by raimue 1325 days ago
It would be easier to intercept the open() for the /proc/cpuinfo file with an LD_PRELOAD library. Of course that would still be detectable by the benchmark. You could also use a modified libc to spoof it. Then their only way out would be static linking.

You could even just modify the kernel to report arbitrary strings in /proc/cpuinfo.

So they use the CPUID instruction instead. The CPUID instruction can be trapped to throw a SIGSEGV instead of returning real values on x86 with arch_prctl(ARCH_SET_CPUID, 0). So an injected SIGSEGV handler could then spoof it.

But even then, you could also trap the CPUID instruction in the kernel, and spoof it from there, which would be even harder to detect from user space.

In the end, the benchmark program always needs to trust the kernel. Is it really worth trying to detect spoofing?
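
The two user-space layers the comment mentions can be checked from inside the process; this is an added example, not part of the original comment. The function names and the sample environment block (including `/tmp/fakecpu.so`) are constructed for illustration, and `ARCH_GET_CPUID` is the query counterpart of the `ARCH_SET_CPUID` call named above.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef ARCH_GET_CPUID
#define ARCH_GET_CPUID 0x1011   /* value from <asm/prctl.h>, Linux 4.12+ */
#endif

/* Constructed sample in /proc/<pid>/environ format (NUL-separated). */
const char sample_env[] = "PATH=/usr/bin\0LD_PRELOAD=/tmp/fakecpu.so\0HOME=/root";

/* Return the value of a non-empty LD_PRELOAD entry in a NUL-separated
 * environment block, or NULL. An unterminated final entry is ignored. */
const char *find_ld_preload(const char *env, size_t len)
{
    for (size_t i = 0; i < len; ) {
        size_t n = strnlen(env + i, len - i);
        if (n > 11 && i + n < len && strncmp(env + i, "LD_PRELOAD=", 11) == 0)
            return env + i + 11;
        i += n + 1;
    }
    return NULL;
}

/* 1: CPUID executes normally; 0: CPUID faulting is enabled for this thread
 * (the instruction raises SIGSEGV); -1: not x86-64 or the kernel cannot say. */
int cpuid_trap_state(void)
{
#if defined(__x86_64__) && defined(SYS_arch_prctl)
    long r = syscall(SYS_arch_prctl, ARCH_GET_CPUID, 0UL);
    return (r == 0 || r == 1) ? (int)r : -1;
#else
    return -1;
#endif
}

int main(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/self/environ", "r");
    size_t len = f ? fread(buf, 1, sizeof buf, f) : 0;
    if (f) fclose(f);
    const char *p = find_ld_preload(buf, len);
    printf("LD_PRELOAD: %s\n", p ? p : "(not set)");
    printf("CPUID trap state: %d\n", cpuid_trap_state());
    printf("sample: %s\n", find_ld_preload(sample_env, sizeof sample_env));
    return 0;
}
```

Both results come from the kernel, so neither check sees spoofing done in the kernel itself.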