Investigating Black-Box Function Recognition Using Hardware Performance Counters
share
This paper presents new methods and results for learning information about black-box program functions using hardware performance counters (HPC), where an investigator can only invoke and measure function calls. Important use cases include analysing compiled libraries, e.g. static and dynamic link libraries, and trusted execution environment (TEE) applications. We develop a generic machine learning-based approach to classify a comprehensive set of hardware events, e.g. branch mis-predictions and instruction retirements, to recognise standard benchmarking and cryptographic library functions. This includes various signing, verification and hash functions, and ciphers in numerous modes of operation. Three major architectures are evaluated using off-the-shelf Intel/X86-64, ARM, and RISC-V CPUs. Following this, we develop and evaluate two use cases. Firstly, we show that several known CVE-numbered OpenSSL vulnerabilities can be detected using HPC differences between patched and unpatched library versions. Secondly, we demonstrate that standardised cryptographic functions executing in ARM TrustZone TEE applications can be recognised using non-secure world HPC measurements. High accuracy was achieved in all cases (86.22-99.83 compilation assumptions. Lastly, we discuss mitigations, outstanding challenges, and directions for future research.
READ FULL TEXT