Hardware Events Research Articles

Using Hardware Events to Detect Side-Channel Attacks

The article discusses the monitoring system being developed by authors for the detection of Side-Channel Attacks, SCA. The theoretical justification of the chosen method of detecting SCA attacks is given: analysis of hardware events of the target system. The architecture of the monitoring system is described, including low-level data collection processes and an expert system that analyzes the collected data. The results of the proof-of-concept on various classes of SCA-attacks are presented. The paper considers a class of attacks on side-channels that use the processor cache to obtain secret information. A method of countering attacks of this class based on the use of a hardware event mechanism is proposed. As a result of the analysis of existing hardware events, predicates have been built for the Intel architecture, allowing one to identify the suspicious behavior of programs in the Linux OS environment. To test the proposed method, a prototype monitoring system was implemented that successfully coped with the detection of simulated SCA-attacks. The advantages and disadvantages of this method are considered, and the direction of further research is indicated.

Pac-Sim: Simulation of Multi-threaded Workloads using Intelligent, Live Sampling

High-performance, multi-core processors are the key to accelerating workloads in several application domains. To continue to scale performance at the limit of Moore’s Law and Dennard scaling, software and hardware designers have turned to dynamic solutions that adapt to the needs of applications in a transparent, automatic way. For example, modern hardware improves its performance and power efficiency by changing the hardware configuration, like the frequency and voltage of cores, according to a number of parameters, such as the technology used or the workload running at the time. With this level of dynamism, it is essential to simulate next-generation multi-core processors in a way that can both respond to system changes and accurately determine system performance metrics. Currently, no sampled simulation platform can achieve these goals of dynamic, fast, and accurate simulation of multi-threaded workloads. In this work, we propose a solution that allows for fast, accurate simulation in the presence of both hardware and software dynamism. To accomplish this goal, we present Pac-Sim, a novel sampled simulation methodology for fast, accurate sampled simulation that requires no upfront analysis of the workload. With our proposed methodology, it is now possible to simulate long-running dynamically scheduled multi-threaded programs with significant simulation speedups, even in the presence of dynamic hardware events. We evaluate Pac-Sim using the SPEC CPU2017, NPB, and PARSEC multi-threaded benchmarks with both static and dynamic thread scheduling. The experimental results show that Pac-Sim achieves a very low sampling error of 1.63% and 3.81% on average for statically and dynamically scheduled benchmarks, respectively. Pac-Sim also demonstrates significant simulation speedups as high as 523.5 × (210.3 × on average) for the training input set of SPEC CPU2017 running eight threads.

An Evaluation On The Entropy Supplying Capability Of Smartphone Sensors

Abstract Random numbers are very important for the security of computer system. However, generating qualified random numbers is difficult because we cannot always successfully introduce dedicated random number hardware into computer system. Although most operating systems provide random number generation capabilities, the effective entropy supply is still dependent on the hardware platform including memory and clocks etc. However, obtaining hardware events such as clocks requires system privileges, which is not conducive for entropy estimation at the application layer. In contrast, data related to the sensor hardware can be extracted directly at the application layer. These sensor data contain some randomness and may be used as a noise source. In this way, applications can use these sensors to implement their own proprietary random number generators. Before taking these sensors as the noise source, it is necessary to fully evaluate their entropy supply capability. In this paper, 300 Android smartphones and 30 iOS smartphones are selected as samples and their sensor entropy supply capabilities are comprehensively evaluated. Based on the entropy evaluation results, we give some suggestions on how to generate random numbers using these sensor data. We first design a framework for evaluating the entropy supply capability for smartphone sensors, based on the min-entropy estimation method proposed in NIST SP 800-90B. According to this framework, we simulate stationary and mobile working states for each smartphone, and collect sufficient sensor data as the min-entropy estimation dataset. The min-entropy estimation results show that in the stationary working state, each ACCELEROMETER sensor data collection can obtain at least 1.5 bits of entropy in Android, while each GYROSCOPE sensor data collection can obtain at least 20 bits of entropy in iOS. In the mobile working state, each ACCELEROMETER sensor data collection can obtain at least 1.9 bits of entropy, while each GYROSCOPE sensor data acquisition in iOS system can obtain at least 27 bits of entropy. This means that we can still get a stable entropy output from the sensor even when the smartphone is in stationary working state. Statistical analysis of the data using cross correlation methods suggests it is hard for an attacker to guess or predict the random numbers generated by a smartphone through another smartphone put in the similar external environment.

Investigating Black-Box Function Recognition Using Hardware Performance Counters

This paper presents new methods and results for recognising black-box program functions using hardware performance counters (HPC), where an investigator can invoke and measure function calls. Important use cases include analysing compiled libraries, e.g. static and dynamic link libraries, and trusted execution environment (TEE) applications. We develop a generic approach to classify a comprehensive set of hardware events, e.g. branch mis-predictions and instruction retirements, to recognise standard benchmarking and cryptographic library functions. This includes various signing, verification and hash functions, and ciphers in numerous modes of operation. Three architectures are evaluated using off-the-shelf Intel/X86-64, ARM, and RISC-V CPUs. Next, we show that several known CVE-numbered OpenSSL vulnerabilities can be detected using HPC differences between patched and unpatched library versions. Further, we demonstrate that standardised cryptographic functions within ARM TrustZone TEE applications can be recognised using non-secure world HPC measurements, applying to platforms that insecurely perturb the performance monitoring unit (PMU) during TEE execution. High accuracy was achieved in all cases (86.22–99.83%) depending on the application, architectural, and compilation assumptions. Lastly, we discuss mitigations, outstanding challenges, and directions for future research.

Precise Event Sampling on AMD Versus Intel: Quantitative and Qualitative Comparison

Precise event sampling is a profiling feature in commodity processors that can sample hardware events and accurately locate the instructions that trigger the events. This feature has been used in a large number of tools to detect application performance issues. Although precise event sampling is readily supported in modern multicore architectures, vendor supports exhibit great differences that affect their accuracy, stability, overhead, and functionality. This work presents the most comprehensive study to date on benchmarking the event sampling features of Intel PEBS and AMD IBS and performs in-depth analysis on key differences through series of microbenchmarks. Our qualitative and quantitative analysis shows that PEBS allows finer-grained and more accurate sampling of hardware events, while IBS offers richer set of information at each sample though it suffers from lower accuracy and stability. Moreover, OS signal delivery, which is a common method used by the profiling software, introduces significant time overhead to the original overhead incurred by the hardware mechanisms in both PEBS and IBS. We also found that both PEBS and IBS have bias in sampling events across multiple different locations in a code. Lastly, we demonstrate how our findings on microbenchmarks under different thread counts hold for a full-fledged profiling tool that runs on the state-of-the-art Intel and AMD machines. Overall our detailed comparisons serve as a great reference and provide invaluable information for hardware designers and profiling tool developers.

Security Analysis of Zigbee Protocol Implementation via Device-agnostic Fuzzing

Zigbee is widely adopted as a resource-efficient wireless protocol in the IoT network. IoT devices from manufacturers have recently been affected due to major vulnerabilities in Zigbee protocol implementations. Security testing of Zigbee protocol implementations is becoming increasingly important. However, applying existing vulnerability detection techniques such as fuzzing to the Zigbee protocol is not a simple task. Dealing with low-level hardware events still remains a big challenge. For the Zigbee protocol, which communicates over a radio channel, many existing protocol fuzzing tools lack a sufficient execution environment. To narrow the gap, we designed Z-Fuzzer , a device-agnostic fuzzing tool for detecting security flaws in Zigbee protocol implementations. To simulate Zigbee protocol execution, Z-Fuzzer leverages a commercial embedded device simulator with pre-defined peripherals and hardware interrupt setups to interact with the fuzzing engine. Z-Fuzzer generates more high-quality test cases with code-coverage heuristics. We compare Z-Fuzzer with advanced protocol fuzzing tools, BooFuzz and Peach fuzzer, on top of Z-Fuzzer’s simulation platform. Our findings suggest that Z-Fuzzer can achieve greater code coverage in Z-Stack, a widely used Zigbee protocol implementation. Compared to BooFuzz and Peach, Z-Fuzzer found more vulnerabilities with fewer test cases. Three of them have been assigned CVE IDs with high CVSS scores (7.5~8.2).

RT-Sniper: A Low-Overhead Defense Mechanism Pinpointing Cache Side-Channel Attacks

Since cache side-channel attacks have been serious security threats to multi-tenant systems, there have been several studies to protect systems against the attacks. However, the prior studies have limitations in determining only the existence of the attack and/or occupying too many computing resources in runtime. We propose a low-overhead pinpointing solution, called RT-Sniper, to overcome such limitations. RT-Sniper employs a two-level filtering mechanism to minimize performance overhead. It first monitors hardware events per core and isolates a suspected core to run a malicious process. Then among the processes running on the selected core, RT-Sniper pinpoints a malicious process through a per-process monitoring approach. With the core-level filtering, RT-Sniper has an advantage in overhead compared to the previous works. We evaluate RT-Sniper against Flush+Reload and Prime+Probe attacks running SPEC2017, LMBench, and PARSEC benchmarks on multi-core systems. Our evaluation demonstrates that the performance overhead by RT-Sniper is negligible (0.3% for single-threaded applications and 2.05% for multi-threaded applications). Compared to the previous defense solutions against cache side-channel attacks, RT-Sniper exhibits better detection performance with lower performance overhead.

A PE header-based method for malware detection using clustering and deep embedding techniques

Recent years have witnessed the dramatic growth of malware programs in a wide range of malicious intentions following the expansion of computer systems. Hence, highly effective systems to detect malware are extremely demanded. Most of the recent approaches use machine learning techniques along with the features extracted from files such as byte sequence, API-Calls, Op-Code sequence, and hardware events to detect malware. Utilizing the executable file header to extract features is a wide-spread way in this field since it contains efficient and prominent content to distinguish malware and benign programs. In this paper, a novel deep learning method is proposed to learn different embedding representations for malware and benign programs. To this end, the deep neural network uses a clustering algorithm in the training process. During the training process, samples are embedded through the neural network, and then the output of the neural network is fed into the k-means clustering algorithm, which is segmenting samples into two clusters of malware and benign. The network parameters are then updated based on the clustering result. By repeating this training process, the network representations and clustering assignments refine iteratively to the point that the network learns different representations for malware and benign programs. The proposed method utilizes raw bytes of the PE files header. Due to the lightweight network and utilizing the raw byte, which is fast to extract, the proposed method has a considerably low-computational overhead, and a set of experiments showed that this method is highly fast to use as a real-time malware detection method with high performance.

A novel method for malware detection based on hardware events using deep neural networks

A novel method for malware detection based on hardware events using deep neural networks

Exploiting Hardware Events to Reduce Energy Consumption of HPC Systems

Exploiting Hardware Events to Reduce Energy Consumption of HPC Systems

Establishment of AIRS climate-level radiometric stability using radiance anomaly retrievals of minor gases and sea surface temperature

Abstract. Temperature, H2O, and O3 profiles, as well as CO2, N2O, CH4, chlorofluorocarbon-12 (CFC-12), and sea surface temperature (SST) scalar anomalies are computed using a clear subset of AIRS observations over ocean for the first 16 years of NASA's Earth-Observing Satellite (EOS) Aqua Atmospheric Infrared Sounder (AIRS) operation. The AIRS Level-1c radiances are averaged over 16 d and 40 equal-area zonal bins and then converted to brightness temperature anomalies. Geophysical anomalies are retrieved from the brightness temperature anomalies using a relatively standard optimal estimation approach. The CO2, N2O, CH4, and CFC-12 anomalies are derived by applying a vertically uniform multiplicative shift to each gas in order to obtain an estimate for the gas mixing ratio. The minor-gas anomalies are compared to the National Oceanic and Atmospheric Administration (NOAA) Earth System Research Laboratory (ESRL) in situ values and used to estimate the radiometric stability of the AIRS radiances. Similarly, the retrieved SST anomalies are compared to the SST values used in the ERA-Interim reanalysis and to NOAA's Optimum Interpolation SST (OISST) product. These intercomparisons strongly suggest that many AIRS channels are stable to better than 0.02 to 0.03 K per decade, well below climate trend levels, indicating that the AIRS blackbody is not drifting. However, detailed examination of the anomaly retrieval residuals (observed – computed) shows various small unphysical shifts that correspond to AIRS hardware events (shutdowns, etc.). Some examples are given highlighting how the AIRS radiance stability could be improved, especially for channels sensitive to N2O and CH4. The AIRS shortwave channels exhibit larger drifts that make them unsuitable for climate trending, and they are avoided in this work. The AIRS Level 2 surface temperature retrievals only use shortwave channels. We summarize how these shortwave drifts impacts recently published comparisons of AIRS surface temperature trends to other surface climatologies.

HRM: Merging Hardware Event Monitors for Improved Timing Analysis of Complex MPSoCs

The performance monitoring unit (PMU) in multiprocessor system-on-chips (MPSoCs) is at the heart of the latest measurement-based timing analysis techniques in critical embedded systems. In particular, hardware event monitors (HEMs) in the PMU are used as building blocks in the process of budgeting and verifying software timing by tracking and controlling access counts to shared resources. While the number of HEMs in current MPSoCs reaches hundreds, they are read via performance monitoring counters whose number is usually limited to 4-8, thus requiring multiple runs of each experiment in order to collect all desired HEMs. Despite the effort of engineers in controlling the execution conditions of each experiment, the complexity of current MPSoCs makes it arguably impossible to completely remove the noise affecting each run. As a result, HEMs read in different runs are subject to different variability, and hence, those HEMs captured in different runs cannot be “blindly” merged. In this work, we focus on the NXP T2080 platform where we observed up to 59% variability across different runs of the same experiment for some relevant HEMs (e.g., processor cycles). We develop a HEM reading and merging (HRM) approach to join reliably HEMs across different runs as a fundamental element of any measurement-based timing budgeting and verification technique. Our method builds on order statistics and the selection of an anchor HEM read in all runs to derive the most plausible combination of HEM readings that keep the distribution of each HEM and their relationship with the anchor HEM intact.

Performance Assessment of Deep Learning Frameworks through Metrics of CPU Hardware Exploitation on an Embedded Platform

In this paper, we analyze heterogeneous performance exhibited by some popular deep learning software frameworks for visual inference on a resource-constrained hardware platform. Benchmarking of Caffe, OpenCV, TensorFlow, and Caffe2 is performed on the same set of convolutional neural networks in terms of instantaneous throughput, power consumption, memory footprint, and CPU utilization. To understand the resulting dissimilar behavior, we thoroughly examine how the resources in the processor are differently exploited by these frameworks. We demonstrate that a strong correlation exists between hardware events occurring in the processor and inference performance. The proposed hardware-aware analysis aims to find limitations and bottlenecks emerging from the joint interaction of frameworks and networks on a particular CPU-based platform. This provides insight into introducing suitable modifications in both types of components to enhance their global performance. It also facilitates the selection of frameworks and networks among a large diversity of these components available these days for visual understanding.

Predicting and reining in application-level slowdown on spatial multitasking GPUs

Predicting performance degradation of a GPU application at co-location on a spatial multitasking GPU without prior application knowledge is essential in public Clouds. Prior work mainly targets CPU co-location, and is inaccurate and/or inefficient for predicting performance of applications at co-location on spatial multitasking GPUs. Our investigation shows that hardware event statistics caused by co-located applications strongly correlate with their slowdowns. Based on this observation, we present Themis with a kernel slowdown model (Themis-KSM), which performs precise and efficient online application slowdown prediction without prior application knowledge. The kernel slowdown model is trained offline. When new applications co-run, Themis-KSM collects event statistics and predicts their slowdowns simultaneously. In addition, we also propose a two-stage slowdown prediction mechanism (Themis-TSP) for real-system GPUs without any hardware modification. Our evaluation shows that Themis has negligible runtime overhead, and both Themis-KSM and Themis-TSP can precisely predict application-level slowdown with prediction error smaller than 9.5% and 12.8%, respectively. Based on Themis, we also implement an SM allocation engine to rein in application slowdown at co-location. Case studies show that the engine successfully enforces fair sharing and QoS.

Interference Analysis of Co-Located Container Workloads: A Perspective from Hardware Performance Counters

Workload characterization is critical for resource management and scheduling. Recently, with the fast development of container technique, more and more cloud service providers like Google and Alibaba adopt containers to provide cloud services, due to the low overheads. However, the characteristics of co-located diverse services (e.g., interactive on-line services, off-line computing services) running in containers are still not clear. In this paper, we present a comprehensive analysis of the characteristics of co-located workloads running in containers on the same server from the perspective of hardware events. Our study quantifies and reveals the system behavior from the micro-architecture level when workloads are running in different co-location patterns. Through the analysis of typical hardware events, we provide recommended/unrecommended co-location workload patterns which provide valuable deployment suggestions for datacenter administrators.

KVMInspector: KVM Based introspection approach to detect malware in cloud environment

Cloud security is of paramount importance in this new era of computing. There are various security challenges in which researchers are still working on. Malware detection is one such domain. However, most of the work, mainly focuses on In-VM security techniques which can be evaded easily by malicious users. In this paper, we have proposed a dynamic analysis based introspection approach, called KVMInspector to detect malware in KVM-based cloud environment. The KVMInspector is deployed both inside and outside the VM at the KVM-layer and hence is more robust to attacks. LibVMI and Nitro libraries are used to extract the low-level details of a running virtual machine by viewing its memory, trapping hardware events, and accessing the vCPU registers from KVM. The KVMInspector first performs the process verification at KVM layer to provide a basic security check. After then, a detailed behaviour analysis is carried out to learn the dynamic (run-time) behaviour of the monitored programs using machine learning techniques as an advanced security check. A preliminary analysis has been performed using University of New Maxico (UNM) & University of California dataset and results seem to be promising.

Intra- and inter-core power modelling for single-ISA heterogeneous processors

This research presents a systematic methodology for producing accurate power models for single instruction set architecture (ISA) heterogeneous processors. We use the hardware event counters from the processor performance monitoring unit (PMU) to accurately capture the CPU states and ordinary least squares (OLS), assisted by automated event selection algorithms, to compute the power models. Several estimators for single-thread and multi-thread benchmarks are proposed capable of performing power predictions across different frequency levels for one processor as well as between the heterogeneous processors with less than 3% error. The models are compared to related work showing significant improvement in accuracy and good computational efficiency which makes them suitable for run-time deployment.

Interference-aware co-scheduling method based on classification of application characteristics from hardware performance counter using data mining

Computational scientists and engineers who are eager to obtain the best performance of scientific applications need efficient application characterization methods to successfully exploit high-performance hardware resources. However, modern processors are accompanied by high-bandwidth on-chip memory or a large number of cores. Therefore, application characterization research that takes into account the newly introduced hardware features in next-generation high performance computing environments is insufficient and complex. In this paper, we propose a simple and fast method to classify the application characteristics in systems state-of-the-art processors using hardware performance counters. The proposed method utilizes hardware performance counters to monitor hardware events related to system performance. A clustering approach is adopted that requires limited understanding of the correlation between hardware events and application characteristics. The application characterization technique is applied to NAS parallel benchmarks in two systems, including Intel Knights Landing and SkyLake Xeon processors. We demonstrate that the proposed techniques can capture system and application characteristics and provide users with useful insights into application execution.

Context-Sensitive Decoding: On-Demand Microcode Customization for Security and Energy Management

Modern instruction set decoders feature translation of native instructions into internal micro-ops to simplify the CPU design and improve instruction-level parallelism. However, this translation is static in most known instances. This paper proposes context-sensitive decoding, a technique that enables customization of the micro-op translation based on the current execution context and/or preset hardware events. Further, it can transition between different translation modes rapidly. While there are many potential applications, this paper demonstrates its effectiveness with two use cases: 1) as a novel security defense to thwart instruction/data cache-based side-channel attacks; and 2) as a power management technique that performs selective devectorization to enable efficient unit-level power gating.

Time-Randomized Wormhole NoCs for Critical Applications

Wormhole-based NoCs (wNoCs) are widely accepted in high-performance domains as the most appropriate solution to interconnect an increasing number of cores in the chip. However, wNoCs suitability in the context of critical real-time applications has not been demonstrated yet. In this article, in the context of probabilistic timing analysis (PTA), we propose a PTA-compatible wNoC design that provides tight time-composable contention bounds. The proposed wNoC design builds on PTA ability to reason in probabilistic terms about hardware events impacting execution time (e.g., wNoC contention), discarding those sequences of events occurring with a negligible low probability. This allows our wNoC design to deliver improved guaranteed performance w.r.t. conventional time-deterministic setups. Our results show that performance guarantees of applications running on top of probabilistic wNoC designs improve by 40% and 93% on average for 4 × 4 and 6 × 6 wNoC setups, respectively.