Security breaches as PMU deviation: detecting and identifying security attacks using performance counters

Authors:
Liwei Yuan;Weichao Xing;Haibo Chen;Binyu Zang
Affiliations:
Fudan University;Fudan University;Fudan University;Fudan University
Venue:
Proceedings of the Second Asia-Pacific Workshop on Systems
Year:
2011

Citing 11
Cited 4

ProfileMe: hardware support for instruction-level profiling on out-of-order processors

MICRO 30 Proceedings of the 30th annual ACM/IEEE international symposium on Microarchitecture
Distributed caching with memcached

Linux Journal
Minos: Control Data Attack Prevention Orthogonal to Memory Model

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
From Speculation to Security: Practical and Efficient Information Flow Tracking Using Speculative Hardware

ISCA '08 Proceedings of the 35th Annual International Symposium on Computer Architecture
Dynamic integrity measurement and attestation: towards defense against return-oriented programming attacks

Proceedings of the 2009 ACM workshop on Scalable trusted computing
Control flow obfuscation with information flow tracking

Proceedings of the 42nd Annual IEEE/ACM International Symposium on Microarchitecture
Monitoring for security intrusion using performance signatures

Proceedings of the first joint WOSP/SIPEW international conference on Performance engineering
Defeating return-oriented rootkits with "Return-Less" kernels

Proceedings of the 5th European conference on Computer systems
Return-oriented rootkits: bypassing kernel code integrity protection mechanisms

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Return-oriented programming without returns

Proceedings of the 17th ACM conference on Computer and communications security

Production-run software failure diagnosis via hardware performance counters

Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems
Run-time control flow authentication: an assessment on contemporary x86 platforms

Proceedings of the 28th Annual ACM Symposium on Applied Computing
Transparent ROP exploit mitigation using indirect branch tracing

SEC'13 Proceedings of the 22nd USENIX conference on Security
Leveraging the short-term memory of hardware to diagnose production-run software failures

Proceedings of the 19th international conference on Architectural support for programming languages and operating systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper considers and validates the applicability of leveraging pervasively-available performance counters for detecting and reasoning about security breaches. Our key observation is that many security breaches, which typically cause abnormal control flow, usually incur precisely identifiable deviation in performance samples captured by processors. Based on this observation, we implement a prototype system called Eunomia, which is the first non-intrusive system that can detect emerging attacks based on return-oriented programming without any changes to applications (either source or binary code) or special-purpose hardware. Our security evaluation shows that Eunomia can detect some realistic attacks including code-injection attacks, return-to-libc attacks and return-oriented programming attacks on unmodified binaries with relatively low overhead.