Researchers hide malware in benign apps with the help of speculative execution

Speculative execution is the CPU optimization feature where the Meltdown and Spectre flaws were discovered last year.

A team of academics from the University of Colorado Boulder (UCB) has found a way to hide malware operations by leveraging the process of "speculative execution," the same CPU feature where the Meltdown and Spectre vulnerabilities were discovered last year.

The speculative execution technique is a performance-boosting feature of modern processors where the CPU runs computations in advance (speculative execution threads) and then selects the execution thread that an application needs, discarding the other speculative execution threads and their data.

The Meltdown and Spectre vulnerabilities allow hackers to retrieve data from these speculative execution threads before the data is cleared from the CPU cache memory.
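To make the security relevance of that last point concrete, here is an added example (written for this article, not code from the ExSpectre paper or from any named vendor) of the software-level hardening that defenders apply against one of the Spectre variants: a bounds-check that protects the architectural result but not the speculative path, beside a branchless index-masking version modelled on the pattern the Linux kernel uses in `array_index_nospec`. The lookup table, its size and the function names are constructed for the example; the empty inline `asm` barrier assumes GCC or Clang. The page's own point stands: the researchers say this kind of software fix does not address ExSpectre-class hiding, which needs silicon changes.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 16-entry lookup table; in a real program this might hold
 * a secret-dependent value that a speculative out-of-bounds read could
 * leak through the cache. */
#define TABLE_SIZE 16
static const uint8_t table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Returns all-ones when idx < size and all-zeros otherwise, without a
 * branch. Because there is no conditional jump here, there is nothing
 * for the CPU's branch predictor to guess wrong: the mask is correct on
 * the speculative path as well as the architecturally retired one.
 *
 * For in-range idx, both idx and (size - 1 - idx) are small, so their OR
 * has a clear top bit; for any out-of-range idx the subtraction wraps and
 * the top bit is set. Requires size <= SIZE_MAX / 2, which holds here. */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = (size_t)0 - (top ^ 1);
    /* Keep the optimiser from proving mask == ~0 inside the bounds check
     * and deleting the AND below (the kernel uses a similar barrier). */
    __asm__ __volatile__("" : "+r"(mask));
    return mask;
}

/* Clamp an index so that it can only ever address table[0..size-1],
 * even while the CPU is speculating past a mispredicted bounds check. */
size_t masked_index(size_t idx, size_t size)
{
    return idx & index_mask_nospec(idx, size);
}

/* Naive lookup: the architectural result is correct, but if the branch
 * is mispredicted the CPU may speculatively execute table[idx] with an
 * attacker-chosen idx before the check is resolved. */
uint8_t lookup_naive(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return 0;
}

/* Hardened lookup: same check, but the index used for the load is also
 * masked, so the speculative access stays inside the table. */
uint8_t lookup_nospec(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[masked_index(idx, TABLE_SIZE)];
    return 0;
}

int main(void)
{
    /* Both functions return the same architectural values; the
     * difference is only visible on the speculative path. */
    return lookup_naive(3) == lookup_nospec(3) ? 0 : 1;
}
```

The two lookups are indistinguishable by output or by a debugger stepping through retired instructions, which is exactly why speculative-execution issues are hard to reason about from source or traces alone; the mask only matters for the instructions the CPU runs and then throws away.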

Over the past year, security researchers have identified and publicized numerous different methods of retrieving data from speculative execution operations [1, 2, 3, 4, 5, 6].

But in research presented this week at the NDSS 2019 security conference, UCB academics showed that speculative execution could be used for purposes other than data theft, revealing that speculative execution threads can serve as a secret place to hide malicious commands.

The technique, which they named ExSpectre, implies the creation of benign application binaries that victims install on their systems, thinking they are safe, and which, indeed, appear to be safe when scanned with security software apps.

But in reality, these binaries can be configured (after receiving an external trigger, either user/network input or another app running on the system) to launch well-orchestrated speculative execution threads that manipulate the benign app into executing malicious operations.

"We show this using the OpenSSL library as a benign trigger program in Section V-A, activating a malicious payload program when an adversary repeatedly connects to the infected OpenSSL server using a TLS connection with a specific cipher suite," UCB researchers said.

In other examples, researchers say they also used the ExSpectre technique to decrypt encrypted memory and even manipulate apps to open a local reverse shell to an attacker-controlled location and allow it to run commands on the victim machine.

"When I first saw this paper, I immediately thought that this is a very neat way to hide malware," said Daniel Gruss, one of the researchers who discovered the Meltdown and Spectre flaws, and who last month revealed a research paper with a similar idea of hiding malware inside a legitimate CPU feature: Intel's SGX enclaves.

"Very interesting idea," Gruss added. "It shows that speculative execution can be used in other malicious ways as well, so I would say that's even more important as it broadens our understanding of speculative execution and the fundamentally different types of malicious operations it allows."

Further, because of the way it works, ExSpectre-class malware is currently undetectable, according to the UCB researchers.

"Using [ExSpectre], critical portions of a malicious program's computation can be shielded from view, such that even a debugger following an instruction-level trace of the program cannot tell how its results were computed," the UCB research team said.

"This technique defeats existing static and dynamic analysis, making it especially difficult for malware analysts to determine what a binary will do," they added.

Stopping attacks with malware coded to use the ExSpectre technique isn't possible at the moment, researchers said, at least at the software level.

"Ultimately, silicon and microarchitecture patches will be needed to secure CPUs against this kind of malware," they said, echoing the conclusion of a similar research paper authored by Google researchers, who also concluded that the Spectre flaw could never be eradicated at the software level, and a new generation of CPU hardware may be needed.

More details about the UCB research are available in the whitepaper entitled "ExSpectre: Hiding Malware in Speculative Execution."