By Thomas S. Benjamin, Jeffery A. Eitel, Jesse Elwell, Dmitry Evtyushkin, Abhrajit Ghosh, and Angelo Sapello

Side-channel attacks, such as Spectre, rely on properties of modern CPUs that permit discovery of microarchitectural state via timing of various operations. The Weird Machine concept is an increasingly popular model for characterization of execution that arises from side effects of conventional computing constructs. In this work, we introduce microarchitectural weird machines (µWM), code constructions that allow performing computation through the means of side effects and conflicts between microarchitectual entities such as branch predictors and caches. The results of such computations are observed as timing variations in the execution of instructions that interact with these side effects. We demonstrate how µWMs can be used as a powerful obfuscation engine where computation operates using events unobservable to conventional anti-obfuscation tools based on emulation, debugging, and static and dynamic analysis techniques. We present a practical example in which we use a µWM to obfuscate malware code such that its passive operation is invisible to an observer with full power to view the architectural state of the system until the code receives a trigger. When the trigger is received, the malware decrypts and executes its payload. To show the effectiveness of obfuscation, we demonstrate its use in the concealment and subsequent execution of a payload that creates a reverse shell. In the full version of this work, we also demonstrate a payload that exfiltrates a shadow password file. We then demonstrate the generality of μWMs by showing that they can be used to reliably perform non-trivial computation by implementing a SHA-1 hash function.