
HexPADS: A Platform to Detect “Stealth” Attacks

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9639)
Abstract

Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program-centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to measure the current state and behavior of the system and thereby detect attacks in a way that is orthogonal to active defenses.

Attacks change the execution behavior of a system. Our attack detection system HexPADS detects attacks through divergences from normal behavior, using attack signatures. HexPADS collects runtime performance metrics from the operating system together with per-process measurements from hardware performance counters. Cache behavior is a strong indicator of ongoing attacks like rowhammer, side channels, covert channels, or CAIN attacks. Collecting performance metrics across all running processes allows the correlation and detection of these attacks. In addition, HexPADS can mitigate the attacks or significantly reduce their effectiveness with negligible overhead to benign processes.
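The abstract describes the detection principle (per-process hardware performance counter readings, compared against attack signatures and against the process's own normal behavior) without showing it. The following is an added toy illustration of that principle, not HexPADS's own code or its real signatures: it parses constructed counter samples (instructions retired, last-level-cache references and misses per process per sampling interval), derives a misses-per-kilo-instruction (MPKI) figure, and raises an alert either when a process matches an absolute cache-thrashing signature or when its MPKI diverges sharply from its own earlier baseline. The input format, the field names and all thresholds are assumptions made for the example.

```python
"""Toy per-process cache-behavior anomaly detector (added example, not HexPADS code).

Assumptions: one text line per (interval, process) holding key=value counter readings;
thresholds below are illustrative, not values taken from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    pid: int
    comm: str
    instructions: int   # instructions retired in the interval
    llc_refs: int       # last-level-cache references in the interval
    llc_misses: int     # last-level-cache misses in the interval


# Constructed sample readouts (not real measurements). Process 303 behaves normally
# for two intervals and then starts missing in the LLC on almost every access.
RAW_SAMPLES = """\
t=0 pid=101 comm=sshd instructions=12000000 llc_refs=40000 llc_misses=3000
t=0 pid=202 comm=build instructions=90000000 llc_refs=800000 llc_misses=70000
t=0 pid=303 comm=worker instructions=15000000 llc_refs=20000 llc_misses=1500
t=1 pid=101 comm=sshd instructions=11500000 llc_refs=39000 llc_misses=2900
t=1 pid=202 comm=build instructions=88000000 llc_refs=790000 llc_misses=72000
t=1 pid=303 comm=worker instructions=14000000 llc_refs=21000 llc_misses=1400
t=2 pid=101 comm=sshd instructions=12100000 llc_refs=41000 llc_misses=3100
t=2 pid=202 comm=build instructions=91000000 llc_refs=810000 llc_misses=71000
t=2 pid=303 comm=worker instructions=16000000 llc_refs=3000000 llc_misses=2900000
"""

ABS_MPKI = 50.0         # assumed: LLC misses per 1000 instructions that is "too many"
ABS_MISS_RATIO = 0.9    # assumed: nearly every LLC access misses
BASELINE_FACTOR = 10.0  # assumed: divergence multiplier against the process's own history


def parse_samples(text):
    """Parse key=value lines into a list of (interval, Sample) tuples."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        out.append((int(kv["t"]), Sample(int(kv["pid"]), kv["comm"],
                                         int(kv["instructions"]),
                                         int(kv["llc_refs"]), int(kv["llc_misses"]))))
    return out


def mpki(s):
    """LLC misses per thousand retired instructions (0 if nothing retired)."""
    return 1000.0 * s.llc_misses / s.instructions if s.instructions else 0.0


def miss_ratio(s):
    """Fraction of LLC references that missed (0 if no references)."""
    return s.llc_misses / s.llc_refs if s.llc_refs else 0.0


def detect(samples, abs_mpki=ABS_MPKI, abs_ratio=ABS_MISS_RATIO, factor=BASELINE_FACTOR):
    """Return one alert dict per (interval, process) that trips a signature.

    Two checks per sample: an absolute signature (high MPKI and almost all LLC
    accesses missing) and a relative one (MPKI far above the mean of the same
    process's earlier intervals). History is updated after the checks so the
    anomalous interval does not pollute its own baseline.
    """
    history = defaultdict(list)  # pid -> MPKI of earlier intervals
    alerts = []
    for t, s in sorted(samples, key=lambda x: x[0]):  # stable sort keeps per-interval order
        m = mpki(s)
        reasons = []
        if m >= abs_mpki and miss_ratio(s) >= abs_ratio:
            reasons.append("absolute cache-thrashing signature")
        past = history[s.pid]
        if past:
            base = mean(past)
            if base > 0 and m >= factor * base:
                reasons.append(f"MPKI {m:.1f} is {m / base:.0f}x the process baseline {base:.2f}")
        if reasons:
            alerts.append({"t": t, "pid": s.pid, "comm": s.comm,
                           "mpki": round(m, 1), "reasons": reasons})
        history[s.pid].append(m)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_samples(RAW_SAMPLES)):
        print(a)
```

Running the block reports a single alert for pid 303 in interval 2 with both reasons, while the build job, which legitimately has a much higher absolute miss count, stays quiet because its miss ratio and MPKI are stable. Two design points carry over from the paper's setting: the relative check is what makes a detector robust to workloads whose normal cache footprint is large, and, as note 2 below observes, counters have to be read system-wide rather than per core, because the last-level cache is shared across cores and a process pinned to a "different" core still evicts its neighbours' lines.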


The stamp on the top of this paper refers to an approval process conducted by the ESSoS artifact evaluation committee chaired by Alessandra Gorla and Jacques Klein.


Notes

  1. Additional information and details are available on the proc manpage.

  2. Scheduling processes on disjoint cores is not enough as the last level cache is shared.

  3. The source code of HexPADS is available at http://github.com/HexHive/HexPADS.

  4. Google’s prototype implementation is available at https://github.com/google/rowhammer-test.


Acknowledgments

We would like to thank Clémentine Maurice, Daniel Gruss, Antonio Barresi, Scott A. Carr, and Terry Ching-Hsiang Hsu for generous feedback on the paper. We also thank Clémentine and Daniel for providing access to the CSC implementation and Antonio for providing access to the CAIN implementation. This work was sponsored, in part, by NSF CNS-1513783.

Author information

Correspondence to Mathias Payer.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Payer, M. (2016). HexPADS: A Platform to Detect “Stealth” Attacks. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2016. Lecture Notes in Computer Science, vol 9639. Springer, Cham. https://doi.org/10.1007/978-3-319-30806-7_9

  • DOI: https://doi.org/10.1007/978-3-319-30806-7_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30805-0

  • Online ISBN: 978-3-319-30806-7

  • eBook Packages: Computer Science (R0)