Chapter

A High Efficiency and Accuracy Method for x86 Undocumented Instruction Detection and Classification

Abstract

Processors are important parts of a computer and have long been believed to be secure. In recent years, research has shown that processors are, on the contrary, full of undocumented instructions, which are caused by design flaws or intentionally hidden by manufacturers. Undocumented instructions can be detected using fuzzing technology, but existing methods have low efficiency and accuracy. Furthermore, to analyze the function of detected instructions, a classification method is necessary to reduce the large number of detected undocumented instructions. Therefore, this paper introduces a high-efficiency instruction searching and classification method based on instruction format analysis. Results show that our method finds 10 times as many undocumented instructions as an existing tool in just 30% of the execution time. Also, after classification, the large quantity of detection results can be reduced to fewer than 10000 instructions, which is a reasonable amount for further research.

... UISfuzz improves the mining efficiency by 5.57 times and reduces the memory overhead by 18.46 times compared to Sandsifter. The instruction search method named HEAM [27] proposed by Jiatong Wu et al. reduces its search time to 30% compared with the Sandsifter. They also proposed a classification method based on the instruction format to identify the actual function of undocumented instructions. ...
Article
As recently studied, the undocumented instructions in embedded processors that may cause catastrophic results for devices have become one of the main threats to system security. To tackle this issue, in this paper, we propose an undocumented instruction mining tool for digital signal processors named DSPUIM that can find out the undocumented instructions from the frequently used Digital Signal Processors (DSP) in network information systems. First, we analyzed the characteristics of the DSP instruction format to compress the instruction search space and improve the instruction search speed. Second, according to the public instruction set of DSPs, we built an instruction disassembly framework that helped us to identify all the undefined instructions. Finally, by testing the executability of undefined instructions automatically, we obtained the undocumented instructions for target DSPs. To demonstrate the effectiveness of our tool, we applied it on ten DSP processors of Texas Instruments (TI) and mined 335 undocumented instructions from them within 5 min. Some undocumented instructions have malicious functions, such as changing registers and denial of service, posing a security threat to the network devices using DSPs.
... RPL is gaining much traction in industrial applications since it meets most of the fundamental criteria and, with the existing enhancements, can be used to create a versatile, reliable, and scalable routing solution. GTM-RPL improves RPL's performance by allowing it to handle mobile nodes and optimize throughput, making it a viable option for industrial uses [184]. ...
Article
IPv6 routing protocol for low-power and lossy networks (RPL) has been developed as a routing agent in low-power and lossy networks (LLN), where nodes’ resource constraint nature is challenging. This protocol operates at the network layer and can create routing and optimally distribute routing information between nodes. RPL is a low-power, high-throughput IPv6 routing protocol that uses distance vectors. Each sensor-to-wire network router has a collection of fixed parents and a preferred parent on the path to the Destination-oriented directed acyclic graph (DODAG) graph’s root in steady-state. Each router part of the graph sends DODAG information object (DIO) control messages and specifies its rank within the graph, indicating its position within the network relative to the root. When a node receives a DIO message, it determines its network rank, which must be higher than all its parents’ rank, and then continues sending DIO messages using the trickle timer. As a result, DODAG begins at the root and eventually extends to encompass the whole network. This paper is the first review to study intrusion detection systems in the RPL protocol based on machine learning (ML) techniques to the best of our knowledge. The complexity of the new attack models identified for RPL and the efficiency of ML in intelligent and collaborative threats detection, and the issues of deploying ML in challenging LLN environments underscore the importance of research in this area. The analysis is done using research sources of “Google Scholar,” “Crossref,” “Scopus,” and “Web of Science” resources. The evaluations are assessed for studies from 2016 to 2021. The results are illustrated with tables and figures.
Article
With the rapid development of network security and the frequent appearance of CPU vulnerabilities, CPU security has gradually raised great attention and become a crucial issue in the computer field. Undocumented instructions, as one of the important threats to system security, are an important entry for CPU security research. Using fuzzing technology can automatically test the CPU instruction set and discover potential undocumented instructions, but the existing methods are of slow search speed and low accuracy. Therefore, this paper designs an efficient fuzzing method (UISFuzz) for undocumented instruction searching. This method has the following merits: (1) the instruction search speed is greatly improved by an automatic instruction format recognition, as the low efficient part of the known instruction format is skipped and therefore the instruction search space is much narrowed; (2) the false positive rate is reduced by a recheck mechanism based on the expert knowledge database to filter the wrongly found instructions; (3) the overhead of the method is decreased by optimizing the result analysis program, and the scope of the system is expanded, where more processors with lower performance are compatible. Typical CPU experimental results show that the UISFuzz can successfully find undocumented instructions in the CPUs and simultaneously improve the time efficiency by 5 times compared with existing tools.
Article
Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side-channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim's process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, such as operating system process separation, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing and side-channel attacks. These attacks represent a serious threat to actual systems because vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. Although makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
Conference Paper
Malicious modification of hardware during design or fabrication has emerged as a major security concern. Such tampering (also referred to as Hardware Trojan) causes an integrated circuit (IC) to have altered functional behavior, potentially with disastrous consequences in safety-critical applications. Conventional design-time verification and post-manufacturing testing cannot be readily extended to detect hardware Trojans due to their stealthy nature, inordinately large number of possible instances and large variety in structure and operating mode. In this paper, we analyze the threat posed by hardware Trojans and the methods of deterring them. We present a Trojan taxonomy, models of Trojan operations and a review of the state-of-the-art Trojan prevention and detection techniques. Next, we discuss the major challenges associated with this security concern and future research needs to address them.
Conference Paper
The current electronic-economy is booming, electronic-wallets, encrypted virtual-money, mobile payments, and other new generations of economic instruments are springing up. As the most important cornerstone, CPU is facing serious security challenges. And with the blowout of actual application requirements, the importance of CPU security testing is increasing. However, the actual security threats to computer systems are also becoming increasingly rampant (now attackers often use multiple different types of vulnerabilities to construct complex attack systems, not just a single attack chain). The traditional vulnerability detection model is not capable of comprehensive security assessment. We first proposed a comprehensive CPU Security Benchmark solution with high coverage for existing known vulnerabilities, including Undocumented Instructions detection, Control Flow Integrity test, Memory Errors detection, and Cache Side Channels detection, Out of Order and Speculative execution vulnerabilities (Meltdown and Spectre series) tests, and more. Our benchmark provides meaningful and constructive feedbacks for evading architecture/microarchitecture design flaws, system security (OS and libraries) software patches design, and user programming vulnerabilities tips. We hope that the work of this paper will promote the computer system security testing from the past scatter point and line mode (single specific vulnerability and attack chain testing) to coordinated and whole surface mode (multi-type vulnerabilities and attack network testing), thus creating a new research direction of the comprehensive and balanced CPU Security Benchmark. Our test suite will play an inspiring role in the comprehensive assessment of security in personal computer devices (PC/Mobile Phone) and large server clusters (Servers/Cloud), as well as the construction of more secure Block-Chain nodes (IOT), and many other practical applications.
Article
In this paper, we present the security implications of x86 processor bugs or backdoors on operating systems and virtual machine monitors. We will not try to determine whether the backdoor threat is realistic or not, but we will assume that a bug or a backdoor exists and analyze the consequences on systems. We will show how it is possible for an attacker to implement a simple and generic CPU backdoor in order—at some later point in time—to bypass mandatory security mechanisms with very limited initial privileges. We will explain practical difficulties and show proof of concept schemes using a modified Qemu CPU emulator. Backdoors studied in this paper are all usable from the software level without any physical access to the hardware.
Conference Paper
TIS (test instruction set) is an instruction level technique for CPU core self-testing. This method is based on enhancing a CPU instruction set with test instructions. TIS replaces the NOP instruction that is available in most processors with test instructions so that online testing can be done with no performance penalty. This method can be applied to both offline and online (concurrent) testing of all types of processors (single-cycle, multi-cycle and pipelined). TIS is appropriate for pipelined architectures in which one or many NOP instructions (or stalls) are inserted between instructions that are data or control dependent. We have implemented this test method on a pipelined CPU core and several test programs for this pipelined CPU are used to illustrate the method. Also fault coverage results are presented to demonstrate the effectiveness of the TIS test technique.
A systematic evaluation of transient execution attacks and defenses
  • C Canella
Real time detection of spectre and meltdown attacks using machine learning
  • B A Ahmad
A performance evaluation of platform-independent methods to search for hidden instructions on RISC processors
  • R Dofferhoff
CPU bugs, CPU backdoors and consequences on security
  • L Duflot