ExSpectre: Hiding Malware in Speculative Execution

2019 
Recently, the Spectre and Meltdown attacks revealed serious vulnerabilities in modern CPU designs, allowing an attacker to exfiltrate data from sensitive programs. These vulnerabilities take advantage of speculative execution to coerce a processor to perform computation that would otherwise not occur, leaking the resulting information via side channels to an attacker.

In this paper, we extend these ideas in a different direction, and leverage speculative execution in order to hide malware from both static and dynamic analysis. Using this technique, critical portions of a malicious program's computation can be shielded from view, such that even a debugger following an instruction-level trace of the program cannot tell how its results were computed.

We introduce ExSpectre, which compiles arbitrary malicious code into a seemingly-benign payload binary. When a separate trigger program runs on the same machine, it mistrains the CPU's branch predictor, causing the payload program to speculatively execute its malicious payload, which communicates speculative results back to the rest of the payload program to change its real-world behavior.

We study the extent and types of execution that can be performed speculatively, and demonstrate several computations that can be performed covertly. In particular, within speculative execution we are able to decrypt memory using AES-NI instructions at over 11 kbps. Building on this, we decrypt and interpret a custom virtual machine language to perform arbitrary computation and system calls in the real world. We demonstrate this with a proof-of-concept dial-back shell, which takes only a few milliseconds to execute after the trigger is issued.

We also show how our corresponding trigger program can be a pre-existing benign application already running on the system, and demonstrate this concept with OpenSSL driven remotely by the attacker as a trigger program.

ExSpectre demonstrates a new kind of malware that evades existing reverse engineering and binary analysis techniques. Because its true functionality is contained in seemingly unreachable dead code, and its control flow is driven externally by potentially any other program running at the same time, ExSpectre poses a novel threat to state-of-the-art malware analysis techniques.