Uncommon Sense: Detecting Exploits with Novel Hardware Performance Counters and ML Magic

Conference:  BlackHat USA 2020



The presentation discusses the use of undocumented performance counters to detect Spectre and Rob exploits in cybersecurity.
  • Undocumented performance counters were used to detect Spectre and Rob exploits.
  • The presentation discusses the data collection process and the models used to analyze the data.
  • The main metrics used to evaluate the models were precision, recall, F1 score, area under the curve, and confusion matrix.
  • Support vector machine, random forest, extreme gradient boosting, and histogram-based query and boosting were the models that worked well for detecting exploits.
The presentation revealed that the same undocumented counters used to detect Spectre exploits also worked for detecting Rob exploits, which was surprising and unexpected. The team spent hours trying to figure out if there was an error in their data, but ultimately found that the counters were effective for both types of exploits.


In recent years, exploits like speculative execution, Rowhammer, and Return Oriented Programming (ROP) were detected using hardware performance counters (HPCs). But to date, only relatively simple and well-understood counters have been used, representing just a tiny fraction of the information we can glean from the system. What's worse, using only well-known counters as detectors for these attacks has a huge disadvantage - an attacker can easily bypass known counter-based detection techniques with minimal changes to existing sample exploit code. If we want a viable future for exploit detection, we need to move beyond just scratching the surface of the HPC iceberg. Uncovering the treasure trove of overlooked and undocumented counters is necessary if we are to both build defenses against these attacks and anticipate how an adversary could bypass our defenses.We'll begin our journey in walking through our ML-based solution to more effective exploit detection. Using the entire corpus of performance counters for commonly used baseline programs and behaviorally-similar malicious programs, we zero in on the counters we want to use as features for our supervised classifiers. We will then interpret our model to determine how they can effectively detect various exploits using novel performance counters.Finally, we'll showcase the uncommon and previously ignored performance counters that were lurking in the dark, with so much useful information. The results seen here will emphasize the need for documenting these counters, which were highly significant in our models for attack detection.