![Page 1: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/1.jpg)
Processor Intrusion Detection
Mark Zwolinski
June 2018
@MarkZwolinski
![Page 2: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/2.jpg)
Outline
• Background
• Anomalous behaviour
• Security monitoring
• Responses
• Summary
![Page 3: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/3.jpg)
How is hardware different to software?
• Hardware exists in the real world
– Physical access allows side-channel attacks
• Implementation is not the same as design
– Timing
– Energy
• Every device is unique
– Variability
![Page 4: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/4.jpg)
On-Chip Intrusion Detection
• Hypothesis: Embedded systems do predictable things
• Therefore anomalous behaviour occurs because something bad has happened
– Reliability problem
• One-off (radiation) or gradual (ageing)
– Security problem
• Sudden, sustained
• Resulting actions may be very different
![Page 5: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/5.jpg)
Normal Behaviour
• Processors have built-in Hardware Performance Counters for code optimisation – can we reuse them?
• Different programs look different – Committed Instructions:
![Page 6: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/6.jpg)
Normal Behaviour
• Different programs look different – Committed Instructions. Also varies with data:
![Page 7: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/7.jpg)
Anomaly Detection
• Security anomaly may cause different types of unusual behaviour
– Program Counter has unusual pattern
– Cache Miss rate suddenly increases
– Temperature suddenly rises
• Can we model this easily?
– Instruction set simulator (Gem5)
– 0.15s takes 900s and generates 7.5GB data
• US$20k Microsoft Azure award
![Page 8: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/8.jpg)
Anomalous Behaviour
• Insert single bit-flips into different registers. Different effects:
![Page 9: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/9.jpg)
Anomalous Behaviour
• Four main types of behaviour:
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Fetch Decode Execute Load/Store
% o
f F
ault
s M
an
ife
sted
as
Err
or
Various Stages of the Pipeline
Failures Distribution on QSort Benchmark
Crash
Hang
FailSilenceViola on
NotManifested
![Page 10: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/10.jpg)
Anomaly Monitoring
• On-chip learning
– Self-monitoring (which is part of normal pattern)
– Auxiliary processor (Quis custodiet ipsos custodes?)
– Buddy processors
• Distributed Intelligence
• Scalability?
![Page 11: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/11.jpg)
Detection: Moving Average Cache Misses
True Positives (TP) 6
False Positives (FP) 5
False Negatives (FN) 39
True Negatives (TN) 171
Accuracy 0.80
![Page 12: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/12.jpg)
Detection: Autoencoder Cache Misses
True Positives (TP) 4
False Positives (FP) 0
False Negatives (FN) 7
True Negatives (TN) 176
Accuracy 0.96
![Page 13: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/13.jpg)
Detection time
• Random bit flips inserted – hang/crash/silent/not seen
• How long to detection? Minimum detection time shown in green.
• Note: Simulator is not sampling every clock cycle. Benchmarks are loops
![Page 14: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/14.jpg)
Software Attack
• Normal behaviour on left.
• Code injection attack on right.
• (NB Sampling resolution gives slight differences.)
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
1 51 101 151 201 251 301 351 401 451 501 551 601 651
CPU Cache Overall Miss Rate
![Page 15: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/15.jpg)
Responses
• Single event reliability problems can be mitigated by replay
• Long-term reliability problems require monitoring and preventative maintenance
• Security problems require something different
– fail-safe or fail-secure?
![Page 16: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/16.jpg)
Summary
• On-chip monitoring for reliability
• Similar monitoring for security?
• Learn normal vs abnormal behaviour
• Fail-safe or fail-secure?
![Page 17: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/17.jpg)
Is there any alternative?
"We believe that our results motivate a different type of defense; a defense where trusted circuits monitor the execution of untrusted circuits, looking for out-of-specification behavior in the digital domain."
K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, “A2: Analog Malicious Hardware”, Proceedings of the IEEE Symposium on Security and Privacy, May 2016.
![Page 18: Processor Intrusion Detection - testandverification.com · Processor Intrusion Detection Mark Zwolinski June 2018 mz@ecs.soton.ac.uk ... •Anomalous behaviour •Security monitoring](https://reader033.vdocuments.us/reader033/viewer/2022060307/5f09d7b77e708231d428c164/html5/thumbnails/18.jpg)
Thanks
• Thanks to Elena Woo and Miao Yu, who did most of the simulations.