Abstract
Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program-centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to measure the current state and behavior of the system, detecting attacks orthogonally to the active defenses.
Attacks change the execution behavior of a system. Our attack detection system HexPADS detects attacks through divergences from normal behavior using attack signatures. HexPADS combines runtime performance metrics from the operating system with measurements from hardware performance counters for individual processes. Cache behavior is a strong indicator of ongoing attacks like rowhammer, side channels, covert channels, or CAIN attacks. Collecting performance metrics across all running processes allows the correlation and detection of these attacks. In addition, HexPADS can mitigate the attacks or significantly reduce their effectiveness with negligible overhead to benign processes.
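As an added illustration of the detection approach the abstract describes (not code from the paper or from the HexPADS repository), the following Python sketch applies a cache-behavior signature to per-process counter samples and only raises an alert once the pattern persists across several intervals. The thresholds, field names and sample values are assumptions constructed for this example, not the paper's tuned parameters.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Sample:  # one sampling interval of one process (constructed input)
    pid: int
    comm: str
    instructions: int   # retired instructions
    cache_refs: int     # last-level cache references
    cache_misses: int   # last-level cache misses

# Illustrative thresholds (assumptions): a process that misses in the LLC on
# most references, with few instructions in between, behaves like a
# rowhammer or flush-based cache attack rather than a normal workload.
MISS_RATIO = 0.5          # misses / references
MISSES_PER_KINSTR = 50.0  # misses per 1000 retired instructions
MIN_REFS = 100_000        # ignore (near-)idle processes
WINDOW = 5                # consecutive intervals required before alerting

def classify(s: Sample):
    """Apply the cache-thrash signature to one sample; None if benign."""
    if s.cache_refs < MIN_REFS:
        return None
    miss_ratio = s.cache_misses / s.cache_refs
    mpki = 1000.0 * s.cache_misses / max(s.instructions, 1)
    hit = miss_ratio > MISS_RATIO and mpki > MISSES_PER_KINSTR
    return "cache-thrash" if hit else None

class Detector:
    """Per-process window of verdicts, so one noisy interval (a large
    memcpy, say) does not trigger an alert on its own."""
    def __init__(self):
        self.history = {}

    def feed(self, samples):
        alerts = []
        for s in samples:
            h = self.history.setdefault(s.pid, deque(maxlen=WINDOW))
            h.append(classify(s))
            if len(h) == WINDOW and all(h):
                alerts.append((s.pid, s.comm, h[-1]))
        return alerts

def run_demo():
    """Five intervals of constructed samples: a compiler-like benign
    process and a process hammering memory with cache-flushing accesses."""
    det, alerts = Detector(), []
    for _ in range(WINDOW):
        alerts += det.feed([
            Sample(1001, "cc1", 2_000_000_000, 5_000_000, 250_000),
            Sample(4242, "hammer", 50_000_000, 20_000_000, 18_000_000),
        ])
    return alerts
```

In a deployed monitor the alert tuple would be handed to a response hook (throttling or suspending the flagged process), which is left out here.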

The stamp on the top of this paper refers to an approval process conducted by the ESSoS artifact evaluation committee chaired by Alessandra Gorla and Jacques Klein.
Notes
1. Additional information and details are available in the proc manpage.
2. Scheduling processes on disjoint cores is not enough, as the last-level cache is shared.
3. The source code of HexPADS is available at http://github.com/HexHive/HexPADS.
4. Google’s prototype implementation is available at https://github.com/google/rowhammer-test.
Acknowledgments
We would like to thank Clémentine Maurice, Daniel Gruss, Antonio Barresi, Scott A. Carr, and Terry Ching-Hsiang Hsu for generous feedback on the paper. We also thank Clémentine and Daniel for providing access to the CSC implementation and Antonio for providing access to the CAIN implementation. This work was sponsored, in part, by NSF CNS-1513783.
© 2016 Springer International Publishing Switzerland
Cite this paper
Payer, M. (2016). HexPADS: A Platform to Detect “Stealth” Attacks. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_9
DOI: https://doi.org/10.1007/978-3-319-30806-7_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30805-0
Online ISBN: 978-3-319-30806-7