What are Weird Machines?

 

The expression "weird machines" was first used in the RSS 2009 talk. It referred to state-of-the-art exploitation as finding and programming an execution model (a machine, such as a virtual automaton) within the target via crafted inputs. It was soon extended to other methods of reliably or probabilistically influencing the target's state. A compressed version of that original talk was given at the Chaos Computing Congress 27c3 [slides], [video].

The concept was further elaborated in Exploitation and State Machines by Thomas Dullien / Halvar Flake at Infiltrate 2011, Heap Exploitation Abstraction by Example by Census Labs at OWASP 2012, and others. A historical sketch can be found in From Buffer Overflows to "Weird Machines" by Bratus et al.

Effort is underway to produce formal descriptions of weird machine classes in various computing environments. Thomas Dullien's 2017 paper Weird machines, exploitability, and provable unexploitability is the most notable recent development (see Formalisms below).

The LangSec effort is aimed at describing and eliminating broad classes of input-related bugs and associated weird machines.

Beginnings of formalism

• Weird machines, exploitability, and provable unexploitability, Thomas Dullien, IEEE Transactions on Emerging Topics in Computing, December 2017, [PDF] (also compare with "Spectre is here to stay" below)
• Exploitation as Code Reuse: On the Need of Formalization, Sergey Bratus, Anna Shubina, Information Technology, vol. 59, no. 2, p. 93, 2017, [PDF]

Recent related work

• ExSpectre: Hiding Malware in Speculative Execution, Jack Wampler, Ian Martiny, Eric Wustrow, NDSS 2019, [paper]. The authors note that their results extend research in "weird machines".
• Spectre is here to stay: An analysis of side-channels and speculative execution, Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest, [paper]. The authors introduce a mathematical meta-model that explains side-channels in simulations and CPUs, which appears to be directly comparable with the weird machine approach.
• Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector, Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, IEEE Security and Privacy 2016, [paper]. The authors demonstrate that Windows 8.1-10 built-in memory deduplication feature combined with RowHammer yields a powerful weird machine.
• Framing Signals - A Return to Portable Shellcode, Erik Bosman, Herbert Bos, IEEE Security and Privacy 2014, [paper], [wikipedia]. The authors show that Unix signal handling mechanisms can be generically programmed with fake signal frames to initiate returns from signals that the kernel never really delivered.

Original Papers

• "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata, Shapiro et al., USENIX WOOT'13 [paper], [slides], [video], [mp3].
• The Page-Fault Weird Machine: Lessons in Instruction-less Computation, Bangert et al., USENIX WOOT'13 [paper], [video], [mp3].
• The Weird Machines in Proof-Carrying Code, Julien Vanegue, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014, [paper].
• Exploiting the Hard-Working DWARF: Trojan and Exploit Techniques with No Native Executable Code, Oakley & Bratus, USENIX WOOT'11 [paper], [video], [slides], [mp3].

Historical overviews

• Exploit Programming: from Buffer Overflows to Weird Machines and Theory of Computation, Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, Anna Shubina, USENIX ;login: 2011 [PDF]
• The Halting Problems of Internet Insecurity, Len Sassaman, Meredith L. Patterson, Sergey Bratus, Anna Shubina, USENIX ;login: 2011 [PDF]

Strange & radiant machines

(exploits that borrow existing computation in unexpected ways)

PHY layer

• Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios, Goodspeed et al., USENIX WOOT'11 [paper], [blog], [video] -- borrows simple machines in digital radio PHY layer.
• Phantom Boundaries and Cross-layer Illusions in 802.15.4 Digital Radio, Travis Goodspeed, 1st IEEE Language-theoretic Security & Privacy Workshop, 2014, [paper].
• Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface, Barisani et al. BlackHat USA [paper] [slides] -- includes packet-in-packet for 802.3/Ethernet

See also BabylonPHY.org, DemystiPHY.org.

Embedded Systems

• Interrupt-oriented bugdoor programming: a minimalist approach to bugdooring embedded systems firmware, Samuel J. Tan, Sergey Bratus, Travis Goodspeed, ACSAC 2014 [PDF]

Higher network layers

• BGP: Using Routers to Build Logic Circuits: How Powerful is BGP?, Marco Chiesa et al., 2013, [paper]; Computing with BGP: from Routing Configurations to Turing Machines, Marco Chiesa et al., 2012, [paper]

Intra-OS machines

• Julia Wolf's Analysis of the Windows Kernel TrueType Font Engine Vulnerability (MS11-087) -- programs the TTF rendering automaton with a crafted font to "render" over kernel memory.
• Tavis Ormandy's Fun with Constrained Programming --"Believe it or not, RAR files can contain bytecode for a simple x86-like virtual machine called the RarVM. [..]

Other papers on x86

• Stephen Dolan, mov is Turing-complete (caveat: one jmp is still necessary to complete the machine)
• Now implemented in a real compiler https://github.com/xoreaxeaxeax/movfuscator/ by Christopher Domas (@xoreaxeaxeax) (presented at Recon 2015). MOVfuscator uses a neat trick to get rid of the jmp for the global loop needed by Dolan's paper; now a program is pure MOVs!)
• keegan @ main is usually a function blog: x86 is Turing-complete with no registers

Games

• 0xabad1dea's Index of Weird Machines in Video Games

Other Lists

• Accidentally Turing-Complete, by Andreas Zwinkau