HexPADS: A Platform to Detect “Stealth” Attacks

  • Mathias Payer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9639)


Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to measure current state and behavior of the system to detect an attack orthogonal to active defenses.

Attacks change the execution behavior of a system. Our attack detection system HexPADS detects attacks through divergences from normal behavior using attack signatures. HexPADS collects information from the operating system on runtime performance metrics with measurements from hardware performance counters for individual processes. Cache behavior is a strong indicator of ongoing attacks like rowhammer, side channels, covert channels, or CAIN attacks. Collecting performance metrics across all running processes allows the correlation and detection of these attacks. In addition, HexPADS can mitigate the attacks or significantly reduce their effectiveness with negligible overhead to benign processes.


Virtual Machine Intrusion Detection System Attack Detection Covert Channel Performance Overhead 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Clémentine Maurice, Daniel Grauss, Antonio Barresi, Scott A. Carr, and Terry Ching-Hsiang Hsu for generous feedback on the paper. We also thank Clémentine and Daniel for providing access to the CSC implementation and Antonio for providing access to the CAIN implementation. This work was sponsored, in part, by NSF CNS-1513783.


  1. 1.
    Acıiçmez, O., Koç, Ç.K., Seifert, J.-P.: Predicting secret keys via branch prediction. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 225–242. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Barresi, A., Razavi, K., Payer, M., Gross, T.R.: CAIN: silently breaking ASLR in the cloud. In: WOOT 2015: 9th Usenix Workshop on Offensive Technologies (2015)Google Scholar
  3. 3.
    Cid, D.B.: Ossec: open source host-based intrusion detection system (2015).
  4. 4.
    Corp, I.: Intel 64 and IA-32 Intel Architecture Software Developer’s Manual Combined vols. 3A and 3B: System Programming Guide, Parts 1 and 2 (2015)Google Scholar
  5. 5.
    Denning, D.: An intrusion-detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)CrossRefGoogle Scholar
  6. 6.
    Domnitser, L., Jaleel, A., Loew, J., Abu-Ghazaleh, N., Ponomarev, D.: Non-monopolizable caches: low-complexity mitigation of cache side channel attacks. ACM Trans. Archit. Code Optim. (2012)Google Scholar
  7. 7.
    Flo, T.R.: ninja process monitor (2010).
  8. 8.
  9. 9.
    Ghosh, A., Wanken, J., Charron, F.: Detecting anomalous and unknown intrusions against programs. In: Annual Computer Security Applications Conference (1998)Google Scholar
  10. 10.
    Grim, L., Vandenbrink, R.: Ids: File integrity checking. Technical report, SANS Institute (2014)Google Scholar
  11. 11.
    Gruss, D., Spreitzer, R., Mangard, S.: Cache template attacks: automating attacks on inclusive last-level caches. In: USENIX Security Symposium (2015)Google Scholar
  12. 12.
    Hiroaki, E., Kunikazu, Y.: ProPolice: improved stack-smashing attack detection. IPSJ SIG Notes 75, 181–188 (2001)Google Scholar
  13. 13.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151–180 (1998)CrossRefGoogle Scholar
  14. 14.
    Irazoqui, G., Inci, M.S., Eisenbarth, T., Sunar, B.: Wait a minute! a fast, cross-VM attack on AES. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 299–319. Springer, Heidelberg (2014)Google Scholar
  15. 15.
    Kim, T., Peinado, M., Mainar-Ruiz, G.: Stealthmem: system-level protection against cache-based side channel attacks in the cloud. In: USENIX Security Symposium (2012)Google Scholar
  16. 16.
    Ko, C., Ruschitzka, M., Levitt, K.: Execution monitoring of security-critical programs in distributed systems: a specification-based approach. In: IEEE Symposium on Security and Privacy (1997)Google Scholar
  17. 17.
    Martin, R., Demme, J., Sethumadhavan, S.: Timewarp: rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. In: International Symposium on Computer, Architecture (2012)Google Scholar
  18. 18.
    Maurice, C., Neumann, C., Heen, O., Francillon, A.: C5: cross-cores cache covert channel. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 46–64. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  19. 19.
    Maurice, C., Le Scouarnec, N., Neumann, C., Heen, O., Francillon, A.: Reverse engineering intel last-level cache complex addressing using performance counters. In: Bos, H., et al. (eds.) Raid 2015. LNCS, vol. 9404, pp. 48–65. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-26362-5_3CrossRefGoogle Scholar
  20. 20.
    Mutz, D., Valeur, F., Vigna, G., Kruegel, C.: Anomalous system call detection. ACM Trans. Inf. Syst. Secur. 9(1) (2006)Google Scholar
  21. 21.
    PaX-Team. PaX ASLR (Address Space Layout Randomization) (2003).
  22. 22.
    Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)CrossRefGoogle Scholar
  23. 23.
    Porras, P.A., Neumann, P.G.: Emerald: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th National Information Systems Security Conference(1997)Google Scholar
  24. 24.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: ACM Conference on Computer and Communication Security (2009)Google Scholar
  25. 25.
    Seaborn, M., Dullien, T.: Exploiting the dram rowhammer bug to gain kernel privileges (2015).
  26. 26.
    Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: European Workshop on System Security (2011)Google Scholar
  27. 27.
    van de Ven, A., Molnar, I.: Exec shield (2004).
  28. 28.
    Vattikonda, B.C., Das, S., Shacham, H.: Eliminating fine-grained timers in xen. In: ACM Cloud Computing Security Workshop (2011)Google Scholar
  29. 29.
    Vigna, G., Valeur, F., Kemmerer, R.A.: Designing and implementing a family of intrusion detection systems. In: European Software Engineering Conference (2003)Google Scholar
  30. 30.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: ACM Conference on Computer and Communication Security (2002)Google Scholar
  31. 31.
    Wang, Z., Lee, R.B.: Covert and side channels due to processor architecture. In: Annual Computer Security Applications Conference (2006)Google Scholar
  32. 32.
    Wang, Z., Lee, R.B.: New cache designs for thwarting software cache-based side channel attacks. In: International Symposium on Computer, Architecture (2007)Google Scholar
  33. 33.
    Wang, Z., Lee, R.B.: A novel cache architecture with enhanced performance and security. In: International Symposium on Microarchitecture (2008)Google Scholar
  34. 34.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusion using system calls: alternative data models. In: IEEE Symposium on Security and Privacy (1999)Google Scholar
  35. 35.
    Wu, J., Ding, L., Wu, Y., Min-Allah, N., Khan, S.U., Wang, Y.: \(c^{2}\) detector: a covert channel detection framework in cloud computing. Secur. Commun. Netw. 7(3), 544–557 (2014)CrossRefGoogle Scholar
  36. 36.
    Wu, Z., Xu, Z., Wang, H.: Whispers in the hyper-space: high-speed covert channel attacks in the cloud. In: USENIX Security Symposium (2012)Google Scholar
  37. 37.
    Yarom, Y., Falkner, K.: Flush+reload: a high resolution, low noise, l3 cache side-channel attack. In: USENIX Security Symposium (2014)Google Scholar
  38. 38.
    Zhang, Y., Juels, A., Oprea, A., Reiter, M.K.: Homealone: co-residency detection in the cloud via side-channel analysis. In: IEEE Symposium on Security and Privacy (2012)Google Scholar
  39. 39.
    Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: ACM Conference on Computer and Communication Security (2012)Google Scholar
  40. 40.
    Zhang, Y., Reiter, M.K.: Düppel: retrofitting commodity operating systems to mitigate cache side-channels in the cloud. In: ACM Conference on Computer and Communication Security (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.Purdue UniversityWest LafayetteUSA

Personalised recommendations