DOI: 10.1145/2948618.2948620
Research article

Can Data-Only Exploits be Detected at Runtime Using Hardware Events?: A Case Study of the Heartbleed Vulnerability

Published: 18 June 2016

Abstract

In this study, we investigate the feasibility of an anomaly-based detection scheme that uses information collected from hardware performance counters at runtime to detect data-oriented attacks in user-space libraries. Using the Heartbleed vulnerability as a test case, we studied twelve different hardware events and used a Support Vector Machine (SVM) model to classify between regular and abnormal behaviors. Our results demonstrated a detection accuracy over 92% for the two-class SVM model and over 70% for the one-class SVM model. We also studied the limitations of using certain types of hardware events and discussed possible implications of their use in detection schemes. Overall, the experiments conducted suggest that data-oriented attacks can be more difficult to detect than control-data exploits, as certain events are susceptible to interference and hence less reliable.
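As an added illustration of the detection approach the abstract outlines (this is not the paper's code and not its SVM pipeline), the following Python script scores per-request hardware-event count vectors against a benign baseline with a diagonal Mahalanobis distance, a simple stand-in for the one-class classifier, and shows the caveat the abstract raises: an event that moves under unrelated load (here last-level cache misses while a constructed noisy co-tenant shares the cache) produces false positives unless it is screened out of the feature set. Every event name, count, threshold and the shape of the "over-read" window is constructed sample data, not a measurement.

```python
"""Added illustration of anomaly scoring over hardware-event counts.
Not the paper's SVM pipeline; all event names and numbers are constructed."""
from math import sqrt
from statistics import mean, stdev

EVENTS = ["instructions", "branches", "branch_misses", "loads", "stores", "llc_misses"]


def window(*counts):
    """One per-request event-count vector, in EVENTS order (constructed)."""
    return dict(zip(EVENTS, counts))


# Constructed benign baseline: ordinary TLS requests served on an otherwise idle host.
BASELINE_IDLE = [
    window(10000, 2000, 40, 3000, 1500, 120),
    window(10200, 2040, 42, 3050, 1520, 130),
    window(9900, 1980, 39, 2980, 1490, 115),
    window(10100, 2020, 41, 3020, 1510, 125),
    window(9950, 1990, 40, 2990, 1495, 118),
    window(10050, 2010, 41, 3010, 1505, 122),
    window(10150, 2030, 42, 3040, 1515, 128),
    window(9980, 1995, 40, 2995, 1498, 119),
]
# Same benign workload while a constructed co-tenant thrashes the shared last-level
# cache: only the LLC-miss count moves; the core-local events are unchanged.
BASELINE_LOADED = [dict(w, llc_misses=m) for w, m in
                   zip(BASELINE_IDLE, (520, 610, 480, 560, 530, 590, 640, 500))]

# Constructed test windows (the over-read shape is illustrative, not a measurement).
TEST_BENIGN = window(10020, 2005, 41, 3005, 1502, 121)
TEST_INTERFERED = window(10020, 2005, 41, 3005, 1502, 600)  # benign request, noisy neighbour
TEST_OVERREAD = window(14000, 2100, 45, 9000, 6000, 400)    # memory traffic out of proportion to instructions


def fit_baseline(windows, events):
    """Per-event (mean, standard deviation) of benign windows."""
    return {e: (mean([w[e] for w in windows]), stdev([w[e] for w in windows])) for e in events}


def score(win, model, events):
    """Diagonal Mahalanobis distance of one window from the benign baseline."""
    return sqrt(sum(((win[e] - model[e][0]) / model[e][1]) ** 2 for e in events))


def classify(win, model, events, threshold=4.0):
    """True when the window is flagged anomalous (the threshold is a constructed choice)."""
    return score(win, model, events) > threshold


def interference_prone(idle, loaded, events, max_shift=3.0):
    """Events whose benign mean shifts by more than max_shift idle standard
    deviations when unrelated load shares the machine; these are the events
    the abstract describes as susceptible to interference."""
    ref = fit_baseline(idle, events)
    return [e for e in events
            if abs(mean([w[e] for w in loaded]) - ref[e][0]) / ref[e][1] > max_shift]


def evaluate(events):
    """Verdicts for (benign, interfered, over-read) windows using the given event set."""
    model = fit_baseline(BASELINE_IDLE, events)
    return tuple(classify(w, model, events) for w in (TEST_BENIGN, TEST_INTERFERED, TEST_OVERREAD))


if __name__ == "__main__":
    prone = interference_prone(BASELINE_IDLE, BASELINE_LOADED, EVENTS)
    robust = [e for e in EVENTS if e not in prone]
    print("interference-prone events:", prone)
    print("all events    (benign, interfered, over-read):", evaluate(EVENTS))
    print("robust subset (benign, interfered, over-read):", evaluate(robust))
```

With all six events the benign-but-interfered window is flagged (a false positive driven entirely by the cache-miss count), while the robust subset still flags the over-read window through its load/store counts. Screening events against a second baseline collected under unrelated load is the kind of reliability check a deployment of this scheme needs before trusting an event in the model.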



Published In

HASP '16: Proceedings of the Hardware and Architectural Support for Security and Privacy 2016
June 2016, 96 pages
ISBN: 9781450347693
DOI: 10.1145/2948618
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

HASP 2016

Acceptance Rates

Overall acceptance rate: 9 of 13 submissions (69%)

Article Metrics

  • Downloads (last 12 months): 14
  • Downloads (last 6 weeks): 2
Reflects downloads up to 16 Feb 2025

Cited By

  • (2025) Constructing arbitrary write via puppet objects and delivering gadgets in Linux kernel. Computers & Security, 150:104189. DOI: 10.1016/j.cose.2024.104189. Online publication date: March 2025.
  • (2024) Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe). ACM Transactions on Embedded Computing Systems, 23(4):1-27. DOI: 10.1145/3663673. Online publication date: 11 May 2024.
  • (2024) Small-Scale Implementation of a Hardware Detector for Malicious Communications and Malware Targeting the IoT. 2024 Twelfth International Symposium on Computing and Networking Workshops (CANDARW), pages 300-306. DOI: 10.1109/CANDARW64572.2024.00056. Online publication date: 26 November 2024.
  • (2023) Low Resource and Power Consumption and Improved Classification Accuracy for IoT Implementation of a Malware Detection Mechanism using Processor Information. International Journal of Networking and Computing, 13(2):149-172. DOI: 10.15803/ijnc.13.2_149. Online publication date: 2023.
  • (2023) Program Characterization for Software Exploitation Detection. Proceedings of the 18th International Conference on Availability, Reliability and Security, pages 1-8. DOI: 10.1145/3600160.3605034. Online publication date: 29 August 2023.
  • (2023) Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters. Digital Threats: Research and Practice, 4(1):1-24. DOI: 10.1145/3519601. Online publication date: 7 March 2023.
  • (2023) Use of Ensemble Learning to Detect Buffer Overflow Exploitation. IEEE Access, 11:52009-52025. DOI: 10.1109/ACCESS.2023.3279280. Online publication date: 2023.
  • (2022) Where's Waldo? Proceedings of the 19th ACM International Conference on Computing Frontiers, pages 75-84. DOI: 10.1145/3528416.3530226. Online publication date: 17 May 2022.
  • (2022) IoT-oriented high-efficient anti-malware hardware focusing on time series metadata extractable from inside a processor core. International Journal of Information Security, 21(4):1-19. DOI: 10.1007/s10207-021-00577-0. Online publication date: 1 August 2022.
  • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security, 24(4):1-36. DOI: 10.1145/3462699. Online publication date: 2 September 2021.
