tevador / randomx-sniffer

Proof of concept tool to detect RandomX cryptojacking malware on Windows
Creative Commons Zero v1.0 Universal

Better scan strategy #1

Open fireice-uk opened 4 years ago

fireice-uk commented 4 years ago

Hi! Something right up my alley.

The current scan strategy can be bypassed by rearranging FLOPS into blocks and setting mxcsr before and after those blocks; it won't change unless you hit on that block exactly.

You probably want to add a secondary detection method. Did you consider taking entropy measurement of xmm and regular regs?

tevador commented 4 years ago

The current scan strategy can be bypassed by rearranging FLOPS into blocks and setting mxcsr before and after those blocks; it won't change unless you hit on that block exactly.

This could decrease the chance of detection, but I'd say the probability of hitting a non-default rounding mode would still be substantial even if you rearrange the FLOPs and keep the required MXCSR value only for the minimum time possible. The miner is running RandomX code around 90% of the time and roughly a third of that are floating point ops.

Also note that the programs contain branches and some FP operations have a dependency on integer registers (via a memory address), so you can't lump all FLOPs into one block. Additionally, ldmxcsr is a very slow instruction.

Did you consider taking entropy measurement of xmm and regular regs?

Yeah, that could be used as a secondary heuristic.

fireice-uk commented 4 years ago

One other strategy I thought up while making coffee would be to check process memory mappings for contiguous 2.1GB high-entropy areas.
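As an added example (not code from randomx-sniffer or either commenter), here are the two heuristics from this thread side by side: tevador's current scan, which samples each thread's MXCSR rounding-control bits, and fireice-uk's idea of looking for a contiguous ~2 GB high-entropy mapping. The MXCSR samples and memory regions are constructed inputs; on Windows they would come from GetThreadContext and VirtualQueryEx, which is assumed rather than shown.

```python
import math
from collections import Counter

MXCSR_DEFAULT = 0x1F80  # x86-64 reset value: round-to-nearest, all SSE exceptions masked
RC_NAMES = {0: "nearest", 1: "down", 2: "up", 3: "toward-zero"}
GiB = 1024 ** 3

def rounding_mode(mxcsr: int) -> str:
    """Decode the MXCSR rounding-control field (bits 13-14)."""
    return RC_NAMES[(mxcsr >> 13) & 0b11]

def rounding_hits(mxcsr_samples) -> int:
    """Count samples whose rounding mode is not the default; ordinary code leaves it
    there, RandomX's CFROUND does not. Blocked FLOPs shrink the window, so sample often."""
    return sum(1 for m in mxcsr_samples if rounding_mode(m) != "nearest")

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def merge_contiguous(regions):
    """regions: (base, size, sampled_bytes) tuples sorted by base. Adjacent mappings
    are merged so a dataset reported as several memory blocks still counts as one area."""
    merged = []
    for base, size, sample in regions:
        if merged and merged[-1][0] + merged[-1][1] == base:
            pbase, psize, psample = merged[-1]
            merged[-1] = (pbase, psize + size, psample + sample)
        else:
            merged.append((base, size, sample))
    return merged

def large_high_entropy_region(regions, min_size=2 * GiB, min_entropy=7.9) -> bool:
    """The memory-mapping heuristic: a contiguous area of at least min_size bytes
    whose sampled contents look random (threshold just under the ~2.1 GB mentioned)."""
    return any(size >= min_size and shannon_entropy(sample) >= min_entropy
               for _, size, sample in merge_contiguous(regions))

def scan_verdict(mxcsr_samples, regions, min_hits=1) -> bool:
    """Flag a process if either heuristic fires."""
    return rounding_hits(mxcsr_samples) >= min_hits or large_high_entropy_region(regions)

# Constructed sample input (no live process is inspected).
RANDOM_LIKE = bytes(range(256)) * 16        # stand-in for dataset contents, entropy 8.0
ZEROS = bytes(4096)                          # stand-in for an ordinary zeroed heap page
SUSPECT_REGIONS = [(0x10000000, GiB, RANDOM_LIKE),
                   (0x10000000 + GiB, GiB + 64 * 1024 ** 2, RANDOM_LIKE)]  # adjacent, ~2.06 GiB
BENIGN_REGIONS = [(0x10000000, 64 * 1024 ** 2, ZEROS), (0x20000000, GiB, RANDOM_LIKE)]
SUSPECT_MXCSR = [MXCSR_DEFAULT, MXCSR_DEFAULT | (3 << 13), MXCSR_DEFAULT]  # one toward-zero hit
```

`scan_verdict(SUSPECT_MXCSR, SUSPECT_REGIONS)` is True and `scan_verdict([MXCSR_DEFAULT] * 3, BENIGN_REGIONS)` is False; a single rounding-mode hit is enough here, which is the point tevador makes about repeated sampling.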

monero101 commented 4 years ago
  1. by emulating floating point operations using integer math and losing >95% of performance in the process
  2. by modifying the operating system

There is a much easier way to bypass this detection, but I can't disclose it at the moment.