Are hardware performance counters a cost effective way for integrity checking of programs

In this paper, we propose to use hardware performance counters (HPC) to detect malicious program modifications at load time (static) and at runtime (dynamic). HPC have been used for program characterization and testing, system testing and performance evaluation, and as side channels. We propose to use HPCs for static and dynamic integrity checking of programs.. The main advantage of HPC-based integrity checking is that it is almost free in terms of hardware cost; HPCs are built into almost all processors. The runtime performance overhead is minimal because we use the operating system for integrity checking, which is called anyway for process scheduling and other interrupts. Our preliminary results confirm that HPC very efficiently detect program modifications with very low cost.

[1]  Ralf H. Reussner,et al.  Analysing the fidelity of measurements performed with hardware performance counters , 2011, ICPE '11.

[2]  Miodrag Potkonjak,et al.  Enabling trusted software integrity , 2002, ASPLOS X.

[3]  Sergey Bratus,et al.  TOCTOU, Traps, and Trusted Computing , 2008, TRUST.

[4]  Hod Lipson,et al.  Distilling Free-Form Natural Laws from Experimental Data , 2009, Science.

[5]  Leah H. Jamieson,et al.  Establishing the Genuinity of Remote Computer Systems , 2003, USENIX Security Symposium.

[6]  Calton Pu,et al.  Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[7]  Ruby B. Lee,et al.  Runtime execution monitoring (REM) to detect and prevent malicious code execution , 2004, IEEE International Conference on Computer Design: VLSI in Computers and Processors, 2004. ICCD 2004. Proceedings..

[8]  Lieven Eeckhout,et al.  Comparing Benchmarks Using Key Microarchitecture-Independent Characteristics , 2006, 2006 IEEE International Symposium on Workload Characterization.

[9]  J. Doug Tygar,et al.  Side Effects Are Not Sufficient to Authenticate Software , 2004, USENIX Security Symposium.

[10]  Simha Sethumadhavan,et al.  Rapid identification of architectural bottlenecks via precise event counting , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).

[11]  Kirk W. Cameron,et al.  Instruction-level characterization of scientific computing applications using hardware performance counters , 1998, Workload Characterization: Methodology and Case Studies. Based on the First Workshop on Workload Characterization.

[12]  Ingrid Verbauwhede,et al.  Exploiting Hardware Performance Counters , 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[13]  Cemal Yilmaz Using Hardware Performance Counters for Fault Localization , 2010, 2010 Second International Conference on Advances in System Testing and Validation Lifecycle.

[14]  Minhua Ma,et al.  Detecting Return-to-libc Buffer Overflow Attacks Using Network Intrusion Detection Systems , 2010, 2010 Fourth International Conference on Digital Society.

[15]  Alok N. Choudhary,et al.  CODESSEAL: Compiler/FPGA Approach to Secure Applications , 2005, ISI.

[16]  Alexander Tereshkin Evil maid goes after PGP whole disk encryption , 2010, SIN.

[17]  John Paul Shen,et al.  Processor Control Flow Monitoring Using Signatured Instruction Streams , 1987, IEEE Transactions on Computers.

[18]  Sally A. McKee,et al.  Can hardware performance counters be trusted? , 2008, 2008 IEEE International Symposium on Workload Characterization.

[19]  Brad Calder,et al.  Phase tracking and prediction , 2003, ISCA '03.