Fast and Efficient Deployment of Security Defenses Via Context Sensitive Decoding

Modern CPU cores translate instructions into internal instructions, often called micro-ops, to simplify CPU design and improve instruction throughput. In most known instances, however, this translation is static. This paper gives an overview of context-sensitive decoding (CSD), a technique that allows the micro-op translation to be customized based on the execution context or on particular hardware triggers. This enables rapid deployment of security defenses: the instruction stream can be changed without recompilation, translation, or interpretation of the original code. In addition, because the alternate decodings can be turned on and off as quickly as a single cycle, a defense can be deployed strategically on only those instructions that require it, minimizing performance overhead. In this work, CSD is paired with a novel machine-learning based attack detection mechanism, allowing the system to adapt the level of protection in the presence of suspected malicious code.

Keywords—security defense; microcode; side channel; attack detection
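The mechanism the abstract describes, as an added toy model (not the paper's design or code): a decoder that expands each instruction into micro-ops, switches to an alternate decoding only while a context bit is armed, and re-evaluates that bit every cycle from a stand-in detector. The instruction names, micro-op names, the "fence after load" defense, and the miss-ratio heuristic are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Static decoding: each ISA instruction always expands to the same micro-ops.
# Instruction names and micro-op names are constructed for this toy model.
STATIC_DECODE = {
    "load":   ["uop_agen", "uop_ld"],
    "store":  ["uop_agen", "uop_st"],
    "add":    ["uop_alu"],
    "branch": ["uop_br"],
}

# Alternate decodings used only while the defense is armed. The extra
# serialising micro-op after loads is an illustrative defense, not the paper's.
HARDENED_DECODE = {
    "load": ["uop_agen", "uop_ld", "uop_fence"],
}

@dataclass
class Decoder:
    armed: bool = False                      # context bit; may change every cycle
    trace: list = field(default_factory=list)

    def decode(self, instr):
        if self.armed and instr in HARDENED_DECODE:
            uops = HARDENED_DECODE[instr]    # alternate decoding for this instr only
        else:
            uops = STATIC_DECODE[instr]      # unchanged static translation
        self.trace.extend(uops)
        return uops

def suspicious(counters, threshold=0.5):
    """Stand-in for the ML detector: a high cache-miss ratio arms the defense.
    Constructed heuristic over a performance-counter snapshot."""
    return counters["misses"] / max(counters["accesses"], 1) > threshold

def run(program, snapshots, policy="csd"):
    """Decode `program` under a policy ("csd", "always", "never") and return
    the micro-op trace. snapshots: one counter dict per instruction (constructed)."""
    dec = Decoder()
    for instr, counters in zip(program, snapshots):
        if policy == "csd":
            dec.armed = suspicious(counters)  # re-evaluated each cycle
        else:
            dec.armed = policy == "always"
        dec.decode(instr)
    return dec.trace

def fence_count(trace):
    """Overhead proxy: number of defense micro-ops inserted into the stream."""
    return trace.count("uop_fence")
```

Comparing `fence_count` under "csd" against "always" shows the overhead saving from arming the alternate decoding only on instructions executed while the detector flags suspicious behaviour.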
