MaDMAN: Detection of Software Attacks Targeting Hardware Vulnerabilities

Abstract: The increasing complexity of modern microprocessors created new attack areas. Attackers exploit these areas using Software Attacks Targeting Hardware Vulnerabilities (SATHV) such as Cache Side-Channel, Spectre, and Rowhammer attacks. These attacks target the microarchitecture to extract privileged information. As their target is the hardware, antivirus programs cannot detect them. But, they modify the normal behavior of the microarchitecture. Modern systems are equipped with hardware performance counters (HPCs… Show more

“…Limited dataset: Botacin et al [4] recently discuss about the use of limited dataset to detect microarchitectural attacks and other kind of malwares with ML algorithms. In order to circumvent this issue, we choose to use evasive attacks based on techniques proposed in [27]. These include the insertion of N OP or sleep instructions in between sensitive tasks to modify the output counts to range closer to normal behavior.…”

“…However, LSTMs are resource-intensive MLs, and while a 3.5% performance overhead is not high for server or desktop environments, it can pose limitations when deployed in an IoT device, as resources are limited. Decreasing the frequency of HPC extraction and ML deployment can reduce the overheads, but as shown in [27], in this case the ML algorithms might be vulnerable to evasive attacks, i.e., attacks whose behavior is modified in a way that the extracted HPCs are closer to the normal behavior.…”

“…Each core of the processor provides 84 HPCs and enables the extraction of measurements from six registers simultaneously. As proposed in [27], we extract measurements from the HPC registers each 1ms to be able to detect cache attacks integrating eviction techniques. A dedicated kernel module mainly based on assembly code was used to extract the samples in order to limit the performance overhead.…”

“…These include CacheSCA variants, Spectre variants, Meltdown, and Rowhammer. Also, we include obfuscated (evasive) variants as suggested in [27] by inserting nop or sleep instructions in the attack code to hide malicious activity. Most of these attacks are publicly available from github [24], [35], [14], [25], [6], [30], [5] and modified to be able to run on the targeted processor.…”

“…Since microarchitectural attacks directly exploit hardware, a number of works [10], [23], [33], [27] rely on Hardware Performance Counters (HPCs) to detect these attacks. HPCs are special core registers found in most modern processors.…”

A Hybrid Solution for Constrained Devices to Detect Microarchitectural Attacks

“…Limited dataset: Botacin et al [4] recently discuss about the use of limited dataset to detect microarchitectural attacks and other kind of malwares with ML algorithms. In order to circumvent this issue, we choose to use evasive attacks based on techniques proposed in [27]. These include the insertion of N OP or sleep instructions in between sensitive tasks to modify the output counts to range closer to normal behavior.…”

“…However, LSTMs are resource-intensive MLs, and while a 3.5% performance overhead is not high for server or desktop environments, it can pose limitations when deployed in an IoT device, as resources are limited. Decreasing the frequency of HPC extraction and ML deployment can reduce the overheads, but as shown in [27], in this case the ML algorithms might be vulnerable to evasive attacks, i.e., attacks whose behavior is modified in a way that the extracted HPCs are closer to the normal behavior.…”

“…Each core of the processor provides 84 HPCs and enables the extraction of measurements from six registers simultaneously. As proposed in [27], we extract measurements from the HPC registers each 1ms to be able to detect cache attacks integrating eviction techniques. A dedicated kernel module mainly based on assembly code was used to extract the samples in order to limit the performance overhead.…”

“…These include CacheSCA variants, Spectre variants, Meltdown, and Rowhammer. Also, we include obfuscated (evasive) variants as suggested in [27] by inserting nop or sleep instructions in the attack code to hide malicious activity. Most of these attacks are publicly available from github [24], [35], [14], [25], [6], [30], [5] and modified to be able to run on the targeted processor.…”

“…Since microarchitectural attacks directly exploit hardware, a number of works [10], [23], [33], [27] rely on Hardware Performance Counters (HPCs) to detect these attacks. HPCs are special core registers found in most modern processors.…”

A Hybrid Solution for Constrained Devices to Detect Microarchitectural Attacks

SoK: Can We Really Detect Cache Side-Channel Attacks by Monitoring Performance Counters?

A Survey of Bit-Flip Attacks on Deep Neural Network and Corresponding Defense Methods