New Hack Code Can Hijack CPUs

A new hack can steal CPU time without being noticed!

Three researchers have described a new kind of attack against Linux, Windows and Unix.

Ahead of the international IT security conference USENIX Security ’07 in Boston this August, three of the presenters published the paper Secretly Monopolizing the CPU Without Superuser Privileges.

The trio, Dan Tsafrir, Yoav Etsion and Dror G. Feitelson, are all affiliated with the School of Computer Science and Engineering at the Hebrew University of Jerusalem. One of them, Tsafrir, is also with IBM’s Watson Research Center in New York.

The paper shows how to build a program that consumes CPU time in a way the OS’s accounting never sees. The consumption is effectively invisible: the CPU time the program uses is billed to the other, “normal” processes running at the same time, so the OS’s own usage statistics and any monitoring built on top of them are bypassed. The program needs no superuser (administrator) privileges.

The method can be used to build a tool that runs any program while its CPU usage stays hidden from the OS, and consequently from any anti-virus or other security software that relies on the OS’s accounting. Note what is hidden: the process itself still appears in the process list, but its CPU consumption shows as zero.

The tool is named “Cheat” and is controlled through the command:

cheat p prog

Here “prog” is any program/app to run, and “p” is the percentage of CPU time to hijack for it.

Most of today’s operating systems (OSs) drive their scheduling with a periodic clock interrupt called a “tick”, fired at fixed intervals. Depending on the OS, the time between ticks is 1–15 milliseconds.
At each tick the OS looks at which process is currently running and charges it for the whole interval since the previous tick; that sample is all it knows about who used the CPU.

The attack therefore makes sure that any program run by Cheat goes to sleep just before every tick and is only active in the interval between ticks, so it is never the process caught running when the sample is taken. The OSs do have mechanisms that should prevent this, but the researchers explain how these can be bypassed, even by programs without any special privileges.

The picture below illustrates the procedure:

Cheat - CPU Hacking illustration

The Cheat process is marked red. “Clock interrupt” is the tick. “Billed” marks the process the OS charges for the CPU time, including the time Cheat actually used.

Cheat works on Linux 2.4, Linux 2.6 (whose tick mechanism changed compared with 2.4), BSD, the Unix variants Solaris, AIX, HP-UX and IRIX, and Windows. It does not work on OSs whose scheduling does not rely on tick sampling, such as real-time systems like QNX, and Mac OS.

Experiments show that Cheat can capture 80% of the CPU time without the OS or any security tool noticing. The processes that actually used the remaining 20% get “billed” for the whole tick interval, i.e. for 100%. Varying the percentage “p” on the Cheat command line also showed that the cheater received almost exactly the CPU share it asked for.

All kinds of horror scenarios can be imagined if an attacker succeeds with Cheat. An intelligent attack would use only a small percentage of the CPU time to avoid suspicion. Only your imagination limits the kind of damage that could be done: PCs can act as zombies, sensitive information could be stolen, services sabotaged, online banking interrupted, data falsified or exfiltrated, and so on.

To defeat Cheat, the OSs need to change both how they account for CPU time and how scheduling decisions are based on it, the researchers say. They also show that both Solaris and Windows already have more precise accounting mechanisms than tick sampling, yet Cheat still gets through because the schedulers do not act on that precise data when choosing which process to run.
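To make the accounting flaw concrete, here is a small simulation, added for this article; it is not the researchers’ Cheat tool and not code from the paper. It models a 1 ms tick, a cheater that wakes right after each tick, runs for its share p of the interval and then sleeps, and ordinary CPU-bound processes that take the rest. With tick sampling, the process on the CPU when the clock interrupt fires is billed for the whole interval, as in the description and figure above; the precise flag instead bills measured run time at every context switch, the kind of accounting change the researchers call for. The 1 ms tick, the process names, the round-robin order and the scenario function are assumptions made for the example.

```python
"""Tick-based CPU accounting versus a sleep-before-the-tick cheater.

Added illustration for this article; not the researchers' Cheat tool.
Assumptions: a 1 ms tick (HZ=1000), cheaters that wake right after each
tick, run for their share of the interval and then sleep, and ordinary
CPU-bound processes that receive the remainder in round-robin order.
"""
from dataclasses import dataclass

TICK_US = 1000  # assumed tick length in microseconds (1 ms)


@dataclass
class Proc:
    name: str
    cheater: bool = False
    share: float = 0.0   # fraction of each tick interval a cheater runs before sleeping
    used_us: int = 0     # CPU time the process really consumed
    billed_us: int = 0   # CPU time the kernel's accounting credits to it


def simulate(procs, ticks=1000, tick_us=TICK_US, precise=False):
    """Schedule `procs` over `ticks` intervals and account for their CPU time.

    precise=False: tick sampling. At each clock interrupt the kernel bills the
    whole interval to whichever process is running at that instant.
    precise=True:  the kernel reads a high-resolution clock at every context
    switch and bills the measured run time, so nothing is misattributed.
    """
    cheaters = [p for p in procs if p.cheater]
    normals = [p for p in procs if not p.cheater]
    for p in procs:
        p.used_us = p.billed_us = 0
    rr = 0  # round-robin cursor over the ordinary processes
    for _ in range(ticks):
        elapsed = 0
        running_at_tick = None
        # Cheaters wake immediately after the tick and run back to back.
        for c in cheaters:
            run = min(round(c.share * tick_us), tick_us - elapsed)
            c.used_us += run
            if precise:
                c.billed_us += run
            elapsed += run
            if elapsed >= tick_us:
                running_at_tick = c  # too greedy: still on the CPU when the tick fires
                break
        # Whatever is left goes to one ordinary process, which is therefore the
        # one caught running at the next clock interrupt.
        if elapsed < tick_us and normals:
            victim = normals[rr % len(normals)]
            rr += 1
            run = tick_us - elapsed
            victim.used_us += run
            if precise:
                victim.billed_us += run
            running_at_tick = victim
        if not precise and running_at_tick is not None:
            running_at_tick.billed_us += tick_us  # sampled: billed for the whole interval
    return procs


def report(procs, ticks=1000, tick_us=TICK_US):
    """Map each process name to (actual CPU share, billed CPU share)."""
    total = ticks * tick_us
    return {p.name: (round(p.used_us / total, 3), round(p.billed_us / total, 3))
            for p in procs}


def run_scenario(share=0.8, ticks=1000, precise=False):
    """Constructed scenario: one cheater with share `share` and two CPU-bound workers."""
    procs = [Proc("cheat", cheater=True, share=share), Proc("worker-a"), Proc("worker-b")]
    return report(simulate(procs, ticks=ticks, precise=precise), ticks=ticks)


if __name__ == "__main__":
    for precise in (False, True):
        print("==", "precise accounting" if precise else "tick sampling", "==")
        for name, (used, billed) in run_scenario(0.8, precise=precise).items():
            print(f"{name:10s} used {used:6.1%}  billed {billed:6.1%}")
```

Running the module with p = 0.8 and two ordinary processes shows the cheater billed 0% under tick sampling and 80% under precise accounting, while each worker is billed 50% for the 10% it actually used. A cheater that asks for 100% is caught, because it is still on the CPU when the tick fires. Precise accounting corrects the numbers; whether the scheduler then acts on them is a separate question.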

In an experiment where Linux was patched with more accurate CPU accounting, a Cheat process set to hijack 80% of the CPU time still managed to get 46%.

The researchers stress that the schedulers in Windows, Linux and BSD, tuned for CPU-intensive multimedia and interactive workloads that sleep often, make Cheat’s job even easier: a process that sleeps before every tick looks exactly like such a workload and is rewarded with priority. They propose changes to these systems that would expose Cheat.

Until then, any PC on which an attacker can already run an unprivileged program is at risk from an intelligent “cheater” that uses up your CPU time without the usage ever being noticed… Scary
