sok the challenges pitfalls and perils of using hardware
play

SoK: The Challenges, Pitfalls, and Perils of Using Hardware - PowerPoint PPT Presentation

Nov 06, 2022 •242 likes •529 views

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security Sanjeev Das , Jan Werner, Manos Antonakakis, Michalis Polychronakis, and Fabian Monrose SoK: The Challenges, Pitfalls, and Perils of Using Hardware

  1. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security Sanjeev Das , Jan Werner, Manos Antonakakis, Michalis Polychronakis, and Fabian Monrose

  2. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 2 Hardware Performance Counters

  3. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 3 • Available in processors for over two decades • Monitor and measure hardware events, e.g.: • Instruction retired, cycles • Memory accesses • Cache hits/misses • Translation look-aside buffer hits/misses

  4. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 4 • Myriad of applications: • Software Profiling • Debugging • High Performance Computing • Power Analysis • Sharp rise in security domain

  5. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 5 • HPCs provide a good foundation for measuring micro- architectural information (e.g., branch misses, cache misses) • Low performance overhead

  6. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 6 Recent Security Applications SIGDROP: Signature-based ROP Detection using Hardware Performance Counters. Wang et al. [arXiv’16] Who Watches the Watchmen?: Utilizing On the feasibility of online malware Performance Monitors for Compromising detection with performance counters. Keys of RSA on Intel Platforms , Demme et al., SIGARCH, 2013. Bhattacharya et al.[CHES’15] Hardware-Assisted Rootkits : Abusing Performance Counters on the ARM and x86 Architectures. Spisak et al. [WOOT’16]

  7. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 7 Recent Security Applications Detecting Spectre And Meltdown Using Hardware Performance Counters . Pierce, Endgame Inc., Jan. 08, 2018 Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters . Fiser & Gamazo Sanchez, Trend Micro Inc., 2018 Detecting Spectre Attacks by identifying Cache Side-Channel Attacks using Machine Learning . Depoix et al. [WAMOS, 2018 ]

  8. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 8 Impetus of this SoK paper: Can we use HPCs as a foundation for thwarting Data Only Attacks?

  9. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 9 Challenges • Which events should we measure? • There are HUNDREDS of HPC events • How are the events related to each other? • Is there a standard way to collect HPC measurements? • What framework should we use? • Collection techniques vary widely

  10. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 10 • Non-determinism issue in HPCs • “ Can hardware performance counters be trusted? ” Weaver & McKee, Workload Characterization, 2008 • Lack of application-level profiling • No process-level filtering of HPC data at the hardware level

  11. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 11 Did other researchers also notice these pitfalls?

  12. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 12 • We analyzed nearly 100 papers from • Debugging di ff erent application domains • Power Analysis • Performance Analysis • Security • We also conducted a survey: • Sent questionnaire to authors • After repeated attempts, response was 28%

  13. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 13 Findings Non-security domains • We examined 56 papers that acknowledged non-determinism issues from non-security application domains No Yes • Painstakingly evaluated if they recommended 45% 55% using HPCs • 45% of the papers did not, because of lack of determinism and portability

  14. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 14 Findings • Of the 40 security papers that used HPCs • Only 10% acknowledge non- determinism issues • Acceptance of HPCs in security is in stark contrast to other domains Can hardware performance counters be trusted? Weaver & McKee, Workload Characterization, 2008

  15. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 15 Common Failures • Mishandling of performance counter data • Lack of process-level filtering • Ignoring non-determinism issues • Skid • Over/under-counting of events

  16. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 16 Handling of HPC Data • Limited number of programmable counters • Configuration • done in kernel mode by reading and writing into model specific registers (MSRs) • Two modes : Polling vs Sampling

  17. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 17 Handling of HPC Data Event-based sampling using Performance Monitoring Interrupt (PMI) 1.Configure events in sampling mode, e.g., N instructions retired 2. Program begin execution 3. PMI is generated N instructions 4. At interrupt, read counter values

  18. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 18 Mishandling of HPC Data Filtering of processes at performance monitoring interrupt (PMI) Fix : Save HPC Restore HPC Context switch Context switch Process B Process A Process A PMI PMI Noise from process B Loss of events’ count • Thankfully, there is an easy fix • Some papers applied this fix, but many didn’t

  19. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 19 Non-determinism: Skid • In sampling mode: E.g., sampling every N DTLB misses • Late delivery of PMI (due to skid) 0 N 2N 3N leads to variation in measurements • Fingerprint of an application may PMI PMI disappear (e.g., Data only attacks) N+30 N+10 skid skid Program execution “Hardware performance monitoring for the rest of us: a position and survey” Moseley et al., Network and Parallel Computing, 2011

  20. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 20 Non-determinism: Overcount • We revisited the non-determinism issues based on the seminal work by Weaver & McKee [IWC, 2008] • Several problems fixed, but some old issues persist even today • New problem: page faults

  21. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 21 Why do these issues matter from a security perspective?

  22. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 22 • Improper use of HPC in security applications can be disastrous • Incorrect data collection can impact the correctness of an approach • An adversary can manipulate events (e.g., via page faults) to undermine defenses

  23. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 23 Case Study: Malware Classification Malware (14 families), Benign app (IE) • Approach • State of the art temporal model by Tang et al. [RAID’14] • Sampling using PMI every N instructions retired • Events — store micro-operations, indirect call, mispredicted return and return instructions

  24. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 24 Results Filtering process at PMI Saving HPCs at Context switches • Incorrect HPC data collection significantly impacts detection accuracy • Larger question: are HPCs a good foundation for malware detection? • “Hardware Performance Counters Can Detect Malware: Myth or Fact?” [Zhou et al., AsiaCCS, 2018]

  25. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 25 Case Study: ROP Detection • Approach • State of the art [Wang & Backer, arXiv, 2016] • For a given number of return misses, and number of instructions retired < = threshold INC EDX; POP EDI; INC EDX; POP ESI; INC EAX; POP EBP; INC ECX; POP EBP; INC ECX; POP EDI; RET RET RET RET RET RET Gadgets ROP Attack! = Ins. Ret. Instruction = 4 Instruction = 7 Instruction = 2 Instruction = 0 Instruction = 16 Instruction = 13 Instruction = 10 Return = 5 Return = 6 Return = 4 Return = 3 Return = 2 Return = 1 Return = 0

  26. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, S&P’19 26 Case Study: ROP Detection Results • Irrespective of parameter choices, non-determinism can be leveraged by an adversary to bypass the ROP detection INC EDX; Init. Manipulator Manipulator INC EAX; POP EBP; INC ECX; RET RET Gadget Gadget Gadget RET Gadgets = No ROP detected! Ins. Ret. Instruction = 0 Instruction = 4 Instruction = 2 Instruction = 516 Instruction = 513 Instruction = 260 Instruction = 257 Return = 6 Return = 5 Return = 4 Return = 3 Return = 2 Return = 1 Return = 0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Welcome to Pace Law School A conference celebrating its past, acknowledging its perils, and anticipating its promise. Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law Update Patricia E. Salkin,

1.39k views • 78 slides
The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko

The Promises and Pitfalls of Hardware-Assisted Security Alexandra Dmitrienko Julius-Maximilians-Universitt Wrzburg alexandra.dmitrienko@uni-wuerzburg.de SEPTEMBER 9 13, 2019 CROSSING Summer School on Sustainable Security &amp; Privacy

2.37k views • 187 slides
Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of Perception | October 2015 | FINAL | Public 1 Business contributes the largest proportion of tax of any group of tax payers (29%), yet people massively

270 views • 14 slides
Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification,

Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification,

Presenting a live 90-minute webinar with interactive Q&amp;A Cloud Computing: E-Discovery Challenges Best Practices to Minimize Pitfalls in Identification, Preservation and Collection of ESI WEDNESDAY, OCTOBER 24, 2012 1pm Eastern | 12pm

865 views • 74 slides
BRINGING PEOPLE TO THE TABLE PITFALLS AND CHALLENGES OF COLLABORATIVE ORGANIZING Andrew Thomas

BRINGING PEOPLE TO THE TABLE PITFALLS AND CHALLENGES OF COLLABORATIVE ORGANIZING Andrew Thomas

BRINGING PEOPLE TO THE TABLE PITFALLS AND CHALLENGES OF COLLABORATIVE ORGANIZING Andrew Thomas Fundraising &amp; Membership Director WHY BOTHER WORKING TOGETHER? A camel is a horse designed by a committee What does this mean to folks here?

358 views • 12 slides
Making Collaboration Work Key Considerations, Challenges &amp; Pitfalls Ian Conner CPO

Making Collaboration Work Key Considerations, Challenges &amp; Pitfalls Ian Conner CPO

Making Collaboration Work Key Considerations, Challenges &amp; Pitfalls Ian Conner CPO Strategic Procurement Service Southwest One February 16th 2011 Agenda Southwest One who are we? Collaboration Its the next big thing

570 views • 21 slides
QS Domain: Challenges and Pitfalls Knut Mller UCB Biosciences Conference 2011 October 9th -

QS Domain: Challenges and Pitfalls Knut Mller UCB Biosciences Conference 2011 October 9th -

QS Domain: Challenges and Pitfalls Knut Mller UCB Biosciences Conference 2011 October 9th - 12th, Brighton UK Alun, living with Parkinsons disease Overview Introduction PRO data from source to analysis Data perspective

613 views • 20 slides
The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication (Its the way you tell it..) www.iapf.ie More confusion and more complaints result from poor communication than from almost any other single

408 views • 18 slides
Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise Single Infusion Therapy for TRD, Suicidal in Psychiatric Practice Ideation, PTSD Continuation Therapy Sanjay J. Mathew, MD The Perils

577 views • 9 slides
Committee of the whole House and beyond Outline What is committee of the whole House (CWH)?

Committee of the whole House and beyond Outline What is committee of the whole House (CWH)?

Committee of the whole House and beyond Outline What is committee of the whole House (CWH)? The role of officials Pitfalls, pratfalls, and perils Limits on what CWH can do Amendments admissibility, order of consideration,

632 views • 12 slides
What are the Pitfalls for Bangladesh? Presented by Towfiqul Islam Khan Research Fellow, CPD 10

What are the Pitfalls for Bangladesh? Presented by Towfiqul Islam Khan Research Fellow, CPD 10

Public Dialogue on Bangladeshs Graduation from the LDC Group Pitfalls and Promises Session Three: Graduating in a Brave New World Pursuing a Graduation Strategy within the Global and Regional Environment What are the Pitfalls for

650 views • 24 slides
Challenges of the VR Web Low level API to interface with VR hardware. What is Input :

Challenges of the VR Web Low level API to interface with VR hardware. What is Input :

Challenges of the VR Web Low level API to interface with VR hardware. What is Input : Access to headset and WebVR? controllers pose. Output: Efficient and versatile mechanism to send pixels to the headset display (high FPS and low

409 views • 13 slides
Measuring of homelessness in Belgium: pitfalls and challenges Prof. dr. Koen Hermans Belgian

Measuring of homelessness in Belgium: pitfalls and challenges Prof. dr. Koen Hermans Belgian

Measuring of homelessness in Belgium: pitfalls and challenges Prof. dr. Koen Hermans Belgian homelessness policies Federal level : Social assistance Health care (including mental health care) Regional level : Housing

76 views • 7 slides
Pitfalls in Using a case based approach, we will Arrhythmias review pitfalls in management of:

Pitfalls in Using a case based approach, we will Arrhythmias review pitfalls in management of:

Goals Pitfalls in Using a case based approach, we will Arrhythmias review pitfalls in management of: Tachydysrhythmias Jeffrey Tabas, M.D. Narrow Wide Professor of Emergency Medicine Bradydysrhythmias Director of Outcomes and

438 views • 19 slides
Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin

Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin

Part I Security Challenges in Automotive Hardware/Software Architecture Design Martin Lukasiewycz TUM CREATE Singapore Outline Motivation (current E/E architectures) Trends (Integrated Architectures / Connected Car) Challenges Overview

496 views • 23 slides
Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE ADVENTURES OF THE ENERGY BILL On March 4, 2004 the Chairman of the Senate Energy Committee, Pete Domenici (R-NM), stated that he hopes Congress can

181 views • 7 slides
Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up!

2/21/2018 Meltdown an and Sp Spectre vu vuln lnerabili litie ies th the ch chall llenge is is up! Jos van Eijndhoven Synopsys {040CODERS.nl} Meetup 20180215 Jos van Eijndhoven Profession: IC design tools, Hobby: Processor design

545 views • 15 slides
Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Advanced Systems Security: Hardware Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Hardware Security Trent Jaeger

703 views • 46 slides
Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to

arXiv:1801.01207 What is meltdown? Meltdown is a hardware exploit that allows unprivileged user to access system memory . Meltdown takes advantage of speculative execution , in particular its ability to meltdown security barrier

369 views • 8 slides
Lecture 23: Cache, Memory, Security Todays topics: Caching policies Main memory

Lecture 23: Cache, Memory, Security Todays topics: Caching policies Main memory

Lecture 23: Cache, Memory, Security Todays topics: Caching policies Main memory system Hardware security intro 1 Cache Misses On a write miss, you may either choose to bring the block into the cache (write-allocate) or

460 views • 11 slides
IMPROVE YOUR SECURITY POSTURE A RED TEAM PERSPECTIVE TIM MEDIN tim@redsiege.com BE LAZY NOT

IMPROVE YOUR SECURITY POSTURE A RED TEAM PERSPECTIVE TIM MEDIN tim@redsiege.com BE LAZY NOT

IMPROVE YOUR SECURITY POSTURE A RED TEAM PERSPECTIVE TIM MEDIN tim@redsiege.com BE LAZY NOT APT JUST PT EQUIFAX CIS CONTROL 1 &amp; 2 INVENTORY PHISHING 101 WEB FILTER UNKNOWN NEW UNCATEGORIZED FINDING A DOMAIN STOP ATTACHMENTS

1.11k views • 31 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica&lt;on to other processes

568 views • 15 slides
SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS

PIOTR PADLEWSKI KRZYSZTOF PSZENICZNY SOUND DEVIRTUALIZATION LLVM DEVMTG18 SOUND DEVIRTUALIZATION WHAT ARE VIRTUAL CALLS Polymorphism in OOP %vtable = load {} %p %vfun = load {} %vtable call {} %vfun(args) LLVM DEVMTG18

537 views • 25 slides

More recommend