Hardware Performance Counters Research Articles

Detecting Hardware Trojans in PCBs Using Side Channel Loopbacks

Malicious modifications to printed circuit boards (PCBs) are known as hardware Trojans. These may arise when malafide third parties alter PCBs premanufacturing or postmanufacturing and are a concern in safety-critical applications, such as industrial control systems. In this research, we examine how data-driven detection can be utilized to detect such Trojans at run-time. We develop a flexible and reconfigurable PCB test bed derived from the popular open-source programmable logic controller (PLC) platform “OpenPLC.” We then develop a Trojan detection framework, which utilizes and analyzes multimodal side channels (e.g., timing, magnetic signals, power, and hardware performance counters). We consider defender-configurable input/output (I/O) loopback test, comparison with design-document baselines, and magnetometer-aided monitoring of system behavior under defender-chosen excitations. Our approach can extend to golden-free environments. Golden (known-good) versions of the PCBs are assumed not available, but design information, datasheets, and component-level data are available. We demonstrate the efficacy of our approach on a range of Trojans instantiated in the test bed.

MAPPER: Managing Application Performance via Parallel Efficiency Regulation

State-of-the-art systems, whether in servers or desktops, provide ample computational and storage resources to allow multiple simultaneously executing potentially parallel applications. However, performance tends to be unpredictable, being a function of algorithmic design, resource allocation choices, and hardware resource limitations. In this article, we introduce MAPPER, a manager of application performance via parallel efficiency regulation. MAPPER uses a privileged daemon to monitor (using hardware performance counters) and coordinate all participating applications by making two coupled decisions: the degree of parallelism to allow each application to improve system efficiency while guaranteeing quality of service (QoS), and which specific CPU cores to schedule applications on. The QoS metric may be chosen by the application and could be in terms of execution time, throughput, or tail latency, relative to the maximum performance achievable on the machine. We demonstrate that using a normalized parallel efficiency metric allows comparison across and cooperation among applications to guarantee their required QoS. While MAPPER may be used without application or runtime modification, use of a simple interface to communicate application-level knowledge improves MAPPER’s efficacy. Using a QoS guarantee of 85% of the IPC achieved with a fair share of resources on the machine, MAPPER achieves up to 3.3 \( \times \) speedup relative to unmodified Linux and runtime systems, with an average improvement of 17% in our test cases. At the same time, MAPPER violates QoS for only 2% of the applications (compared to 23% for Linux), while placing much tighter bounds on the worst case. MAPPER relieves hardware bottlenecks via task-to-CPU placement and allocates more CPU contexts to applications that exhibit higher parallel efficiency while guaranteeing QoS, resulting in both individual application performance predictability and overall system efficiency.

MATANA: A Reconfigurable Framework for Runtime Attack Detection Based on the Analysis of Microarchitectural Signals

Microarchitectural attacks exploit target hardware properties to break software isolation techniques used by the processor. These attacks are extremely powerful and hard to detect since the determination of the program execution’s impact on the microarchitecture is at the same time not precisely understood and not easily observable at the software layer. Some approaches have attempted to benefit from existing hardware to better understand and detect the microarchitectural attacks (i.e., Hardware Performance Counters or Arm CoreSight), but such hardware was not meant to be used for cybersecurity, with reduced choice on observable signals and limited throughput of information. In this paper, we propose MATANA, an open and adaptive reconfigurable hardware/software co-designed framework. Combining fine-grained analysis of microarchitectural signals and software support, MATANA allows to design and assess detection mechanisms for attacks by characterizing their microarchitectural effects—in particular, microarchitectural attacks, but also some high-level attacks such as return-oriented programming attacks. The paper also describes a prototype implementation, built with a RISC-V softcore processor Rocket running Linux 4.15 on a Virtex-6 FPGA. We successfully used MATANA to analyze cache side-channel attacks and build attack detection logic from two different perspectives: instruction-based and memory-access-based. We also successfully detected return-oriented programming attacks by exhibiting a specific behavioral pattern on the microarchitecture.

CacheHawkeye: Detecting Cache Side Channel Attacks Based on Memory Events

Cache side channel attacks, as a type of cryptanalysis, seriously threaten the security of the cryptosystem. These attacks continuously monitor the memory addresses associated with the victim’s secret information, which cause frequent memory access on these addresses. This paper proposes CacheHawkeye, which uses the frequent memory access characteristic of the attacker to detect attacks. CacheHawkeye monitors memory events by CPU hardware performance counters. We proved the effectiveness of CacheHawkeye on Flush+Reload and Flush+Flush attacks. In addition, we evaluated the accuracy of CacheHawkeye under different system loads. Experiments demonstrate that CacheHawkeye not only has good accuracy but can also adapt to various system loads.

MADFAM: MicroArchitectural Data Framework and Methodology

In the aftermath of Spectre and Meltdown researchers have proposed a variety of attack detection solutions by applying machine learning to data collected from hardware performance monitoring units. Although many microarchitectural attack detection systems provide high-accuracy detection results, the behavior of the underlying data collection mechanisms is not well described or understood. This research introduces the MicroArchitectural Data Framework And Methodology (MADFAM) to prescribe a systematic approach to collecting and preserving the information available in sequences of microarchitectural data. The proposed framework focuses on hardware performance counters (HPCs) as the primary data source. HPC configuration is complex, which makes it difficult for others to reproduce results or advance the state-of-the-art. This framework includes a description of design decisions that HPC research must consider across an array of problem domains, including information security. MADFAM proposes a data collection architecture and evaluation criteria to improve the discussion about the experimental settings and design decisions used in HPC research. The proposed framework evaluation criteria are then used to establish a baseline characterization of time series data that future research can use to compare alternative framework implementations.

A Review on Vulnerabilities to Modern Processors and its Mitigation for Various Variants

Recently, security researchers have found two hardware security vulnerabilities namely Spectre and Meltdown, related to computer memory. They are not singular, many variants of these two vulnerabilities are being a head ache for secure hardware designers. These attacks affect the modern CPUs which use speculative and out-of-order execution for optimization. This attack may affect the computing device which using the processor like Intel, AMD, ARM, and other processors like ARM processors that may use by mobile devices. By exploiting these attack that may allow the adversary to gain the control of a device to capture all the secrete data available on the system or a memory. These vulnerabilities need the better solution at the hardware level, but the problem is hardware updates is not possible at the real-time. In the face, the software-based solution is not addressed by the long run to avoid this attack, this solution is only for time constrain. This paper presents the solution for different variants of Spectre and Meltdown vulnerabilities and how they are dangerous to the modern processors like Intel, AMD, and so on to avoid the damage of the hardware using Hardware Performance Counters (HPCs). Finally, some of the mitigation techniques against these vulnerabilities are suggested based on the running application of a device.

Hardware-Assisted Malware Detection and Localization using Explainable Machine Learning

Malicious software, popularly known as malware, is widely acknowledged as a serious threat to modern computing systems. Software-based solutions, such as anti-virus software (AVS), are not effective since they rely on matching patterns that can be easily fooled by carefully crafted malware with obfuscation or other deviation capabilities. While recent malware detection methods provide promising results through effective utilization of hardware features, the detection results cannot be interpreted in a meaningful way. In this paper, we propose a hardware-assisted malware detection framework using explainable machine learning. This paper makes three important contributions. First, we theoretically establish that our proposed method can provide interpretable explanations for classification results to address the challenge of transparency. Next, we show that the explainable outcome through effective utilization of hardware performance counters and embedded trace buffer can lead to accurate localization of malicious behavior. Finally, we have performed efficiency versus accuracy trade-off analysis using decision tree and recurrent neural networks. Extensive evaluation using a wide variety of real-world malware datasets demonstrates that our framework can produce accurate and human-understandable malware detection results with provable guarantees.

Enabling Micro AI for Securing Edge Devices at Hardware Level

Emerging embedded systems and Internet-of-Things (IoT) devices, which account for a wide range of applications are often highly resource-constrained that are challenging the software-based methods traditionally adopted for detecting and containing cyber-attacks (e.g., malware) in general-purpose computing systems. In addition to the complexity and cost (computing and storage), the software-based detection methods mainly rely on the static signature analysis of the running programs, requiring continuous software update which is not affordable for embedded systems and edge devices with limited computing and communication bandwidth. To address these challenges, this work proposes an accurate and cost-efficient micro AI enabled countermeasure for securing modern edge devices against emerging cyber-attacks, i.e., malware and Side-Channel Attacks (SCAs) at the hardware level by monitoring applications’ Hardware Performance Counter (HPC) features. To realize a run-time ML-based solution that relies on limited available HPCs in modern edge processors, we first identify the most prominent HPC events for accurate attack detection with the aid of an effective feature selection method. Next, various standard machine learning classifiers are implemented for effective and accurate run-time hardware-assisted malware and side-channel attacks detection. They are compared and characterized in terms of detection accuracy, F-measure, robustness, latency, power consumption, and hardware overheads. Experimental results demonstrate that the J48 classifier achieves the highest detection rate (F-measure) for both malware and SCAs detection with 0.917 and 0.987, respectively, with relatively negligible latency and area overhead as compared to complex models making it a suitable algorithm for enabling an efficient hardware-assisted micro AI countermeasure in edge devices.

Probability Analysis to Improve the Confidence in Profiling Accuracy

Performance profiling for the system is necessary and has already been widely supported by hardware performance counters (HPC). HPC is based on the registers to count the number of events in a time interval and uses system interruption to read the number from registers to a recording file. The profiled result approximates the actual running states and is not accurate since the profiling technique uses sampling to capture the states. We do not know the actual running states before, which makes the validation on profiling results complex. Jianwei YinSome experiments-based analysis compared the running results of benchmarks running on different systems to improve the confidence of the profiling technique. But they have not explained why the sampling technique can represent the actual running states. We use the probability theory to prove that the expectation value of events profiled is an unbiased estimation of the actual states, and its variance is small enough. For knowing the actual running states, we design a simulation to generate the running states and get the profiled results. We refer to the applications running on production data centers to choose the parameters for our simulation settings. Comparing the actual running states and the profiled results shows they are similar, which proves our probability analysis is correct and improves our confidence in profiling accuracy.

Using hardware performance counters to speed up autotuning convergence on GPUs

Nowadays, GPU accelerators are commonly used to speed up general-purpose computing tasks on a variety of hardware. However, due to the diversity of GPU architectures and processed data, optimization of codes for a particular type of hardware and specific data characteristics can be extremely challenging. The autotuning of performance-relevant source-code parameters allows for automatic optimization of applications and keeps their performance portable. Although the autotuning process typically results in code speed-up, searching the tuning space can bring unacceptable overhead if (i) the tuning space is vast and full of poorly-performing implementations, or (ii) the autotuning process has to be repeated frequently because of changes in processed data or migration to different hardware.In this paper, we introduce a novel method for searching generic tuning spaces. The tuning spaces can contain tuning parameters changing any user-defined property of the source code. The method takes advantage of collecting hardware performance counters (also known as profiling counters) during empirical tuning. Those counters are used to navigate the searching process towards faster implementations. The method requires the tuning space to be sampled on any GPU. It builds a problem-specific model, which can be used during autotuning on various, even previously unseen inputs or GPUs. Using a set of five benchmarks, we experimentally demonstrate that our method can speed up autotuning when an application needs to be ported to different hardware or when it needs to process data with different characteristics. We also compared our method to state of the art and show that our method is superior in terms of the number of searching steps and typically outperforms other searches in terms of convergence time.

Towards Accurate Run-Time Hardware-Assisted Stealthy Malware Detection: A Lightweight, yet Effective Time Series CNN-Based Approach

According to recent security analysis reports, malicious software (a.k.a. malware) is rising at an alarming rate in numbers, complexity, and harmful purposes to compromise the security of modern computer systems. Recently, malware detection based on low-level hardware features (e.g., Hardware Performance Counters (HPCs) information) has emerged as an effective alternative solution to address the complexity and performance overheads of traditional software-based detection methods. Hardware-assisted Malware Detection (HMD) techniques depend on standard Machine Learning (ML) classifiers to detect signatures of malicious applications by monitoring built-in HPC registers during execution at run-time. Prior HMD methods though effective have limited their study on detecting malicious applications that are spawned as a separate thread during application execution, hence detecting stealthy malware patterns at run-time remains a critical challenge. Stealthy malware refers to harmful cyber attacks in which malicious code is hidden within benign applications and remains undetected by traditional malware detection approaches. In this paper, we first present a comprehensive review of recent advances in hardware-assisted malware detection studies that have used standard ML techniques to detect the malware signatures. Next, to address the challenge of stealthy malware detection at the processor’s hardware level, we propose StealthMiner, a novel specialized time series machine learning-based approach to accurately detect stealthy malware trace at run-time using branch instructions, the most prominent HPC feature. StealthMiner is based on a lightweight time series Fully Convolutional Neural Network (FCN) model that automatically identifies potentially contaminated samples in HPC-based time series data and utilizes them to accurately recognize the trace of stealthy malware. Our analysis demonstrates that using state-of-the-art ML-based malware detection methods is not effective in detecting stealthy malware samples since the captured HPC data not only represents malware but also carries benign applications’ microarchitectural data. The experimental results demonstrate that with the aid of our novel intelligent approach, stealthy malware can be detected at run-time with 94% detection performance on average with only one HPC feature, outperforming the detection performance of state-of-the-art HMD and general time series classification methods by up to 42% and 36%, respectively.

Hardware Performance Counters: Ready-Made vs Tailor-Made

Micro-architectural footprints can be used to distinguish one application from another. Most modern processors feature hardware performance counters to monitor the various micro-architectural events when an application is executing. These ready-made hardware performance counters can be used to create program fingerprints and have been shown to successfully differentiate between individual applications. In this paper, we demonstrate how ready-made hardware performance counters, due to their coarse-grain nature (low sampling rate and bundling of similar events, e.g., number of instructions instead of number of add instructions), are insufficient to this end. This observation motivates exploration of tailor-made hardware performance counters to capture fine-grain characteristics of the programs. As a case study, we evaluate both ready-made and tailor-made hardware performance counters using post-quantum cryptographic key encapsulation mechanism implementations. Machine learning models trained on tailor-made hardwareperformance counter streams demonstrate that they can uniquely identify the behavior of every post-quantum cryptographic key encapsulation mechanism algorithm with at least 98.99% accuracy.

Measurement and analysis of GPU-accelerated applications with HPCToolkit

To address the challenge of performance analysis on the US DOE’s forthcoming exascale supercomputers, Rice University has been extending its HPCToolkit performance tools to support measurement and analysis of GPU-accelerated applications. To help developers understand the performance of accelerated applications as a whole, HPCToolkit’s measurement and analysis tools attribute metrics to calling contexts that span both CPUs and GPUs. To measure GPU-accelerated applications efficiently, HPCToolkit employs a novel wait-free data structure to coordinate monitoring and attribution of GPU performance. To help developers understand the performance of complex GPU code generated from high-level programming models, HPCToolkit constructs sophisticated approximations of call path profiles for GPU computations. To support fine-grained analysis and tuning, HPCToolkit uses PC sampling and instrumentation to measure and attribute GPU performance metrics to source lines, loops, and inlined code. To supplement fine-grained measurements, HPCToolkit can measure GPU kernel executions using hardware performance counters. To provide a view of how an execution evolves over time, HPCToolkit can collect, analyze, and visualize call path traces within and across nodes. Finally, on NVIDIA GPUs, HPCToolkit can derive and attribute a collection of useful performance metrics based on measurements using GPU PC samples. We illustrate HPCToolkit’s new capabilities for analyzing GPU-accelerated applications with several codes developed as part of the Exascale Computing Project.

A methodology for selecting hardware performance counters for supporting non-intrusive diagnostic of flood DDoS attacks on web servers

Web server outages caused by a Distributed Denial of Service (DDoS) attacks have increased considerably over the years. Intrusion Detection Systems (IDS) are not sufficient to detect threats in the system, even when used in conjunction with Intrusion Prevention Systems (IPS) and even considering the use of data sets containing information about typical situations and attacks on the system’s service. Performing analyzes with a very dense amount of observed variables can cost a significant amount of host resources. Furthermore, these data sets are at risk of not representing the system’s behavior properly, and they cannot always be shared as they may contain confidential information in the diagnostic data. This paper presents a non-intrusive diagnostic methodology to select hardware performance counters in HTTP flood DDoS attacks on enterprise-level web servers, combining methods and techniques from different segments. The proposed approach uses low-level resource appliances such as Hardware Performance Counters (HPCs) for diagnosis, creating behavioral profiles in the face of attacks and usual service usage. The proposed strategy supports delivering reliable diagnoses with accurate characterization without third-party data sets. With the proposed methodology, we were able to reduce HPCs by 26%, compared to the initial group.

Utilizing ensemble learning for performance and power modeling and improvement of parallel cancer deep learning CANDLE benchmarks

AbstractMachine learning (ML) continues to grow in importance across nearly all domains in modeling to learn from data. Often a tradeoff exists between a model's ability to minimize bias and variance. In this article, we utilize ensemble learning to combine linear, nonlinear, and tree‐/rule‐based ML methods to cope with the bias‐variance tradeoff and result in more accurate models. We use the datasets collected for two parallel cancer deep learning CANDLE benchmarks, NT3 and P1B2, to build performance and power models based on hardware performance counters using single‐object and multiple‐objects ensemble learning to identify the most important counters for improvement on the Cray XC40 Theta at Argonne National Laboratory. Based on the insights from these models, we improve the performance and energy of P1B2 and NT3 by optimizing the deep learning environments TensorFlow, Keras, Horovod, and Python under the huge page size of 8 MB. Experimental results show that ensemble learning not only produces more accurate models but also provides more robust performance counter ranking. We achieve up to 61.15% performance improvement and up to 62.58% energy saving for P1B2 and up to 55.81% performance improvement and up to 52.60% energy saving for NT3 on up to 24,576 cores.

Malware Detection Using Machine Learning Algorithms Based on Hardware Performance Counters: Analysis and Simulation

In the last decade, Hardware Performance Counters (HPCs) events are increasingly used by Machine Learning (ML) algorithms for malware detection. Modern processors provide a variety of HPCs to measure and monitor processes’ events such as memory accesses, instructions, etc. during their execution. In this paper, an analysis study to categorize the machine learning algorithms based on HPCs that have been used for malware detection is introduced. Besides, the most efficient and effective features of HPCs that have been exploited to recognize the abnormal activities on various systems are identified. Furthermore, the Neural Network (NN) algorithms including Multi-Layer Perceptron (MLP), Convolutional Neural Network (CNN), and Full Order Radial Basis Function (RBF) algorithms are used to simulate several experiments from the literature. The simulation results show that the accuracy of MLP, CNN, and Full Order RBF are 96.95%, 98.22%, and 98.68%, respectively.

Security Begins at Home

Of the many interesting articles in this issue of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">IEEE Design&amp;Test</i> , one particular article by Zhou et al. grabbed my attention. The article showed that hardware performance counters, which count instances of microarchitectural events, cannot distinguish between a system in normal operation and a system under attack. One reason given is the gap between the functional behavior of a system and the behavior at the microarchitectural level. Therefore, it is best to look for incursions at the functional level and distinguish good from any suspicious behavior there.

A Cautionary Tale About Detecting Malware Using Hardware Performance Counters and Machine Learning

Editor's note: This article revisits the literature around the use of hardware performance counters for malware detection, highlighting discrepancies, and providing a retrospection of challenges for future research.

Hardware-assisted detection of firmware attacks in inverter-based cyberphysical microgrids

The electric grid modernization effort relies on the extensive deployment of microgrid (MG) systems. MGs integrate renewable resources and energy storage systems, allowing to generate economic and zero-carbon footprint electricity, deliver sustainable energy to communities using local energy resources, and enhance grid resilience. MGs as cyberphysical systems include interconnected devices that measure, control, and actuate energy resources and loads. For optimal operation, cyberphysical MGs regulate the onsite energy generation through support functions enabled by smart inverters. Smart inverters, being consumer electronic firmware-based devices, are susceptible to increasing security threats. If inverters are maliciously controlled, they can significantly disrupt MG operation and electricity delivery as well as impact the grid stability. In this paper, we demonstrate the impact of denial-of-service (DoS) as well as controller and setpoint modification attacks on a simulated MG system. Furthermore, we employ custom-built hardware performance counters (HPCs) as design-for-security (DfS) primitives to detect malicious firmware modifications on MG inverters. The proposed HPCs measure periodically the order of various instruction types within the MG inverter’s firmware code. Our experiments illustrate that the firmware modifications are successfully identified by our custom-built HPCs utilizing various machine learning-based classifiers.

Intelligent colocation of HPC workloads

Many HPC applications suffer from a bottleneck in the shared caches, instruction execution units, I/O or memory bandwidth, even though the remaining resources may be underutilized. It is hard for developers and runtime systems to ensure that all critical resources are fully exploited by a single application, so an attractive technique for increasing HPC system utilization is to colocate multiple applications on the same server. When applications share critical resources, however, contention on shared resources may lead to reduced application performance.In this paper, we show that server efficiency can be improved by first modeling the expected performance degradation of colocated applications based on measured hardware performance counters, and then exploiting the model to determine an optimized mix of colocated applications. This paper presents a new intelligent resource manager and makes the following contributions: (1) a new machine learning model to predict the performance degradation of colocated applications based on hardware counters and (2) an intelligent scheduling scheme deployed on an existing resource manager to enable application co-scheduling with minimum performance degradation. Our results show that our approach achieves performance improvements of 7% (avg) and 12% (max) compared to the standard policy commonly used by existing job managers.