2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO) PerSpectron: Detecting Invariant Footprints of Microarchitectural Attacks with Perceptron Samira Mirbagher-Ajorpaz Gilles Pokam Esmaeil Mohammadian-Koruyeh Computer Science and Engineering Intel Labs Computer Science and Engineering Texas A&M University Santa Clara, USA University of California, Riverside College Station, USA [email protected] Riverside, USA [email protected] [email protected] Elba Garza Nael Abu-Ghazaleh Daniel A. Jimenez´ Computer Science and Engineering Computer Science and Engineering Computer Science and Engineering Texas A&M University University of California, Riverside Texas A&M University College Station, USA Riverside, USA College Station, USA [email protected] [email protected] [email protected] Abstract—Detecting microarchitectural attacks is critical given Various components in a modern processor pipeline are their proliferation in recent years. Many of these attacks ex- susceptible to attacks [1], exposing many side-channels. A hibit intrinsic behaviors essential to the nature of their opera- large body of work has been devoted to identifying each of tion, such as creating contention or misspeculation. This study these attacks, with industry responding with appropriate patches. systematically investigates the microarchitectural footprints of However, this is a cat-and-mouse game as new attacks continue hardware-based attacks and shows how they can be detected and classified using an efficient hardware predictor. We present to appear at a regular cadence. a methodology to use correlated microarchitectural statistics to Prior work on detecting side-channel attacks relies on design a hardware-based neural predictor capable of detecting querying hardware performance counters via software to reveal and classifying microarchitectural attacks before data is leaked. malevolent behavior and prevent data from being leaked [6], [7], Once a potential attack is detected, it can be proactively mitigated [8], [9], [10], [11], [12]. Unfortunately, relying on performance by triggering appropriate countermeasures. Our hardware-based detector, PerSpectron, uses perceptron counters poses practical problems that can hurt detection learning to identify and classify attacks. Perceptron-based predic- and performance. First, the number of events available to tion has been successfully used in branch prediction and other performance counters is limited, e.g. on recent Intel processors, hardware-based applications. PerSpectron has minimal perfor- performance counters can only monitor up to 4 events at a mance overhead. The statistics being monitored have similar time. Thus, detection techniques that require monitoring a rich overhead to already existing performance monitoring counters. Additionally, PerSpectron operates outside the processor’s critical feature space must multiplex counters, potentially degrading paths, offering security without added computation delay. Our accuracy, providing opportunities for evasion, and missing system achieves a usable detection rate for detecting attacks opportunities to detect an attack. Second, because performance such as SpectreV1, SpectreV2, SpectreRSB, Meltdown, break- counters are accessible in software, an attacker may be able to ingKSLR, Flush+Flush, Flush+Reload, Prime+Probe as well as access them and modulate its attack to evade detection. Third, cache-attack calibration programs. We also believe that the large number of diverse microarchitectural features offers both evasion the sampling rate of performance counters is low enough to resilience and interpretability—features not present in previous allow an attacker to adjust the bandwidth of an attack to fit hardware security detectors. We detect these attacks early enough within the sampling interval of a software based detector. to avoid any data leakage, unlike previous work that triggers We propose an alternative approach: a first line of defense countermeasures only after data has been exposed. that protects systems against broadly-defined microarchitectural Index Terms—microarchitectural attack defenses, secure archi- tectures, anomaly detection attacks by leveraging a distinct microarchitectural footprint of each attack to detect and classify these attacks-in-progress. This I. INTRODUCTION technique enables countermeasures to be deployed proactively, The number of known microarchitectural security vulnera- before the attack can be successful. There is evidence that bilities caused by speculative execution has increased sharply microarchitectural attacks are being used to hide other, more in recent years [1]. More recently, microarchitectural data traditional attacks as well, so it is important for security sampling (MDS) vulnerabilities have been introduced: RIDL solutions to be able to detect attacks in the speculative execution [2], Fallout [3] and LVI [4] exploit these vulnerabilities to leak feature space [13]. data from internal CPU buffers. Also, the new CacheOut [5] Our hardware classifier can capture the signature of an attack attack adds the ability to select which data to leak from the in a much richer feature space, allowing higher classification L1 cache to the MDS-based attack. accuracy. Security guarantees are stronger in systems that rely 978-1-7281-7383-2/20/$31.00 ©2020 IEEE 1124 DOI 10.1109/MICRO50266.2020.00093 on microarchitectural statistics and are monitored in hardware. With any machine learning based detection solution, there are The detector cannot be disabled by software even if the kernel concerns about the ability of the attackers to evade detection by is compromised, which is important for threat scenarios where modifying their behavior to fool the detector [19]. We believe a compromised kernel may be attempting to compromise a that the nature of microarchitectural attacks, and the fact that secure enclave [14], [15]. Lastly, our hardware-based detector most of them are timing sensitive, substantially limit the ability has a sampling frequency that makes it impossible for an of the attackers to evade detection. Moreover, we believe that attacker to time its attack to the sampling interval. solutions such as RHMD [19] where multiple detectors are used Our proposed approach to detecting microarchitectural and invoked stochastically can substantially mitigate the threat attacks moves the detection of active attacks to hardware from of evasion. Another consideration with hardware detection is software, allowing the predictor to efficiently use and monitor the threat of false positives: our detectors experience a very a large set of microarchitectural features that is not limited to low false positive rate. Moreover, we view them as a first line the commit state and includes speculative instructions. There of defense that simply alerts the operating system to enable the has been prior work on detecting malware in hardware [16], invocation of subsequent mechanisms to isolate a suspicious [17], [18], [19]. process or to monitor it more closely. However those works were (1) not specific to microarchi- This paper makes the following contributions: tectural attacks; and (2) primarily look at features related 1) A novel use of perceptron learning to detect and clas- to committed state such as instruction mixes or memory sify a broad range of microarchitectural attacks. We access distribution. This is important because the signature introduce new replicated perceptron-based algorithms for for microarchitectural attacks is different than the signature of the selection of highly correlated invariant features of malware. We compare PerSpectron to these and other works microarchitectural attacks across, the different pipeline in Section VII-B. stages, most relevant for attack classification. Designing such a system in hardware poses multiple chal- 2) A comprehensive analysis of microarchitectural features lenges. First, we need a way to select a set of features to that indicate footprints of an attack. We show using the pro- use as input to the detector. The features should be strongly posed detection and classification algorithms, that valuable correlated to known microarchitectural attacks. Identifying insights pertaining to the properties of microarchitectural features that correlate well with an active microarchitectural attacks can be gleaned from a systematic analysis of the attack is challenging, as it requires understanding the subtle weights of the features in the perceptron design. interactions between various and plentiful pipeline stages across 3) A hardware design of the proposed detection system and different processor components. It is also important that these a fast classification system with low area and performance features be discriminatory; otherwise, attackers may be able overhead. We provide proof that it is robust to even to evade them. Worse, normal programs may lead to false tweaked variations of considered attacks, including one positives, reducing the effectiveness of the defense. of Flush+Flush, which prior work could not detect in We propose a perceptron-based algorithm that streamlines the hardware. feature selection process. From the 1159 microarchitectural fea- tures available in our hardware simulator, our algorithm selects 106 features that show the strongest correlation to a range II. BACKGROUND AND MOTIVATION of microarchitectural attacks, including SpectreV1, Spectr- The following two subsections explain the attacks considered eRSB, Meltdown, breakingKSLR, Flush+Flush, Flush+Reload, in our work.