Processor morphs its architecture to make hacking harder


Researchers have built a processor that uses encryption to change its memory architecture at runtime, making memory-based vulnerabilities hard to exploit.

If the technique behind a "morphing" processor architecture is widely adopted, exploiting memory leaks, injecting code into processes, and mounting various side-channel attacks could all become considerably harder.

The research project, called Morpheus, is a set of architectural changes to the processor. They implement two kinds of protection: randomization of the processor state that programs depend on to execute, and periodic re-encryption of that state, a process called "churn." The first technique lets the processor change its layout, forcing an attacker to reverse-engineer that layout before a vulnerability can be exploited. The second changes the layout quickly enough that the attacker cannot finish the reverse engineering in time.

Todd Austin, professor of electrical engineering and computer science at the University of Michigan and leader of the Morpheus project, said the new architecture can help break the endless cycle of vulnerability discovery and patching by making vulnerabilities less useful to attackers.

"The vast majority of work in the field of computer science is 'How do I find and fix vulnerabilities?'" he said. "We are on the other side. Our technology recognizes that exploits are different from vulnerabilities, so we asked, 'What is the juicy bit that an attacker wants to access after discovering a vulnerability?' That's pointers, code, address-space organization, and all kinds of other things; these are what we encrypt."

The multi-university team also includes members from Princeton University and the University of Texas at Austin, and is part of the Defense Advanced Research Projects Agency (DARPA) System Security Integration Through Hardware and Firmware (SSITH) program. From July to October last year, the SSITH team ran a Star Wars-themed bug bounty contest, called Finding Exploits to Thwart Tampering (FETT), that let nearly 600 hackers attack the various processor designs.

Every platform had to implement the open-source RISC-V instruction set and run software with known vulnerabilities. The red team, made up of government and freelance hackers, did not have to hunt for vulnerabilities; its job was to find ways to exploit the known ones on each hardware platform. Although the attackers found 10 vulnerabilities across the candidate architectures, Morpheus was one of the designs that repelled every attack.

"FETT challenged the performers and matured the architectures under development," Keith Rebello, the DARPA program manager who leads the SSITH and FETT programs, said in a statement earlier this year. "Several research teams were forced to document the use and benefits of their security frameworks in a rigorous and easy-to-understand manner, which will ultimately help third parties understand and use these secure processors in operations."

The researchers pointed out that attackers usually rely on undefined semantics, program behavior that the language leaves undefined, as in buffer overflows and return-oriented programming. The Morpheus project identified the state that such undefined semantics depend on, such as pointers and code addresses, and protected it with an ensemble of moving target defenses (EMTD). The processor then periodically re-encrypts the pointers covered by the EMTD, in effect creating a new memory layout that the attacker knows nothing about. This process is called "churn."

Initially, the researchers rotated the key every 100 milliseconds, which caused significant processor overhead, up to 10%. In the processor built for the DARPA tests last summer, they extended the churn period to a few seconds and cut the overhead to less than 2%.

"The role of the churn mechanism is to reset all defenses, so that any detection or reverse engineering or side channel that has occurred, basically all of that progress, is lost," he said. "In fact, unless they mechanize the attack, it is difficult for humans to solve the problem within a minute."

The researchers have since improved the design and will present the second architecture, Morpheus 2, in a future paper.

The technology uses an encryption algorithm called SIMON, developed by the National Security Agency: a lightweight block cipher designed to run fast in hardware on IoT devices. SIMON and its sibling cipher SPECK were the subject of considerable controversy after the International Organization for Standardization (ISO) rejected them in 2018, but the Morpheus design only needs the cipher to keep data secret for less than a minute at a time, until the next churn replaces the key.
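The pointer encryption and churn described above, as an added example that is not part of the article or of the Morpheus project: a software model in which every stored pointer is ciphertext and a churn re-keys all live pointers. It assumes the Simon64/128 parameter set (the article does not say which SIMON variant Morpheus uses, and the cipher here is implemented from the NSA specification), and the domain, key and churn bookkeeping are this example's own constructions, not a description of the hardware.

```c
/* Added example, not Morpheus code: pointer encryption with churn, modeled
 * in software.  Simon64/128 follows the NSA spec; the ptr_domain model and
 * the constructed keys are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIMON_ROUNDS 44   /* Simon64/128: 32-bit words, 4 key words, 44 rounds */

static uint32_t rotl32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }
static uint32_t rotr32(uint32_t x, unsigned r) { return (x >> r) | (x << (32 - r)); }
/* Simon round function: (S^1 x & S^8 x) ^ S^2 x */
static uint32_t f32(uint32_t x) { return (rotl32(x, 1) & rotl32(x, 8)) ^ rotl32(x, 2); }

/* Key schedule; key[0] is the least significant key word. */
void simon64_128_expand(const uint32_t key[4], uint32_t rk[SIMON_ROUNDS]) {
    uint64_t z = 0xfc2ce51207a635dbULL;   /* z3 constant sequence, LSB first */
    memcpy(rk, key, 4 * sizeof(uint32_t));
    for (int i = 4; i < SIMON_ROUNDS; i++) {
        uint32_t tmp = rotr32(rk[i - 1], 3) ^ rk[i - 3];
        tmp ^= rotr32(tmp, 1);
        rk[i] = ~rk[i - 4] ^ tmp ^ (uint32_t)(z & 1) ^ 3u;
        z >>= 1;
    }
}
/* A block is (x << 32) | y, with x the left Feistel half. */
uint64_t simon64_128_encrypt(const uint32_t rk[SIMON_ROUNDS], uint64_t block) {
    uint32_t x = (uint32_t)(block >> 32), y = (uint32_t)block;
    for (int i = 0; i < SIMON_ROUNDS; i++) {
        uint32_t t = x;
        x = y ^ f32(x) ^ rk[i];
        y = t;
    }
    return ((uint64_t)x << 32) | y;
}
uint64_t simon64_128_decrypt(const uint32_t rk[SIMON_ROUNDS], uint64_t block) {
    uint32_t x = (uint32_t)(block >> 32), y = (uint32_t)block;
    for (int i = SIMON_ROUNDS - 1; i >= 0; i--) {
        uint32_t t = y;
        y = x ^ f32(y) ^ rk[i];
        x = t;
    }
    return ((uint64_t)x << 32) | y;
}
/* Known-answer test from the Simon specification; returns 1 on success. */
int simon64_128_kat(void) {
    const uint32_t key[4] = {0x03020100u, 0x0b0a0908u, 0x13121110u, 0x1b1a1918u};
    uint32_t rk[SIMON_ROUNDS];
    simon64_128_expand(key, rk);
    uint64_t ct = simon64_128_encrypt(rk, 0x656b696c20646e75ULL);
    return ct == 0x44c8fc20b9dfa07aULL && simon64_128_decrypt(rk, ct) == 0x656b696c20646e75ULL;
}

/* --- Pointer-encryption domain with churn (this example's own model) --- */
#define MAX_LIVE 8
struct ptr_domain {
    uint32_t rk[SIMON_ROUNDS];   /* current pointer key */
    uint64_t live[MAX_LIVE];     /* encrypted pointers the "hardware" tracks */
    int nlive;
};
/* Storing a pointer puts ciphertext, not the address, into memory. */
int domain_store(struct ptr_domain *d, uintptr_t ptr) {
    d->live[d->nlive] = simon64_128_encrypt(d->rk, (uint64_t)ptr);
    return d->nlive++;
}
/* Dereference path: decrypt under the current key. */
uintptr_t domain_load(const struct ptr_domain *d, uint64_t enc) {
    return (uintptr_t)simon64_128_decrypt(d->rk, enc);
}
/* Churn: switch keys and re-encrypt every live pointer, so any copy an
 * attacker took earlier is now ciphertext under a dead key. */
void domain_churn(struct ptr_domain *d, const uint32_t new_key[4]) {
    uint32_t new_rk[SIMON_ROUNDS];
    simon64_128_expand(new_key, new_rk);
    for (int i = 0; i < d->nlive; i++)
        d->live[i] = simon64_128_encrypt(new_rk, simon64_128_decrypt(d->rk, d->live[i]));
    memcpy(d->rk, new_rk, sizeof new_rk);
}
/* Scenario: attacker leaks an encrypted pointer, churn runs, attacker replays it.
 * Returns 1 if the stale value still resolves to the target, 0 if it does not,
 * -1 if the legitimate path itself broke. */
int leaked_pointer_survives_churn(void) {
    static char target[16];
    /* Constructed keys for the example; hardware would draw them from an RNG. */
    const uint32_t k1[4] = {0x03020100u, 0x0b0a0908u, 0x13121110u, 0x1b1a1918u};
    const uint32_t k2[4] = {0xdeadbeefu, 0x0badf00du, 0xfeedfaceu, 0xc0ffee00u};
    struct ptr_domain d = {.nlive = 0};
    simon64_128_expand(k1, d.rk);
    int slot = domain_store(&d, (uintptr_t)target);
    uint64_t leaked = d.live[slot];                  /* info leak before churn */
    if (domain_load(&d, leaked) != (uintptr_t)target) return -1;
    domain_churn(&d, k2);                            /* churn period elapses */
    if (domain_load(&d, d.live[slot]) != (uintptr_t)target) return -1; /* legitimate use still works */
    return domain_load(&d, leaked) == (uintptr_t)target; /* replay of the stale ciphertext */
}
int main(void) {
    printf("Simon64/128 KAT: %s\n", simon64_128_kat() ? "ok" : "FAIL");
    printf("leaked pointer usable after churn: %d\n", leaked_pointer_survives_churn());
    return 0;
}
```

The point of the model is the last line of `leaked_pointer_survives_churn`: the attacker's copy is a valid ciphertext, but under the post-churn key it decrypts to an unrelated address, so an exploit that depended on it must start its leak over. The cipher only has to hold for one churn period, which is why a lightweight cipher is acceptable here even though it would be a poor choice for long-lived data.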

The proliferating IoT devices often cannot run much security software, which means that most of the security of these lightweight systems has to come from the processor itself.

The Morpheus architecture, along with the other processor designs that survived the FETT competition, should be able to block exploits of buffer errors, privilege escalation, resource-management flaws, information leaks, numeric errors, code injection, and cryptographic errors.

A senior technical reporter for more than 20 years. Former research engineer. Contributed to more than two dozen publications, including CNET, Dark Reading, MIT Technology Review, Popular Science, and Wired News. Five journalism awards, including the best deadline…
