Micro-architectural attacks are arguably the most dangerous of all forms of systems compromise, and the most difficult to detect. They leverage flaws in the hardware design of computer chips. Flaws of this kind are largely beyond the operating system's ability to detect, or to fix with patches or anti-malware software.
Many devices that are vulnerable to micro-architectural attacks do not run traditional operating systems. Examples of very vulnerable systems include embedded systems such as industrial control systems in power plants, electronic surveillance and alarm systems, and the tsunami of “Internet of Things” devices now hitting the marketplace.
Spectre and Meltdown are two well-known recent examples of micro-architectural attacks that leverage flaws in hardware design. Because these attacks operate at such a low level in the system, they can be impossible for operating systems, or for software running higher in the processing chain, to detect.
A new proof of concept presented at the IEEE International Symposium was developed by UT-Austin professors and students and may provide a defense against these attacks. The research was funded by the National Science Foundation and Lockheed Martin.
The proof-of-concept demonstration showed that the presence of functioning micro-architectural attacks could be detected by analyzing patterns in power use and frequency. The detectors could be built into new systems, or built into batteries, power supplies or hardware-attached devices for existing systems.
These kinds of detection algorithms are currently used to watch for the behavior of traditional malware and are in some products that “sandbox” untrusted code. What is unique about this proof of concept is that it can detect malware that sandboxes cannot. Modern malware often has the ability to detect whether it has been put in a virtual machine or sandbox and, if so, goes dormant to evade the sandbox. Because the systems developed in the proof of concept sit at lower levels in the hardware, they are also nearly undetectable. In other words, the research may have developed an invisible sandbox.
Just as malware at the level of the operating system tries to evade detection by sandboxes, micro-architectural malware may attempt to avoid power-sensing algorithms. The researchers, assuming that this would be the next step in the malware arms race, investigated the issue. They determined that if micro-architectural malware tried to conceal its own power signatures, the effort would hinder its functionality by as much as 97 percent.
This new research comes in the nick of time, as evil hackers are increasingly going after these low-level systems, which control highly critical infrastructure. Hardware infrastructure is often difficult and expensive to update or replace, so a mechanism as versatile as this proof of concept demonstrates that highly effective and efficient solutions are possible.