![Page 1: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/1.jpg)
HexPADS: a platform to detect “stealth” attacks
Mathias Payer (@gannimo), Purdue Universityhttp://hexhive.github.io
![Page 2: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/2.jpg)
(c) AP Photo/RIA Novosti, Alexei Druzhinin, Government Press Service
Deployed defenses focus on memory corruption
![Page 3: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/3.jpg)
(c) National Nuclear Security Administration, 1953
![Page 4: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/4.jpg)
Consider program state and behavior
![Page 5: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/5.jpg)
HexPADSDesign
![Page 6: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/6.jpg)
HexPADS Design● Host-based Intrusion/Attack
Detection System● Measure fine-grained process-level
runtime behavior– Operating system provides basic
runtime characteristics
– Performance Monitoring Unit (PMU) allows counting/sampling of detailed and fine-grained events
● Detect attacks based on signatures/anomalies
● Take evasive action/counter measure
CPU
PMU
OS
PADSPROCPROCPROCATTACK
![Page 7: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/7.jpg)
Default Metrics (always collected)
● Number of executed instructions● Number of last level cache accesses● Number of last level cache misses● Minor/major page faults● Execution time
(c) Intel
![Page 8: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/8.jpg)
Additional Metrics
● Anything in /proc– Opened files, network ports, and IPC
– Loaded libraries
– Memory maps
● Any measurable PMU event– Memory/cache hierarchy events
– Instruction mix and behavior
– Execution profile and branch records
● System calls
![Page 9: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/9.jpg)
Implementation
● Modular implementation● Collect metrics for all processes● Keep configurable history● Run detection modules every iteration
http://github.com/HexHive/HexPads
![Page 11: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/11.jpg)
SPEC CPU2006
0
50
100
150
200
250
300
350
400
450
Idle
PADS
Ru
ntim
e in
se
con
ds
No measurableoverhead
![Page 12: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/12.jpg)
Rowhammer
● Cause DRAM bit flips by accessing adjacent cells– High amount of cache misses: > 500,000/s
– High cache miss rate: > 70%
– Low page fault rate: < 1%
● Possible extension: use sampling– Detect and correlate actual accesses
– Detect “nearby” accesses
![Page 13: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/13.jpg)
Cache-based side/covert channels
● Communicate through access timing– Same pattern as rowhammer
– Additional challenge: which process is bad?
● Possible extension: longer history– Consider development over time
![Page 14: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/14.jpg)
Cross-VM ASL INtrospection (CAIN)*
● CAIN attacks leak ASLR base addresses in co-located VMs – High amount of page faults/allocated pages/cache misses/per instr.
– Followed by inactivity
● Possible extension: study access patterns– Push detection to VMM level
– Check page similarity
– Evaluate page access patterns
CAIN: Silently Breaking ASLR in the Cloud. Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross. In WOOT '15
![Page 15: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/15.jpg)
Upcoming Challenges
● Move collection to VMM to allow per-machine correlation● Extend and develop new detection modules● Synthesize detection modules by applying machine learning
CPU
PMU
OS
PADSPROCPROCPROCATTACK
![Page 16: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/16.jpg)
Conclusion
![Page 17: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/17.jpg)
Conclusion
● HexPADS is a modular IDS/ADS framework● Process-based collection of runtime/performance information● High precision and negligible overhead through PMU● Ongoing work:
– More detection modules
– Machine learning
– Push framework to VMM level
● Go clone the project at https://github.com/HexHive/HexPADS
![Page 18: HexPADS: a platform to detect “stealth” attacks · HexPADS Design Host-based Intrusion/Attack Detection System Measure fine-grained process-level runtime behavior – Operating](https://reader034.vdocument.in/reader034/viewer/2022050605/5fad119ba11cec70a70818a0/html5/thumbnails/18.jpg)
Thank you!Questions?
Mathias Payer (@gannimo), Purdue Universityhttp://hexhive.github.io