Yuhui ZHU

Modern out-of-order CPUs heavily rely on speculative execution for performance optimization, with branch prediction serving as a cornerstone to minimize stalls and maximize efficiency. Whenever shared branch prediction resources lack proper isolation and sanitization methods, they may originate security vulnerabilities that expose sensitive data across different software contexts. This paper examines the fundamental components of modern Branch Prediction Units (BPUs) and investigates how resource sharing and contention affect two widely implemented but underdocumented features: Bias-Free Branch Prediction and Branch History Speculation. Our analysis demonstrates that these BPU features, while designed to enhance speculative execution efficiency through more accurate branch histories, can also introduce significant security risks. We show that these features can inadvertently modify the Branch History Buffer (BHB) update behavior and create new primitives that trigger malicious mis-speculations. This discovery exposes previously unknown cross-privilege attack surfaces for Branch History Injection (BHI). Based on these findings, we present three novel attack primitives: two Spectre attacks, namely Spectre-BSE and Spectre-BHS, and a cross-privilege control flow side-channel attack called BiasScope. Our research identifies corresponding patterns of vulnerable control flows and demonstrates exploitation on multiple processors. Finally, Chimera is presented: an attack demonstrator based on eBPF for a variant of Spectre-BHS that is capable of leaking kernel memory contents at 24,628 bit/s.

One of the innovations brought by Mirai and its derived malware is the adoption of self-contained loaders for infecting IoT devices and recruiting them in botnets. Functionally decoupled from other botnet components and not embedded in the payload, loaders cannot be analysed using conventional approaches that rely on honeypots for capturing samples. Different approaches are necessary for studying the loaders evolution and defining a genealogy. To address the insufficient knowledge about loaders’ lineage in existing studies, in this paper, we propose a semantic-aware method to measure, categorize, and compare different loader servers, with the goal of highlighting their evolution, independent from the payload evolution. Leveraging behavior-based metrics, we cluster the discovered loaders and define eight families to determine the genealogy and draw a homology map. Our study shows that the source code of Mirai is evolving and spawning new botnets with new capabilities, both on the client side and the server side. In turn, shedding light on the infection loaders can help the cybersecurity community to improve detection and prevention tools.

IoT devices have been affected by fundamental security flaws in recent years, rendering them exposed to various threats and viruses, particularly IoT botnets. In contrast to conventional malware on desktop computers and Android, heterogeneous processor architecture constraints on IoT devices pose various challenges to researchers. Traditional methodologies are challenging to apply because of the IoT’s unique properties, such as resource-constrained devices, enormous volumes of data, and the requirement of real-time detection. Then it proposes a lightweight framework to detect IoT botnet and botnet families. The framework operates with bot behavior data over a simple yet effective learning based method named Extreme Learning Machine. For IoT botnet detection, the experimental results demonstrate that the suggested technique achieves accuracy, precision, and recall of 97.7%, 97.1%, and 97.1%, respectively. The detection performance of botnet families is inspiring. Furthermore, a comparison of our framework to other current approaches reveals that it produces better results, particularly in terms of the training time, which gives it a considerable edge over other learning-based methods.