What are Weird Machines?
The expression "weird machines" was first used in my invited talk at RSS
2009. It referred to state-of-the-art exploitation as finding
and programming an execution model (a machine, such as a virtual
automaton) within the target via crafted inputs. It was soon extended
to other methods of reliably or probabilistically influencing the
target's state. A compressed version of that original talk was given at the
Chaos Computing Congress 27c3
[slides], [video].
The concept was further elaborated in
Exploitation and State Machines by Thomas Dullien / Halvar Flake at Infiltrate 2011,
Heap Exploitation Abstraction by Example by Census Labs at OWASP 2012, and
others. A historical sketch can be found in
From Buffer Overflows to "Weird Machines" by Bratus et al.
Effort is underway to produce formal descriptions of weird machine
classes in various computing environments. Thomas Dullien's 2017
paper Weird machines, exploitability, and provable unexploitability is the
most notable recent development (see Formalisms below).
The LangSec effort is aimed
at describing and eliminating broad classes of input-related bugs and associated weird machines.
Beginnings of formalism
- Weird machines, exploitability, and provable unexploitability,
Thomas Dullien, IEEE Transactions on Emerging Topics in Computing, December 2017,
[PDF]
(also compare with "Spectre is here to stay" below)
- Exploitation as Code Reuse: On the Need of Formalization, Sergey Bratus, Anna Shubina,
Information Technology, vol. 59, no. 2, p. 93, 2017,
[PDF]
- Weird Machines as Insecure Compilation,
Jennifer Paykin, Eric Mertens, Mark Tullsen, Luke Maurer, Benoît Razet, Alexander Bakst, Scott Moore,
[arxiv.org]. See also
Project SEEC at Galois, Inc.
- Adversarial Logic, Julien Vanegue, [PDF], [slides], 2022
Recent related work
- Computing with time: microarchitectural weird machines,
Dmitry Evtyushkin, Thomas Benjamin, Jesse Elwell, Jeffrey A. Eitel, Angelo Sapello, Abhrajit Ghosh,
ASPLOS 2021,
[PDF]. The authors demonstrated that microarchitectural state could be used to construct virtual logic gates and circuits to carry out non-trivial computations entirely within the CPU transient space. They won a Distinguished paper award at ASPLOS.
- A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution by
Ian Beer & Samuel Groß of Google Project Zero, 2021,
[blog]
explains the construction of an almost pure example of a weird machine used in an actual exploit.
- Cross-Language Attacks by
Samuel Mergendahl, Nathan Burow & Hamed Okhravi, NDSS 2022,
[paper]. A groundbreaking in-depth discussion of how weird machines emerge at the internal boundaries of complex logical components.
- Spectre is here to stay: An analysis of side-channels and speculative execution,
Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest,
[paper]. The authors introduce a mathematical meta-model that explains side-channels in simulations and CPUs, which appears to be directly comparable with the weird machine approach.
- ExSpectre: Hiding Malware in Speculative Execution, Jack Wampler, Ian Martiny, Eric Wustrow, NDSS 2019,
[paper]. The authors note that their results extend research in "weird machines".
- Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector,
Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, IEEE Security and Privacy 2016,
[paper]. The authors demonstrate that the built-in memory deduplication feature of Windows 8.1 and 10, combined with RowHammer, yields a powerful weird machine.
- Framing Signals - A Return to Portable Shellcode,
Erik Bosman, Herbert Bos, IEEE Security and Privacy 2014,
[paper],
[wikipedia].
The authors show that Unix signal handling mechanisms can be generically programmed
with fake signal frames to initiate returns from signals that the kernel never really
delivered.
Original Papers
- "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata, Shapiro et al., USENIX WOOT'13
[paper],
[slides],
[video],
[mp3].
- The Page-Fault Weird Machine: Lessons in Instruction-less Computation, Bangert et al., USENIX WOOT'13
[paper],
[video],
[mp3].
- The Weird Machines in Proof-Carrying Code, Julien Vanegue, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014,
[paper].
- Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code, Oakley & Bratus, USENIX WOOT'11
[paper],
[video],
[slides],
[mp3].
Historical overviews
- Exploit Programming: from Buffer Overflows to Weird Machines and Theory of Computation,
Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, Anna Shubina, USENIX ;login: 2011
[PDF]
- The Halting Problems of Internet Insecurity, Len Sassaman, Meredith L. Patterson, Sergey Bratus, Anna Shubina, USENIX ;login: 2011
[PDF]
Strange & radiant machines
(exploits that borrow existing computation in unexpected ways)
PHY layer
- Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios, Goodspeed et al., USENIX WOOT'11
[paper],
[blog],
[video] -- borrows simple machines in the digital radio PHY layer.
- Phantom Boundaries and Cross-layer Illusions in 802.15.4 Digital Radio, Travis Goodspeed, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014,
[paper].
- Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface, Barisani et al., BlackHat USA
[paper]
[slides] -- includes packet-in-packet for 802.3/Ethernet.
See also
BabylonPHY.org,
DemystiPHY.org.
Embedded Systems
- Interrupt-oriented bugdoor programming: a minimalist approach to bugdooring embedded systems firmware,
Samuel J. Tan, Sergey Bratus, Travis Goodspeed, ACSAC 2014
[PDF]
Higher network layers
- BGP: Using Routers to Build Logic Circuits: How Powerful is BGP?, Marco Chiesa et al., 2013,
[paper];
- Computing with BGP: from Routing Configurations to Turing Machines, Marco Chiesa et al., 2012,
[paper]
Intra-OS machines
Other papers on x86
Games
Other Lists