Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters

Carnà, Stefano; Ferracci, Serena; Quaglia, Francesco; Pellegrini, Alessandro

doi:10.1145/3519601

Cited by 7 publications

(9 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hardware introspection capabilities provided by HPCs are suitable to address multiple security challenges, 46,47 ranging from the identification of return‐oriented programming attacks 48 to the detection of several exploits of side‐channel vulnerabilities 49,50 . Furthermore, the design of countermeasures for new transient execution vulnerabilities 51 present in most processors required new strategies featured by hardware instrumentation 52,53 to observe the stealth activities performed by attackers, also in a system‐wide fashion 4 . All these works highlight the relevance of PMUs as a support for the online profiling of applications.…”

Section: Related Workmentioning

confidence: 99%

“…Moreover, perf contains an anti‐trashing detector that reduces the profiling frequency rate if the interrupt routine experiences a delay over a defined threshold. However, this mechanism introduces a degree of indeterminism that cannot be easily quantified and that, depending on the objective for which PMU data are used, may be unacceptable—like for the case of security based on the hardware footprint left by the running software 4 …”

Section: Experimental Assessmentmentioning

confidence: 99%

“…49,50 Furthermore, the design of countermeasures for new transient execution vulnerabilities 51 present in most processors required new strategies featured by hardware instrumentation 52,53 to observe the stealth activities performed by attackers, also in a system-wide fashion. 4 All these works highlight the relevance of PMUs as a support for the online profiling of applications. Nevertheless, carrying out this kind of activity might incur severe performance penalties.…”

Section: Related Workmentioning

confidence: 99%

“…While HPCs have been available since very old architectures like Intel Pentium and AMD Athlon, their importance has made them see a considerable expansion over the last decades. In fact, they have been used not only to profile the execution of software in terms of actual hardware reactiveness and achievable performance, 1 or for relating software execution to power and energy consumption, 2,3 but also to support security 4 or specific functional tasks 5 thus offloading them from software modules.…”

Section: Introductionmentioning

confidence: 99%

“…Furthermore, as we also show in our experimental analysis, they can lose PMU samples under the high frequency of their production, which can be undesirable in specific application contexts, like, for example, PMU exploitation for security. 4 Hence, how to cope with all the aforementioned aspects in the context of online exploitation of HPCs is still an ongoing research activity.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Strategies and software support for the management of hardware performance counters

Carnà

Marotta²,

Pellegrini

et al. 2023

Softw Pract Exp

View full text Add to dashboard Cite

Hardware performance counters (HPCs) are facilities offered by most off‐the‐shelf CPU architectures. They are a vital support to post‐mortem performance profiling and are exploited by standard tools such as Linux or Intel V‐Tune. Nevertheless, an increasing number of application domains (e.g., simulation, task‐based high‐performance computing, or cybersecurity) are exploiting them to perform different activities, such as self‐tuning, autonomic optimization, and/or system inspection. This repurposing of HPCs can be difficult, for example, because of the overhead for extracting relevant information. This overhead might render any online or self‐tuning activity ineffective. This article discusses various practical strategies to exploit HPCs beyond post‐mortem profiling, suitable for different application contexts. The presented strategies are accompanied by a general primer on HPCs usage on Linux. We also provide reference x86 (both Intel and AMD) implementations targeting the Linux kernel, upon which we present an experimental assessment of the viability of our proposals.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Experimental Assessmentmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Strategies and software support for the management of hardware performance counters

Carnà

Marotta²,

Pellegrini

et al. 2023

Softw Pract Exp

View full text Add to dashboard Cite

show abstract

A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing

Park,

Choi,

Choi

et al. 2024

Sci Rep

View full text Add to dashboard Cite

As IoT devices are being widely used, malicious code is increasingly appearing in Linux environments. Sophisticated Linux malware employs various evasive techniques to deter analysis. The embedded trace microcell (ETM) supported by modern Arm CPUs is a suitable hardware tracer for analyzing evasive malware because it is almost artifact-free and has negligible overhead. In this paper, we present an efficient method to automatically find debugger-detection routines using the ETM hardware tracer. The proposed scheme reconstructs the execution flow of the compiled binary code from ETM trace data. In addition, it automatically identifies and patches the debugger-detection routine by comparing two traces (with and without the debugger). The proposed method was implemented using the Ghidra plug-in program, which is one of the most widely used disassemblers. To verify its effectiveness, 15 debugger-detection techniques were investigated in the Arm-Linux environment to determine whether they could be detected. We also confirmed that our implementation works successfully for the popular malicious Mirai malware in Linux. Experiments were further conducted on 423 malware samples collected from the Internet, demonstrating that our implementation works well for real malware samples.

show abstract

Special Session: Security and RAS in the Computing Continuum

Alonso,

Andreu,

Canal

et al. 2024

2024 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT)

View full text Add to dashboard Cite

Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters

Cited by 7 publications

References 50 publications

Strategies and software support for the management of hardware performance counters

Strategies and software support for the management of hardware performance counters

A practical approach for finding anti-debugging routines in the Arm-Linux using hardware tracing

Special Session: Security and RAS in the Computing Continuum

Contact Info

Product

Resources

About