Security breaches as PMU deviation: detecting and identifying security attacks using performance counters

  • Authors: Liwei Yuan; Weichao Xing; Haibo Chen; Binyu Zang
  • Affiliations: Fudan University; Fudan University; Fudan University; Fudan University
  • Venue: Proceedings of the Second Asia-Pacific Workshop on Systems
  • Year: 2011

Abstract

This paper considers and validates the applicability of leveraging pervasively-available performance counters for detecting and reasoning about security breaches. Our key observation is that many security breaches, which typically cause abnormal control flow, usually incur precisely identifiable deviation in performance samples captured by processors. Based on this observation, we implement a prototype system called Eunomia, which is the first non-intrusive system that can detect emerging attacks based on return-oriented programming without any changes to applications (either source or binary code) or special-purpose hardware. Our security evaluation shows that Eunomia can detect some realistic attacks including code-injection attacks, return-to-libc attacks and return-oriented programming attacks on unmodified binaries with relatively low overhead.