What are Weird Machines?
The expression "weird machines" was first used in a
2009 talk. It referred to state-of-the-art exploitation as finding
and programming an execution model (a machine, such as a virtual
automaton) within the target via crafted inputs. It was soon extended
to other methods of reliably or probabilistically influencing the
target's state. A compressed version of that original talk was given at the
Chaos Computing Congress 27c3.
The concept was further elaborated in
Exploitation and State Machines by Thomas Dullien / Halvar Flake at Infiltrate 2011,
Abstraction by Example by Census Labs at OWASP 2012, and
others. A historical sketch can be found in
From Buffer Overflows to "Weird Machines" by Bratus et al.
Effort is underway to produce formal descriptions of weird machine classes in various
computing environments. The LangSec effort is aimed
at describing and eliminating broad classes of input-related bugs and associated weird machines.
- "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata, Shapiro et al., USENIX WOOT'13
- The Page-Fault Weird Machine: Lessons in Instruction-less Computation, Bangert et al., USENIX WOOT'13
- The Weird Machines in Proof-Carrying Code, Julien Vanegue, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014
- Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code, Oakley & Bratus, USENIX WOOT'11
Strange & radiant machines:
(exploits that borrow existing computation in unexpected ways)
- Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios, Goodspeed et al., USENIX WOOT'11 [video] -- borrows simple machines in the digital radio PHY layer.
- Phantom Boundaries and Cross-layer Illusions in 802.15.4 Digital Radio, Travis Goodspeed, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014
- Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface, Barisani et al., BlackHat USA [slides] -- includes packet-in-packet for 802.3/Ethernet
Higher network layers:
- BGP: Using Routers to Build Logic Circuits: How Powerful is BGP?, Marco Chiesa et al., 2013; Computing with BGP: from Routing Configurations to Turing Machines, Marco Chiesa et al., 2012
Other papers on x86