DOI: 10.1145/3411495.3421353

MARTINI: Memory Access Traces to Detect Attacks

Published: 09 November 2020

Abstract

Hardware architectural vulnerabilities, such as Spectre and Meltdown, are difficult or inefficient to mitigate in software. Although revised hardware designs may address some architectural vulnerabilities going forward, most current remedies increase execution time significantly. Techniques are needed to rapidly and efficiently detect these and other emerging threats. We present an anomaly detector, MARTINI, that analyzes traces of memory accesses in real time to detect attacks. Our experimental evaluation shows that anomalies in these traces are strongly correlated with unauthorized program execution, including architectural side-channel attacks of multiple types. MARTINI consists of a finite automaton that models normal program behavior in terms of memory addresses that are read from, and written to, at runtime. The model uses a compact representation of n-grams, i.e., short sequences of memory accesses, which can be stored and processed efficiently. Once the system is trained on authorized behavior, it rapidly detects a variety of low-level anomalous behaviors and attacks not otherwise easily discernible at the software level. MARTINI's implementation leverages recent advances in in-cache and in-memory automata for computation, and we present a hardware unit that repurposes a small portion of a last-level cache slice to monitor memory addresses. Our detector directly inspects the addresses of memory accesses, using the pre-constructed automaton to identify anomalies with high accuracy, negligible runtime overhead, and trivial increase in CPU chip area. We present analyses of expected hardware properties based on indicative cache and memory hierarchy simulations and empirical evaluations.
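
The n-gram model the abstract describes can be sketched in software. This is an added example, not the authors' implementation or their in-cache automaton; the cache-line folding, n = 3, the frame and limit values, and both traces are assumptions constructed for illustration.

```python
from collections import deque

LINE_SHIFT = 6  # assumption: fold addresses to 64-byte cache lines to keep the alphabet small

def symbols(trace):
    """Turn (op, address) records into compact symbols: op plus cache-line number."""
    return [(op, addr >> LINE_SHIFT) for op, addr in trace]

def ngrams(seq, n):
    """Yield every run of n consecutive symbols."""
    window = deque(maxlen=n)
    for s in seq:
        window.append(s)
        if len(window) == n:
            yield tuple(window)

def train(traces, n=3):
    """Model of normal behaviour: the set of n-grams seen in authorized runs."""
    model = set()
    for t in traces:
        model.update(ngrams(symbols(t), n))
    return model

def anomaly_rate(model, trace, n=3):
    """Fraction of the trace's n-grams that never occurred in training."""
    grams = list(ngrams(symbols(trace), n))
    return sum(g not in model for g in grams) / len(grams) if grams else 0.0

def first_alert(model, trace, n=3, frame=8, limit=3):
    """Streaming check: index of the access at which `limit` unseen n-grams
    fall inside the last `frame` n-grams, or None if that never happens."""
    recent = deque(maxlen=frame)
    for i, g in enumerate(ngrams(symbols(trace), n)):
        recent.append(g not in model)
        if sum(recent) >= limit:
            return i + n - 1
    return None

def loop_trace(iterations):
    """Constructed trace: read three cache lines of a buffer, write one result."""
    body = [("R", 0x1000), ("R", 0x1040), ("R", 0x1080), ("W", 0x2000)]
    return body * iterations

# Constructed sample data, not measurements from the paper.
MODEL = train([loop_trace(4), loop_trace(6)])
CLEAN_RUN = loop_trace(5)
ODD_RUN = loop_trace(2) + [("R", 0x8000 + i * 0x1000) for i in range(4)] + loop_trace(2)

if __name__ == "__main__":
    print(anomaly_rate(MODEL, CLEAN_RUN), first_alert(MODEL, CLEAN_RUN))
    print(anomaly_rate(MODEL, ODD_RUN), first_alert(MODEL, ODD_RUN))
```

Because the sketch keys on absolute cache-line numbers, it assumes addresses are stable between training and monitoring, and an access that stays inside an already-seen cache line is not distinguishable from the trained one.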

Published In

CCSW'20: Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
November 2020
176 pages
ISBN: 9781450380843
DOI: 10.1145/3411495

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. automata processing
  2. intrusion detection
  3. side-channel attacks

Qualifiers

  • Research-article

Funding Sources

  • National Science Foundation
  • Air Force Research Lab
  • DARPA

Conference

CCS '20

Acceptance Rates

Overall Acceptance Rate 37 of 108 submissions, 34%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 341
  • Downloads (Last 12 months): 92
  • Downloads (Last 6 weeks): 19

Reflects downloads up to 17 Feb 2025
