environment, and have fun playing with everyone else's data. The nature of the attack will depend on how the hosting company isolates client environments. Another example would be a company that (foolishly, IMO) relied on VMs to separate financial applications from general office work.

      But in all probability you are talking about fairly targeted attacks. The bulk of malware these days is client-based and is working very well for the bad guys. I don't remember the district and my google-fu isn't up to snuff to find it again, but current per-instance losses are in the millions. This is less, but an older example: http://www.eschoolnews.com/2009/10/01/computer-virus-steals-325k-from-district/ Two-factor is no cure-all either, as the larger losses have been against such systems (due to implementation details two-factor may allow transactions for a window of time rather than a single, identified transaction which allows a compromised system to piggy-back on approved transactions).

  14. Catch 22 much ??? by Zero__Kelvin · · Score: 2, Insightful

    "Malware targeting one or more of those processors would work regardless of what OS or applications were installed. "

    This is complete bullshit. First, you have to get your code to execute on my hardware, which you aren't about to do unless you compromise my OS. If you can't get your assembly code to run on the CPU in Ring 0 on the Intel Platform, for example, your processor specific malware, no matter how clever, is useless. If you can do so, you have already compromised my OS, so your code is useless.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Catch 22 much ??? by h4rr4r · · Score: 2, Insightful

      Not quite. If I am only in one VM and I want to break out then this sort of thing might be quite useful. If I had already exploited the host, then yes it would be a waste of time.

    2. Re:Catch 22 much ??? by Zero__Kelvin · · Score: 1

      "If I am only in one VM"

      I already said that you need to have already compromised my OS. The fact that it runs in a VM is completely immaterial. If you have compromised my paravirtualized OS, you have compromised my OS, but again you have a catch 22. We can both agree that if you have already compromised my OS, then you can continue to compromise my OS.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Catch 22 much ??? by h4rr4r · · Score: 1

      This lets me get further. I can now get a shot at the host from inside a vm.

      I do of course agree you need a way into the hardware to begin with.

    4. Re:Catch 22 much ??? by Darinbob · · Score: 1

      My guess is that the article and summary are just a bit too vague and misleading. You could have an interpreted script or bytecode do the work, it wouldn't care what the processor was, and as for the OS it'll probably just assume something that has the script interpreter built in or in the browser. I.e., Java, Javascript, .net, etc. Then it figures out what browser you have, what CPU type and maybe model, and a really good guess of the OS.

      The processor privilege and ring 0 thing is a bit off. The whole point of malware is figuring out how to get the processor privilege it needs. Some malware can do major damage without ever having the highest processor privilege (you don't need privilege to erase all your personal files or upload an address book). If it does want higher privilege, the first step is often being able to run any arbitrary machine code at any privilege level, and then it's got the crowbar into the system and just needs to start prying to get in further. Getting to ring 0 is the goal, not the starting condition.

      Processor specific malware can be very useful. It'll know that your processor has broken security features, or that double exceptions aren't recoverable, or all sorts of ideas gleaned from the errata. It knows which x86 models have bugs and which ones don't.

    5. Re:Catch 22 much ??? by Zero__Kelvin · · Score: 1

      "The whole point of malware is figuring out how to get the processor privilege it needs."

      That is not the whole point of most malware. It cares about getting application level privileges running in user space, most often in an interpreted environment. If you are trying to do so in an OS independent way the security landscape changes drastically. The only way to accomplish that is with Assembly Language. Therefore the "processor privilege and Ring 0 thing" is, as Marisa Tomei said in "My Cousin Vinny" dead on balls accurate. We can certainly agree that for OS dependent code, knowing the processor might help.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Catch 22 much ??? by Zero__Kelvin · · Score: 1

      I just re-read what I originally wrote, and I realized that I was attempting to imply that it was useless for compromising a machine in an OS independent manner. I can see how you thought I meant that it had no use at all under any circumstance, but we agree that as a means of accomplishing privilege escalation rather than breaking down the front door it has a use. Also, I was discussing malware rather than interactive system cracking, the latter of which - almost by definition - involves knowledge of the target OS. In the malware scenario, the malware needs to have OS knowledge to get the initial privilege in order to escalate, thereby making the malware not OS independent.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:Catch 22 much ??? by CAIMLAS · · Score: 1

      Certainly - this would be a very effective dispersal method, particularly if you're running a VM cluster. Break out of the 'jail' through a Windows driver or bug in the VM management interface API, and you've gained privileged access on a clustered VM host. Depending on which VM it is, and which member of a cluster, it's quite possible you've got open administrative access on the entire cluster.

      That's, what, 10, 15, 30 physical servers with gobs of RAM and CPU? That alone is terrifying, but consider that they'd then be able to infect the individual Windows instances on those machines, and you've got a significant problem. Each of those VMs may be on their own 1q VLANs with other facilities, allowing for significant transit and dispersal.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  15. The road to profit. by Anonymous Coward · · Score: 0

    Step 1: Fingerprint CPU
    Step 2: ????
    Step 3: Profit!

    (workable exploits against the CPU are far more rare than attacks against applications)

    1. Re:The road to profit. by h4rr4r · · Score: 1

      Step 1. cat /proc/cpu
      Step 2. NO STEP TWO, you are done.

    2. Re:The road to profit. by arth1 · · Score: 2, Insightful

      Except that by adding the requirement of "cat /proc/cpu", you're back to being OS-specific, which defeats the premise of TFA.

  16. CPUID registers ? by NemoinSpace · · Score: 2, Insightful

    seems a lot easier to me for the majority of cases. a little ASM goes a long way. When in doubt, ASK!
    ok, now you can list all the architectures that don't specifically use CPUID, But they all (even PLCs) report what they are.

    1. Re:CPUID registers ? by Darinbob · · Score: 1

      CPUID is an Intel x86 specific thing. Other CPU types do things differently, and they certainly don't run the same machine code. I can think of several CPUs that have no sort of identifier register. What about being able to tell if the device has an ARM9, AVR, PPC 603, etc?

  17. CPU Microcode is the next malware frontier by BKCat · · Score: 1

    The Holy Grail of malware would be to modify the microcode on the CPU. Once they can do that, they *own* the machine

    1. Re:CPU Microcode is the next malware frontier by AuMatar · · Score: 2, Insightful

      To be useful, you'd need a microcode memory big enough to fit a decent program (doubtful), and do so without breaking the integrity of the machine (almost impossible) as well as have a chip that has writable microcode caches (does anything do this, other than maybe transmeta)? Number 2 is a biggie- malware that breaks the CPU will quickly get the machine offline and RMAed. If you aren't online, you aren't doing anything useful for the malware. The trick for malware is to do what you want, while appearing as if you didn't even exist to the user.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:CPU Microcode is the next malware frontier by Anonymous Coward · · Score: 0

      Intel processors have supported microcode upload for quite a while, since Pentium3 or whenever. AMD added support at some point during the Athlon64/Phenom line. [IIRC]

      Upload is only temporary though, it doesn't 're-flash' the chip (I think the micro is hard-wired) but merely replaces the active cache so a power cycle (reset) will flush it.

      The obvious thing to do with a microcode program is just to add new instructions on the unused opcodes but that's easier said than done. Alternatively, you can modify the existing instructions to remove the security tests so the instructions don't check if you are in kernel mode or not before doing an IO op or something. Ultimately though, good luck figuring out the microcode language; I'm not saying it can't be done but the language changes [by definition] with every CPU revision, Sandy Bridge is different from Nehalem (i7, i5, i3) is different from Core2 is different from Pentium4, etc.

    3. Re:CPU Microcode is the next malware frontier by AuMatar · · Score: 1

      You also have the problem of a very limited space in the microcode. You won't fit an email sender in there. You're unlikely to fit anything that can send network data, since it would have to do so at a below OS level and manipulate hardware. The likelihood of doing anything useful, even if you were told how to store the data there, is low to none.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    4. Re:CPU Microcode is the next malware frontier by maxwell+demon · · Score: 1

      I think you wouldn't put your actual malware there. You would just put enough there to keep your actual malware from being restricted and/or detected. Maybe add an "escalate privilege" instruction. Or maybe instruct the processor to replace the destination address of certain jumps (e.g. the timer interrupt) to another memory address, so your malware can run without letting a trace of it running (except for traces the malware itself leaves, of course).

      --
      The Tao of math: The numbers you can count are not the real numbers.
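
      Added example, not code from the thread: several posts above use "cat /proc/cpuinfo" as the easy way to identify the processor, and the microcode subthread turns on which revision is actually loaded, so here is a small C parser for that file's format that pulls out vendor, family, model, stepping and the loaded microcode revision. The input embedded below is a constructed sample in /proc/cpuinfo layout, not captured from a real machine; on a Linux host the same parser can be pointed at the real file. This is deliberately the OS-specific route that arth1 contrasts with the paper's floating-point approach: it works only where a Linux kernel exposes this file, and the "microcode" line only appears where the kernel reports a revision (x86).

```c
/* Added example: parse /proc/cpuinfo-style text for the identification
 * fields an inventory or detection script wants. Sample input is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cpuinfo {
    char vendor[32];
    long family, model, stepping;   /* -1 when the field was absent */
    long microcode;                 /* loaded revision, -1 when not reported */
};

/* Constructed sample in /proc/cpuinfo layout (tabs before the colon, blank
 * line between processors). Values are illustrative, not from a real host. */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model\t\t: 58\n"
    "model name\t: constructed sample\n"
    "stepping\t: 9\n"
    "microcode\t: 0x21\n"
    "cpu MHz\t\t: 2600.000\n"
    "\n"
    "processor\t: 1\n"
    "vendor_id\t: GenuineIntel\n";

/* If `line` is "<key><spaces>:<spaces><value>", return a pointer to value,
 * else NULL. Requiring the colon right after the key is what keeps
 * "model name" from matching the key "model". */
static const char *field_value(const char *line, const char *key)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0) return NULL;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != ':') return NULL;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Parse the first processor block only (up to the first blank line).
 * Returns the number of recognised fields found. */
int parse_cpuinfo(const char *text, struct cpuinfo *ci)
{
    int found = 0;
    ci->vendor[0] = '\0';
    ci->family = ci->model = ci->stepping = ci->microcode = -1;

    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len == 0) break;                     /* end of processor 0 */
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *v;
        if ((v = field_value(buf, "vendor_id"))) {
            snprintf(ci->vendor, sizeof ci->vendor, "%s", v); found++;
        } else if ((v = field_value(buf, "cpu family"))) {
            ci->family = strtol(v, NULL, 10); found++;
        } else if ((v = field_value(buf, "model"))) {
            ci->model = strtol(v, NULL, 10); found++;
        } else if ((v = field_value(buf, "stepping"))) {
            ci->stepping = strtol(v, NULL, 10); found++;
        } else if ((v = field_value(buf, "microcode"))) {
            ci->microcode = strtol(v, NULL, 0);  /* base 0 accepts "0x21" */
            found++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* Read a real file (normally "/proc/cpuinfo") into the parser.
 * Returns -1 if the file cannot be opened, else parse_cpuinfo()'s count. */
int read_cpuinfo_file(const char *path, struct cpuinfo *ci)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char text[8192];
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return parse_cpuinfo(text, ci);
}

int main(void)
{
    struct cpuinfo ci;
    parse_cpuinfo(SAMPLE_CPUINFO, &ci);
    printf("sample: %s family %ld model %ld stepping %ld microcode 0x%lx\n",
           ci.vendor, ci.family, ci.model, ci.stepping, ci.microcode);
    if (read_cpuinfo_file("/proc/cpuinfo", &ci) > 0)
        printf("this host: %s family %ld model %ld stepping %ld microcode 0x%lx\n",
               ci.vendor, ci.family, ci.model, ci.stepping, ci.microcode);
    else
        puts("this host: no /proc/cpuinfo (not Linux, or not readable)");
    return 0;
}
```

      Comparing the parsed microcode revision against the version your vendor's current update package carries is the routine check that tells you whether a microcode fix is actually loaded on a given host; note that the revision reported here is what the kernel or BIOS loaded at boot, and as the subthread says, it does not survive a power cycle on its own.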
  18. f00f bug by bl8n8r · · Score: 1

    Just like on the Pentiums http://en.wikipedia.org/wiki/F00f

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  19. Who sponsored the research? by Un+pobre+guey · · Score: 3, Interesting

    So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.

    1. Re:Who sponsored the research? by Anonymous Coward · · Score: 0

      Perhaps they will have a section at the NDC for some nice distributed CUDA password breaking, eventually. A suitable title would be "All your bank account are belong to us"

  20. Not just useful for malware by Angst+Badger · · Score: 1

    This kind of thing would be handy to have for ordinary software, especially code that depends on floating point performance and routines that can optionally take advantage of processor-specific features (or route around misfeatures). The interface would still have to deal with the local OS, but the underlying libraries could be written without recourse to platform-specific code to identify the hardware -- especially since some operating systems either don't make that information available to apps or do so incorrectly.

    --
    Proud member of the Weirdo-American community.
  21. i call bullshit by Anonymous Coward · · Score: 0

    First, all Intel CPUs can get the CPU and stepping number easily. So why would you need to profile floating point ops.

    Second, in order to send a network packet you need to communicate with the OS device driver, the OS will likely crash if you bypass the OS and talk to the network card directly, so how is this virus software supposed to be OS agnostic.

    Lastly the memory maps and peripherals of ARM (or other) microcontrollers are very different. If you try to write to read only memory, an exception occurs and it jumps to the exception vector.

  22. I don't get it by Johnno74 · · Score: 1

    The researchers claim to be working on a tool, dubbed Proc_Scope that will use specific numerical expressions to identify the processor type, and to be working on an algorithm that can help identify a specific processor.

    That all sounds quite involved and somewhat fragile.

    Or you could just use the CPUID instruction. It's been around since the original Pentium.

    1. Re:I don't get it by Microlith · · Score: 1

      Assuming you're using a Pentium-class x86 platform. ARM requires something entirely different.

    2. Re:I don't get it by jrumney · · Score: 1

      Presumably Proc_Scope will run in a cross platform VM (eg Java) that allows them to start with no assumptions about the target platform at all.
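
      Added example, not code from the thread or from the ESIEA paper, covering both "CPUID registers?" above and "I don't get it": this is what the CPUID answer looks like in C, and where it stops. The leaf 0 vendor string and the leaf 1 family/model/stepping decoding follow the layout Intel and AMD document for those leaves; the CPUID path is compiled only on x86, and on every other target the function reports failure, which is Darinbob's and Microlith's point. ARM has an identification register (MIDR), but reading it from user space is not generally allowed, so there you are back to asking the OS. The decode functions are split out so they can be checked against known signature values without needing a particular CPU.

```c
/* Added example: identify an x86 CPU with CPUID, portably guarded. Not from
 * the thread or the paper. Decoding follows the vendor-documented layout of
 * leaf 0 (vendor string in EBX, EDX, ECX) and leaf 1 EAX (signature). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>            /* GCC/Clang: __get_cpuid() */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct cpu_ident {
    char vendor[13];          /* 12-character vendor string + NUL */
    unsigned family;          /* "display" family, extended field folded in */
    unsigned model;           /* "display" model, extended field folded in */
    unsigned stepping;
};

/* Leaf 1 EAX: bits 3:0 stepping, 7:4 model, 11:8 family, 19:16 extended
 * model, 27:20 extended family. Per Intel/AMD, extended family is added only
 * when family == 0xF, and extended model is prepended for family 6 and 0xF. */
void decode_signature(uint32_t eax, struct cpu_ident *id)
{
    unsigned stepping   = eax & 0xF;
    unsigned model      = (eax >> 4) & 0xF;
    unsigned family     = (eax >> 8) & 0xF;
    unsigned ext_model  = (eax >> 16) & 0xF;
    unsigned ext_family = (eax >> 20) & 0xFF;

    id->stepping = stepping;
    id->family   = family;
    id->model    = model;
    if (family == 0xF)
        id->family += ext_family;
    if (family == 0x6 || family == 0xF)
        id->model += ext_model << 4;
}

/* Write the four bytes of a register least-significant first, which is the
 * byte order the vendor string is defined in (endian-independent on purpose). */
static void put_reg_bytes(uint32_t reg, char *out)
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((reg >> (8 * i)) & 0xFF);
}

/* Leaf 0 vendor string: EBX, then EDX, then ECX (that order is the spec). */
void decode_vendor(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13])
{
    put_reg_bytes(ebx, out + 0);
    put_reg_bytes(edx, out + 4);
    put_reg_bytes(ecx, out + 8);
    out[12] = '\0';
}

/* Query the running processor. Returns 1 on success, 0 where there is no
 * CPUID instruction to ask (ARM, PowerPC, AVR, ...). */
int identify_cpu(struct cpu_ident *id)
{
#if HAVE_CPUID
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    decode_vendor(ebx, edx, ecx, id->vendor);
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    decode_signature(eax, id);
    return 1;
#else
    (void)id;
    return 0;
#endif
}

int main(void)
{
    struct cpu_ident id;
    if (identify_cpu(&id))
        printf("%s family %u model 0x%X stepping %u\n",
               id.vendor, id.family, id.model, id.stepping);
    else
        puts("no CPUID on this architecture; ask the OS instead");
    return 0;
}
```

      Two caveats a practitioner would add: inside a hypervisor, CPUID is one of the instructions the VMM intercepts and may rewrite, so a guest sees whatever the host chooses to present, and the result also says nothing about which microcode revision is loaded, which is a separate OS-level query. Both are reasons an approach that measures behaviour rather than asking for an identifier, as the paper does, is not as pointless as the thread makes it sound.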

  23. Do it from Javascript by Anonymous Coward · · Score: 1, Interesting

    You know, assuming Javascript engines in web browsers use the FPU to do floating point math operations, you could roughly categorize what hardware visitors to your website use.

    And/or you could run a JS benchmark, and on the server side have baseline benchmark results for different web browsers and web browser versions on known hardware configurations - and then use that to deduce the user's clock speed. That is assuming that they aren't running anything else at the same time, but 99% of the time desktop systems are idle. You could do a run of 5 benchmarks over a period of say 30 seconds and throw out the outliers.

    Of course you could combine this with the kind of stuff Panopticlick does, like detect the screen size, time zone, flash variables etc. For extra evil points, combine it with Samy Kamkar's evercookie.

    1. Re:Do it from Javascript by T-Bone-T · · Score: 1

      I'm not sure how it would appear to others but my Core i3 frequently clocks down to save electricity.

    2. Re:Do it from Javascript by arth1 · · Score: 1

      I'm not sure how it would appear to others but my Core i3 frequently clocks down to save electricity.

      While your premise is correct, your conclusion is not. Downclocking wasn't added to CPUs to save electricity, but to reduce temperature. Saving electricity is a side effect.

    3. Re:Do it from Javascript by drsmithy · · Score: 2, Informative

      While your premise is correct, your conclusion is not. Downclocking wasn't added to CPUs to save electricity, but to reduce temperature. Saving electricity is a side effect.

      Downclocking was first added to mobile CPUs, and you can rest assured it was to save electricity (= battery).

  24. Apple has even less hope now by Sycraft-fu · · Score: 2, Insightful

    With the discontinuation of their Xservs they've quite clearly said "We don't really care about the enterprise market." Can't say I'm surprised, consumer electronics is where they've been making tons of money. However it does mean that any growth potential they had in business markets is likely to dry up. That just means the market will continue to be solidly MS for now.

    1. Re:Apple has even less hope now by h4rr4r · · Score: 2, Interesting

      The enterprise market for servers has never been solidly MS. The Xserve was not a popular product, no one wanted to pay Apple prices to run a Unix. If you want to do that you could have always bought a Sun box. The rest of the enterprise wanted to run Linux on commodity hardware.

    2. Re:Apple has even less hope now by wvmarle · · Score: 2, Informative

      Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.

      A server has to sit in a corner, fit nicely so square (or for bigger setups: rackable) is preferred. Most of them don't have a monitor attached so a GUI is also unwanted.

      Then what reason is there to pay an Apple price for a server?

      Microsoft has a similar problem: their strong point is also the user interface, as that's what Windows is about after all. Windows is a desktop oriented OS, with server capabilities tacked on to it.

    3. Re:Apple has even less hope now by CAIMLAS · · Score: 1

      Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.

      Strongly disagree on the second part: case design is very important on a server. It's almost as important as the hardware in the machine and the external interfaces (say, SAS, IPMI or Infiniband).

      I'm pretty sure the Xserve had none of those interfaces, and the internal RAID controller was somewhat lackluster at that. From what I've seen of them, I'd rather have a modern Dell or HP server - the hardware is better.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers

    4. Re:Apple has even less hope now by wvmarle · · Score: 1

      With case design I was talking about prettiness and looks, not sturdiness or being easy to build in. Consumers buying a case to put in their living room and IT people buying a case to put in a comms cupboard or server room have totally different requirements on case design.

  25. "Faster than equatorial glaciers". . . by JSBiff · · Score: 1

    It's true! He just forgot to mention *which* equator he was referring to. I believe in this case, it would be the equator of Uranus.

  26. you know those WTF? moments that come out of Japan by Anonymous Coward · · Score: 0

    ... AIX is like that.

  27. absurd by Anonymous Coward · · Score: 0

    Platform independent malware is simply not reasonable. Different strains can be written for different systems but one piece of code to rule them all is probably a form of thought masturbation for this author, welcome to the reality.

    The problems with the initial execution aside (anyone already running code on ur box can plant any strain they want anyway), the routines in malware will always be platform specific, and in some cases version specific, even application specific. How can you go about harvesting information if you don't have a clue where to look? Functions need to be hooked and there is no universal function to hook for getting CCs or SSNs.

    I suppose you could interact directly with the network card, but then you're going to need to build your own network stack and drivers for each of the most common types of NICs.

    1. Re:absurd by robot256 · · Score: 1

      Platform independent malware is simply not reasonable. Different strains can be written for different systems

      Exactly. Just like how dogs don't get lyme disease and birds don't get swine flu, or something like that. Writing a virus that could mutate to port itself to a different system, however, would be truly amazing.

  28. also by Anonymous Coward · · Score: 1, Interesting

    there is the possibility of making it impossible for someone without, say, specialised JTAG hardware to reflash the firmware, so once it's compromised it can't be uncompromised. then there are the counterfeit bits of hardware which could be designed with backdoors that also lead to hardware that cannot be uncompromised, even if it goes into a super dormant state.

    there are ways of communicating steganographically using timing delays in typing or network packets, so it's actually starting to get pretty difficult to clean your system. not like removing a hdd and sticking it into a dock of a clean machine and wiping mbr+whole drive etc.

  29. Peak windows. by mevets · · Score: 4, Insightful

    My guess is the AV companies are sensing that 'peak windows' has passed, and are manufacturing a new market.
    The reason to run AV software on other platforms is to avoid inadvertently forwarding viruses to Windows users. Not a compelling story.

  30. I think I can explain the real threat here... by junglebeast · · Score: 2, Insightful

    There is no cross-platform instruction to call the CPUID assembly instruction... so you can only use CPUID if you can run native code on the computer, and if you can do that, you've already broken in so you don't need it.

    Now imagine that you are running some generic code like JavaScript... which has a limited instruction set and is possibly even being run in a browser-based sandbox. If you can use simple floating point arithmetic to detect the processor type, and then you know that this particular processor has a flaw such that if you evaluate "44.5 / 222.3 + 1" then the following benign string literal in JavaScript gets interpreted as native binary code which executes outside of the "sandbox" imposed by the limitations of the language... do you get what I'm saying?

    1. Re:I think I can explain the real threat here... by wvmarle · · Score: 3, Interesting

      Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.

      Regardless, it makes me wonder why you need to know the processor type in the first place. Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original JavaScript program.

    2. Re:I think I can explain the real threat here... by maxwell+demon · · Score: 1

      Maybe an attack using a cross-platform browser hole which allows executing machine code, but to know which machine code to run the exploit needs to know the processor (because x86 machine code on an ARM most probably will just crash).

      --
      The Tao of math: The numbers you can count are not the real numbers.

    3. Re:I think I can explain the real threat here... by gl4ss · · Score: 1

      then you're attacking/diagnosing the javascript vm. not very app agnostic at all, as is hyped in the article. they're calling diagnosing the floating point implementation a 'malware attack', which is still pretty far from it. there's a dozen other better, more reliable ways to find out if the browser is running on an iphone 3g or not.

      the name 'proc_scope' could even be intentionally chosen to make it hard to google. on top of that, the published paper

      --
      world was created 5 seconds before this post as it is.

  31. Did anyone else read this as by Snufu · · Score: 2, Funny

    '...professor specific malware?'

    I've had to sit through my share of boring lectures, but isn't this carrying things a bit far?

    1. Re:Did anyone else read this as by GameboyRMH · · Score: 1

      Good news everyone!

      I'm selling affordable viagra and replica wristwatches on my shady Asian-domain website! Also anyone who wants to see some cute dancing bunnies and/or pornography should meet me in the alley out back!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel

  32. So now the French are helping the malware authors? by gstrickler · · Score: 1

    This type of research doesn't appear to have any legitimate uses, it appears that it will only be useful to the malware authors.

    --
    make imaginary.friends COUNT=100 VISIBLE=false

  33. AIX by Anonymous Coward · · Score: 0

    At least they named it right. They just spelled it wrong. It SHOULD be aches.

  34. Government funded malware? by currently_awake · · Score: 1

    Why is an official government department working to help malware authors? If it's for hacking terrorists then it should be classified and hidden. Is this one of those weird French things where everything is backwards?

  35. Alright... by SirThe · · Score: 1

    ...so you can probably determine the processor type by having someone visit a webpage, but wouldn't infecting someone involve, oh, I don't know, taking advantage of software flaws? At which point you've already got your malware inside. Also, what the hell are you going to do with processor (or other hardware) specific malware? Sure, you can infect the drivers or firmware or whatever, but how is this different from any other vector of attack? Maybe I'm missing the point?

  36. Oh really? by Anonymous Coward · · Score: 0

    You don't install security patches? You're a real dare-devil, living on the edge like that...

    1. Re:Oh really? by jimicus · · Score: 1

      First thing you learn when you get out of your mother's basement is that a large chunk of security is risk assessment.

      Okay, so a bug has been found in (obscure library). What systems have that library installed? Do they need it installed in the first place? What services do those systems carry? How much risk is the business exposed to by this bug? Can we make a quick, painless configuration change rather than upgrade a library and go through our entire testing process to check it doesn't break anything - a long, painful and arduous process?

      More often than not, by the time you've gone through all those questions you find that actually, the bug isn't as bad as all that and you can more-or-less immunise yourself to any impact it may have without having to install the patch. This is why it's really big news when something big (like the Debian SSH debacle a couple of years ago) is found.

    2. Re:Oh really? by Anonymous Coward · · Score: 0

      First thing you learn when you get out of your mother's basement is that a large chunk of security is risk assessment.

      Yes, anyone who disagrees with you or has a different set of priorities is a basement dweller. Of course, why didn't we all see that before? When you get on your high horse like that it makes us all very eager to believe you too.

      More often than not, by the time you've gone through all those questions you find that actually, the bug isn't as bad as all that and you can more-or-less immunise yourself to any impact it may have without having to install the patch.

      Whether it is a fix or a workaround or merely an assessment of vulnerability, you do admit then that you're doing something other than "install the applications and leave it alone". Good. That wasn't too hard.

      It's like pulling teeth to get some people to acknowledge the obvious.

  37. Re:So now the French are helping the malware autho by maxwell+demon · · Score: 1

    I think the ad industry will also be interested in fingerprinting ... not for starting exploits, but for more effective tracking.

    --
    The Tao of math: The numbers you can count are not the real numbers.

  38. ESIEA is not "Superiore" but "Supérieure" by Anonymous Coward · · Score: 2, Informative

    ESIEA is "École Supérieure d'Informatique, Électronique, Automatique".
    With "supérieure", not "superiore" (which is, maybe, Italian?). Please also note the usage of the accents on some of the letters (even the capitals, as allowed in French, even if some French people do not know their usage (!)).

      Merci.

    (A verbatim translation of ESIEA would give something like "High School for Computer Science, Electronic and Control Engineering"; however, an "École Supérieure" in France is more like a college in the US, not a high school.)

  39. Yes But by Anonymous Coward · · Score: 0

    I agree Apple's strong point is UX and design of hardware aesthetics...

    In the server world that's not applicable at all - still, OS X is more than just a pretty face. Darwin is a far more suitable server OS than Windows... Server capabilities aren't crudely ad-hocked on; it was built for it - just like its BSD roots.

    Even so, it still seems pretty pointless to pay for when Linux or BSD is free and better established as a solid, reliable choice... I'm pretty ignorant of the server world but my understanding is that it's more about service than product as far as OSes go... i.e. Red Hat, Sun... so I guess the only reason for Apple to ever push its OS into that market would be to provide competing services.

  40. Re:So now the French are helping the malware autho by gstrickler · · Score: 1

    You may be correct, but I don't consider that a legitimate use any more than EverCookie is legitimate. The ad industry can track too much already, they don't need any more capability.

    --
    make imaginary.friends COUNT=100 VISIBLE=false

  41. Erm... by Anonymous Coward · · Score: 0

    "lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer"

    cat /proc/cpuinfo, anyone?

  42. Stupid but fun research by Terje+Mathisen · · Score: 1

    This paper is really about how it is still possible to fingerprint CPUs, even without using the non-privileged CPUID instruction.

    First of all, they state that using CPUID might trigger behavioral malware scanners/detectors.

    Well, guess what: more or less every single program out there contains at least one CPUID instance somewhere in the runtime library code, some of them in order to avoid known bugs (like the Pentium FDIV case), and some in order to determine which forms of SIMD instructions are available (x87 vs SSE, scalar vs MMX/SSE/SSE2/SSE3/SSSE3/SSE4, etc.).

    Secondly, before CPUID turned up around the 486/Pentium changeover, we used exactly the same kind of fingerprinting code to determine CPU versions: 8088/8086/80186/80286/386/486.

    Some of them were based on known bugs (i.e. an 808x would not disable interrupts for the instruction following a segment register load), some on the handling of undocumented opcode sequences, like an ASCII arithmetic instruction with the decimal constant replaced by another value, and some on the varying length of the instruction prefetch buffer.

    Finally, the specific example they use early on (calculating square roots) is totally broken: Square root is one of the core functions in IEEE 754 arithmetic, which means that every single cpu has to generate the same result for all possible inputs, said result being the exact answer rounded correctly according to the current rounding mode and final precision (float/double).

    The somewhat better example later in their paper uses transcendental functions, which is a much better choice, since they do tend to change between processor families and sometimes even between different versions from the same vendor.

    Terje

    --
    "almost all programming can be viewed as an exercise in caching"
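Terje's two claims above, checked in code as an added example (this is not code from the thread or from the ESIEA paper; it assumes Python 3.9+ for math.nextafter, and the probe inputs are constructed). The first function verifies with exact rational arithmetic that the platform's sqrt is correctly rounded, which is why its bit pattern cannot distinguish one IEEE 754 CPU from another; the second hashes raw result bits so a defender auditing a fingerprinting script can see which probes could actually carry information (sqrt none, sin/exp/pow possibly).

```python
import hashlib
import math
import struct
from fractions import Fraction

def double_bits(value: float) -> str:
    """Hex of the IEEE 754 big-endian encoding of a double."""
    return struct.pack(">d", value).hex()

def sqrt_bits(x: float) -> str:
    """Bit pattern of math.sqrt(x); identical on every conforming IEEE 754 CPU."""
    return double_bits(math.sqrt(x))

def sqrt_is_correctly_rounded(x: float) -> bool:
    """True if math.sqrt(x) is the double nearest the exact square root of x.

    sqrt is monotone, so r == round(sqrt(x)) exactly when x lies between the
    squares of the midpoints from r to its two neighbouring doubles (an exact
    tie is impossible for a double input). Fraction keeps every term exact,
    so no rounding error enters the check itself.
    """
    if not (x > 0.0 and math.isfinite(x)):
        raise ValueError("check is defined for positive finite x")
    r = math.sqrt(x)
    below = (Fraction(r) + Fraction(math.nextafter(r, 0.0))) / 2
    above = (Fraction(r) + Fraction(math.nextafter(r, math.inf))) / 2
    return below ** 2 <= Fraction(x) <= above ** 2

def fingerprint(fn, inputs) -> str:
    """SHA-256 over the raw result bits of fn on each input. Two machines give
    the same digest only if fn returns bit-identical results on both."""
    raw = b"".join(struct.pack(">d", fn(v)) for v in inputs)
    return hashlib.sha256(raw).hexdigest()

# Constructed probe inputs (not from the paper), inside every function's range.
PROBES = [0.5, 1.0, 2.0, 3.0, 10.0, 0.1, 123.456, 0.001]

def compare_fingerprints() -> dict:
    """The sqrt digest is pinned down by IEEE 754 correct rounding; the sin, exp
    and pow digests may legitimately differ between CPUs and libm versions."""
    return {
        "sqrt": fingerprint(math.sqrt, PROBES),
        "sin": fingerprint(math.sin, PROBES),
        "exp": fingerprint(math.exp, PROBES),
        "pow": fingerprint(lambda v: math.pow(v, 1.5), PROBES),
    }

if __name__ == "__main__":
    print("sqrt correctly rounded on all probes:", all(map(sqrt_is_correctly_rounded, PROBES)))
    print(compare_fingerprints())
```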