What are Weird Machines?
The expression "weird machines" was first used in the RSS 2009 talk. It referred to state-of-the-art exploitation as finding and programming an execution model (a machine, such as a virtual automaton) within the target via crafted inputs. It was soon extended to other methods of reliably or probabilistically influencing the target's state. A compressed version of that original talk was given at the Chaos Communication Congress 27c3 [slides], [video].
The concept was further elaborated in Exploitation and State Machines by Thomas Dullien / Halvar Flake at Infiltrate 2011, Heap Exploitation Abstraction by Example by Census Labs at OWASP 2012, and others. A historical sketch can be found in From Buffer Overflows to "Weird Machines" by Bratus et al.
Effort is underway to produce formal descriptions of weird machine classes in various computing environments. Thomas Dullien's 2017 paper Weird machines, exploitability, and provable unexploitability is the most notable recent development (see Formalisms below).
The LangSec effort is aimed at describing and eliminating broad classes of input-related bugs and associated weird machines.
Beginnings of formalism
- Weird machines, exploitability, and provable unexploitability, Thomas Dullien, IEEE Transactions on Emerging Topics in Computing, December 2017, [PDF] (also compare with "Spectre is here to stay" below)
- Exploitation as Code Reuse: On the Need of Formalization, Sergey Bratus, Anna Shubina, Information Technology, vol. 59, no. 2, p. 93, 2017, [PDF]
Recent related work
- ExSpectre: Hiding Malware in Speculative Execution, Jack Wampler, Ian Martiny, Eric Wustrow, NDSS 2019, [paper]. The authors note that their results extend research in "weird machines".
- Spectre is here to stay: An analysis of side-channels and speculative execution, Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest, [paper]. The authors introduce a mathematical meta-model that explains side-channels in simulations and CPUs, which appears to be directly comparable with the weird machine approach.
- Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, IEEE Security and Privacy 2016, [paper]. The authors demonstrate that the built-in memory deduplication feature of Windows 8.1-10, combined with RowHammer, yields a powerful weird machine.
- Framing Signals - A Return to Portable Shellcode, Erik Bosman, Herbert Bos, IEEE Security and Privacy 2014, [paper], [wikipedia]. The authors show that Unix signal handling mechanisms can be generically programmed with fake signal frames to initiate returns from signals that the kernel never really delivered.
Original Papers
- "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata, Shapiro et al., USENIX WOOT'13, [paper], [slides], [video], [mp3].
- The Page-Fault Weird Machine: Lessons in Instruction-less Computation, Bangert et al., USENIX WOOT'13, [paper], [video], [mp3].
- The Weird Machines in Proof-Carrying Code, Julien Vanegue, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014, [paper].
- Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code, Oakley & Bratus, USENIX WOOT'11, [paper], [video], [slides], [mp3].
Historical overviews
- Exploit Programming: from Buffer Overflows to Weird Machines and Theory of Computation, Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, Anna Shubina, USENIX ;login: 2011, [PDF]
- The Halting Problems of Internet Insecurity, Len Sassaman, Meredith L. Patterson, Sergey Bratus, Anna Shubina, USENIX ;login: 2011, [PDF]
Strange & radiant machines
(exploits that borrow existing computation in unexpected ways)
PHY layer
- Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios, Goodspeed et al., USENIX WOOT'11, [paper], [blog], [video] -- borrows simple machines in the digital radio PHY layer.
- Phantom Boundaries and Cross-layer Illusions in 802.15.4 Digital Radio, Travis Goodspeed, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014, [paper].
- Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface, Barisani et al., BlackHat USA, [paper], [slides] -- includes packet-in-packet for 802.3/Ethernet.
See also BabylonPHY.org, DemystiPHY.org.
Embedded Systems
- Interrupt-oriented bugdoor programming: a minimalist approach to bugdooring embedded systems firmware, Samuel J. Tan, Sergey Bratus, Travis Goodspeed, ACSAC 2014, [PDF]
Higher network layers
- BGP: Using Routers to Build Logic Circuits: How Powerful is BGP?, Marco Chiesa et al., 2013, [paper]; Computing with BGP: from Routing Configurations to Turing Machines, Marco Chiesa et al., 2012, [paper]
Intra-OS machines
Other papers on x86
Games
Other Lists