Hardware Performance Counters: Ready-Made vs Tailor-Made

Micro-architectural footprints can be used to distinguish one application from another. Most modern processors feature hardware performance counters to monitor the various micro-architectural events when an application is executing. These ready-made hardware performance counters can be used to create program fingerprints and have been shown to successfully differentiate between individual applications. In this paper, we demonstrate how ready-made hardware performance counters, due to their coarse-grain nature (low sampling rate and bundling of similar events, e.g., number of instructions instead of number of add instructions), are insufficient to this end. This observation motivates exploration of tailor-made hardware performance counters to capture fine-grain characteristics of the programs. As a case study, we evaluate both ready-made and tailor-made hardware performance counters using post-quantum cryptographic key encapsulation mechanism implementations. Machine learning models trained on tailor-made hardwareperformance counter streams demonstrate that they can uniquely identify the behavior of every post-quantum cryptographic key encapsulation mechanism algorithm with at least 98.99% accuracy.

[1]  Abraham Peedikayil Kuruvila,et al.  Defending Hardware-Based Malware Detectors Against Adversarial Attacks , 2020, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[2]  Ramesh Karri,et al.  Hardware Architectures for Post-Quantum Digital Signature Schemes , 2021 .

[3]  Kanad Basu,et al.  ND-HMDs: Non-Differentiable Hardware Malware Detectors against Evasive Transient Execution Attacks , 2020, 2020 IEEE 38th International Conference on Computer Design (ICCD).

[4]  Charalambos Konstantinou,et al.  Hardware-Assisted Detection of Firmware Attacks in Inverter-Based Cyberphysical Microgrids , 2020, ArXiv.

[5]  Kanad Basu,et al.  Analyzing the Efficiency of Machine Learning Classifiers in Hardware-Based Malware Detectors , 2020, 2020 IEEE Computer Society Annual Symposium on VLSI (ISVLSI).

[6]  Ramesh Karri,et al.  A Theoretical Study of Hardware Performance Counters-Based Malware Detection , 2020, IEEE Transactions on Information Forensics and Security.

[7]  Ramesh Karri,et al.  Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters , 2020, IEEE Transactions on Information Forensics and Security.

[8]  Ramesh Karri,et al.  Can Monitoring System State + Counting Custom Instruction Sequences Aid Malware Detection? , 2019, 2019 IEEE 28th Asian Test Symposium (ATS).

[9]  Thomas Eisenbarth,et al.  FortuneTeller: Predicting Microarchitectural Attacks via Unsupervised Deep Learning , 2019, ArXiv.

[10]  Avesta Sasan,et al.  Adversarial Attack on Microarchitectural Events based Malware Detectors , 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[11]  Manos Antonakakis,et al.  SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[12]  Avesta Sasan,et al.  2SMaRT: A Two-Stage Machine Learning-Based Approach for Run-Time Specialized Hardware-Assisted Malware Detection , 2019, 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[13]  Ramesh Karri,et al.  NIST Post-Quantum Cryptography- A Hardware Evaluation Study , 2019, IACR Cryptol. ePrint Arch..

[14]  Ingrid Verbauwhede,et al.  Saber on ARM: CCA-secure module lattice-based key encapsulation on ARM , 2018 .

[15]  Ingrid Verbauwhede,et al.  Saber on ARM CCA-secure module lattice-based key encapsulation on ARM , 2018, IACR Cryptol. ePrint Arch..

[16]  Avesta Sasan,et al.  Ensemble Learning for Effective Run-Time Hardware-Based Malware Detection: A Comprehensive Analysis and Classification , 2018, 2018 55th ACM/ESDA/IEEE Design Automation Conference (DAC).

[17]  Ajay Joshi,et al.  Hardware Performance Counters Can Detect Malware: Myth or Fact? , 2018, AsiaCCS.

[18]  Yiorgos Makris,et al.  Hardware-assisted rootkit detection via on-line statistical fingerprinting of process execution , 2018, 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[19]  Damien Stehlé,et al.  CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM , 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[20]  Paulo S. L. M. Barreto,et al.  BIKE: Bit Flipping Key Encapsulation , 2017 .

[21]  Avesta Sasan,et al.  Analyzing hardware based malware detectors , 2017, 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC).

[22]  P. Vinod,et al.  Heterogeneous Opcode Space for Metamorphic Malware Detection , 2017 .

[23]  Daniel J. Bernstein,et al.  conservative code-based cryptography , 2017 .

[24]  Yiorgos Makris,et al.  Hardware-Based Workload Forensics and Malware Detection in Microprocessors , 2016, 2016 17th International Workshop on Microprocessor and SOC Test and Verification (MTV).

[25]  Nael B. Abu-Ghazaleh,et al.  Hardware-Based Malware Detection Using Low-Level Architectural Features , 2016, IEEE Transactions on Computers.

[26]  Michail Maniatakos,et al.  Malicious Firmware Detection with Hardware Performance Counters , 2016, IEEE Transactions on Multi-Scale Computing Systems.

[27]  Yiorgos Makris,et al.  Hardware-based workload forensics: Process reconstruction via TLB monitoring , 2016, 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[28]  Ramesh Karri,et al.  Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing , 2016, ACM Trans. Archit. Code Optim..

[29]  Ramesh Karri,et al.  Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits , 2016, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[30]  Ramesh Karri,et al.  BRAIN: BehavioR Based Adaptive Intrusion Detection in Networks: Using Hardware Performance Counters to Detect DDoS Attacks , 2016, 2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems (VLSID).

[31]  Tanja Lange,et al.  NTRU Prime , 2016, IACR Cryptol. ePrint Arch..

[32]  Moti Yung,et al.  Cliptography: Clipping the Power of Kleptographic Attacks , 2016, ASIACRYPT.

[33]  Michail Maniatakos,et al.  ConFirm: Detecting firmware modifications in embedded systems using Hardware Performance Counters , 2015, 2015 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[34]  Nael B. Abu-Ghazaleh,et al.  Malware-aware processors: A framework for efficient online malware detection , 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[35]  Bruce Schneier,et al.  Surreptitiously Weakening Cryptographic Systems , 2015, IACR Cryptol. ePrint Arch..

[36]  Salvatore J. Stolfo,et al.  Unsupervised Anomaly-Based Malware Detection Using Hardware Features , 2014, RAID.

[37]  Salvatore J. Stolfo,et al.  On the feasibility of online malware detection with performance counters , 2013, ISCA.

[38]  Brian R. Richardson Uefi Secure Boot in Modern Computer Security Solutions , 2013 .

[39]  Ivan Martinovic,et al.  A Practical Man-In-The-Middle Attack on Signal-Based Key Generation Protocols , 2012, ESORICS.

[40]  Ramesh Karri,et al.  Are hardware performance counters a cost effective way for integrity checking of programs , 2011, STC '11.

[41]  Kangbin Yim,et al.  Malware Obfuscation Techniques: A Brief Survey , 2010, 2010 International Conference on Broadband, Wireless Computing, Communication and Applications.

[42]  Alexander Tereshkin Evil maid goes after PGP whole disk encryption , 2010, SIN.

[43]  Hiroyuki Tomiyama,et al.  Proposal and Quantitative Analysis of the CHStone Benchmark Program Suite for Practical C-based High-level Synthesis , 2009, J. Inf. Process..

[44]  Franco Callegati,et al.  Man-in-the-Middle Attack to the HTTPS Protocol , 2009, IEEE Security & Privacy Magazine.

[45]  Ingrid Verbauwhede,et al.  Exploiting Hardware Performance Counters , 2008, 2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography.

[46]  Trevor Mudge,et al.  MiBench: A free, commercially representative embedded benchmark suite , 2001 .

[47]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[48]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[49]  Robert Hecht-Nielsen,et al.  Theory of the backpropagation neural network , 1989, International 1989 Joint Conference on Neural Networks.