Minecraft, the popular video game first released in 2009, has grown a cult following over the past decade. The ultimate goal of Minecraft is to defeat the Ender Dragon, the achievement of which requires mining, farming, and collecting materials to craft special items. Over play time, there is an accumulation of knowledge and articles to gain unique in-game capabilities. Players can discover how to craft magical potions, golden apples, diamond armor, and so much more. Whereas good games have a mission, exceptional games let the player live. Minecraft is a great game, you can ignore the goal and craft a remarkable world without ever entering the End.
Minecraft makes the user feel as though they are transported back in time to play a retro-pixelated video game. However, what the game lacks in more advanced graphics is made up in player mechanics and freedom. Minecraft allows the creation of basic circuits to create a wide range of custom machines such as simple trap doors or complex spawn collectors rendering monsters. Minecraft’s intellectual appeal – the ability to construct a world in a fashion similar to coding an early 80s computer – has kept the game relevant.
A master crafter, SammyURI, has developed an 8-bit CPU within the Minecraft game – a computer-implemented inside of a video game. SammyURI is the second person ever to craft a CPU in Minecraft. This second processor’s feature set is on-par with an 80s RISC processor. To demonstrate the CPU, SammyURI developed a few video games, too. The whole package took seven months to develop. In just seven months, one person used basic building blocks to create a virtual CPU – it’s a fantastic feat.
Nonetheless, just as SammyURI has learned to develop a computer within a video game, hackers have learned how to develop new spyware that operates within our devices.
A new spyware sample, ForcedEntry, was recovered by a Canadian laboratory called Citizen Lab. Citizen Lab has a large mandate: the lab ran out of the University of Toronto studies technology that potentially affects the openness of the Internet and threats to human rights. The researchers tracking commercial surveillance organizations provided the ForcedEntry sample to Google’s educational research group, Project Zero, for further analysis. In Project Zero’s opinion, the spyware contains characteristics that link the spyware to NSO Group’s Pegasus package. If produced by NSO Group, ForcedEntry will be the most complex malware developed by a non-Nation-State actor.
The spyware hooks into Apple’s iMessage via PDF parser defect – this is not unusual. Complex code is usually the weak link, but what is unusual is that the spyware logic implements a Turing-complete circuit system, a computer inside an app. The spyware is able to evade detection and attack without user interaction, a so-called zero-click attack. It utilizes the circuit system of software gates to do its malicious activity.
Researchers have been marveling at the effort involved in building such a beast. There is a preconceived notion that businesses view everything through a simple return on investment (ROI) lens. Nation-State actors are not burdened with a ruthless profitability motivation. Therefore, in many people’s minds, it is unusual for a business to build such a beast. Attacks are generally implemented as a much simpler, minimal viable attack tool — this attack tool is a bit overkill.
In an alternative view, it was a business decision to invest in this tool to protect and increase the company’s ROI. It’s well known that zero-day vulnerabilities trade for millions of dollars, but these million-dollar paydays require working proof of concept code. It’s not easy protecting intellectual property in the espionage market, there’s no honor among thieves. This architecture should be easy to harden and uniquely fingerprint a circuit instruction set for each customer account. Indeed, such a beast will be challenging to reverse engineer.
The beast, of course, can be repurposed to any target that consumes PDF files without meddling with the instruction engine – virtualized portable malware. Obvious targets are printers: load malicious PDF onto SD Card, then – bing, bong, boom – the printer is pwned. Anything with a browser and other media devices are viable targets. Less obvious targets will be cameras due to feature bloat. It’s not difficult to imagine the software’s elasticity allows porting the basic engine to other media types than PDF files, or various modes of transport to increase the total addressable market, for an even greater ROI.
Do current mitigation methods work? Let’s consider a favorite threat pattern: thread grooming. The victim is running multiple threads in a process. Each thread has its unique stack and context, nothing unusual. The shell code locks the libC’s mutex – libC’s mutex is a recursive mutex; therefore, a thread can relock without a deadlock. All sibling threads will eventually be frozen after some execution time – for example, heap allocation (malloc/free) uses the libC mutex. An attacker identifies victim threads running-state by a stack fingerprint. Attackers can safely replace the existing stack with a manipulated stack, release the libC mutex, and the newly zombified threads resume.
This attack technique bypasses solutions that monitor flash memory changes – the computer running inside the computer is running out of RAM – so no flash changes are required. Control-flow Integrity (CFI) solutions typically ignore libraries, so it’s trivial to bypass this mitigation method. A bolt-on CFI that utilizes allow-lists to detect ROP/JOP attacks will be foiled, too. Build-time shadow stacks are victimized by tainting the extra stack simultaneously under lock. Solutions that randomize code layout are easy to attack, too: they require an additional step to walk the stack to determine flow pattern with function fingerprinting.
One approach to help mitigate against using libC mutex to launch an attack is to not allow code outside of the libC to lock or unlock the libC mutex, as unlocked running threads are harder to groom. Atomic-by-nature data structures and algorithms would be safer since mutexes are unnecessary. This helps but doesn’t entirely mitigate the problem; attackers can cause a block on network I/O in some situations, and an application-level mutexes can be abused as well for locking threads. Control-Flow Monitoring developed by Dellfer mitigates thread grooming threats by understanding the source code under protection and enforcing its control flow graph at the kernel.
As crypto-expert Bruce Schneier has posited many times, “Attacks only get better, they never get worse.” Not long ago, today’s commonly available polymorphism and ROP gadget tools had been considered Nation-State tradecraft. Our world will shatter if anyone dares to recursively spawn a Minecraft CPU within Minecraft while running in the ForcedEntry circuit running on a Minecraft CPU. For, as Dellfer advisor Bob Pasker surmises, “It’s gates all the way down.”
See DENSO’s SAE WCX Technical Paper, Zero-Day Attack Defenses and Test Framework for Connected Mobility ECUs. DellferizeTM your code to mitigate against advanced, emerging threats.
Links
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html