Perform a case study of ISA extension impact on inspecting a Machine Learning application

[thixotropist]

Suppose we had to inspect a Machine Learning or LLM app for malware. Would the presence of ISA extensions like vector instructions make the inspection materially harder? We'll use the whisper.cpp voice-to-text application as the first exemplar, compiling it for various riscv64 and x86_64 platforms:

• riscv-64 gcc-13 with no vector ISA support
• riscv-64 gcc-14 with vector ISA support
• riscv-64 gcc-14 with vector and vendor-custom ISA support
• x86-64 gcc-14 with - march profiles x86-64-v2, x86-64-v3, and x86-64-v4

In each case we will use the recommended whisper.cpp compilation options -O3 and -ffast-math. As a stretch goal, we might run all versions through BSIM analysis, hoping that the platform variations do not hugely impact BSIM similarity vectors.

Note: whisper.cpp source includes many riscv-64 vector intrinsic functions. The source code is relatively new, with unclear levels of testing and verification

[thixotropist]

Let's refine the goals a bit:

• This is a C++ application using libstdc++. Are the vector instruction insertions materially more complicated than known RE challenges like C++ vtables and inheritance?
• malware isn't likely to mutate tensor math routines where many of the more complicated vector instruction sequences may be found. Perhaps we can teach Ghidra users to recognize the more common vector expansions of memcpy or strcpy where vulnerabilities may be lurking?

[thixotropist]

Preliminary results:

• whisper.cpp is a C++ application, but most of the work in done within ggml C functions. We don't get a clean comparison of vector and C++ vtable complexities here.
• whisper.cpp contains some explicit riscv-64 intrinsics in its source code. By far the majority of the vector instructions are compiler (gcc-14) generated due to loop autovectorization. Ghidra users likely would have to learn to recognize the basic vector load/store, type conversion, and reduction instruction patterns. That's not as hard as it sounds.