Unsupervised Anomaly-based Malware Detection using Hardware Features

Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including potentially novel ones. We use unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and use these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation. We show that real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can be detected with nearly perfect certainty. We also examine the limits and challenges in implementing this approach in face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors and can be used together to improve security.Comment: 1 page, Latex; added description for feature selection in Section 4, results unchange

Energy Secure Architecture: A Wish List

Energy optimizations are being aggressively pursued today. Can these optimizations open up security vulnerabilities? In this invited talk at the Energy Secure System Architectures Workshop (run by Pradip Bose from IBM Watson research center) I discussed security implications of energy optimizations, capabilities of attackers, ease of exploitation, and payoff to the attacker. I first presented a mini tutorial on security for computer architects, and a personal research wish list for this emerging topic

Applied constant gain amplification in circulating loop experiments

The reconfiguration of channel or wavelength routes in optically transparent mesh networks can lead to deviations in channel power that may impact transmission performance. A new experimental approach, applied constant gain, is used to maintain constant gain in a circulating loop enabling the study of gain error effects on long-haul transmission under reconfigured channel loading. Using this technique we examine a number of channel configurations and system tuning operations for both full-span dispersion-compensated and optimized dispersion-managed systems. For each system design, large power divergence was observed with a maximum of 15 dB at 2240 km, when switching was implemented without additional system tuning. For a bit error rate of 10-3, the maximum number of loop circulations was reduced by up to 33%

Scalable hardware memory disambiguation

This dissertation deals with one of the long-standing problems in Computer Architecture – the problem of memory disambiguation. Microprocessors typically reorder memory instructions during execution to improve concurrency. Such microprocessors use hardware memory structures for memory disambiguation, known as LoadStore Queues (LSQs), to ensure that memory instruction dependences are satisfied even when the memory instructions execute out-of-order. A typical LSQ implementation (circa 2006) holds all in-flight memory instructions in a physically centralized LSQ and performs a fully associative search on all buffered instructions to ensure that memory dependences are satisfied. These LSQ implementations do not scale because they use large, fully associative structures, which are known to be slow and power hungry. The increasing trend towards distributed microarchitectures further exacerbates these problems. As on-chip wire delays increase and high-performance processors become necessarily distributed, centralized structures such as the LSQ can limit scalability. This dissertation describes techniques to create scalable LSQs in both centralized and distributed microarchitectures. The problems and solutions described in this thesis are motivated and validated by real system designs. The dissertation starts with a description of the partitioned primary memory system of the TRIPS processor, of which the LSQ is an important component, and then through a series of optimizations describes how the power, area, and centralization problems of the LSQ can be solved with minor performance losses (if at all) even for large number of in flight memory instructions. The four solutions described in this dissertation — partitioning, filtering, late binding and efficient overflow management — enable power-, area-efficient, distributed and scalable LSQs, which in turn enable aggressive large-window processors capable of simultaneously executing thousands of instructions. To mitigate the power problem, we replaced the power-hungry, fully associative search with a power-efficient hash table lookup using a simple address-based Bloom filter. Bloom filters are probabilistic data structures used for testing set membership and can be used to quickly check if an instruction with the same data address is likely to be found in the LSQ without performing the associative search. Bloom filters typically eliminate more than 80% of the associative searches and they are highly effective because in most programs, it is uncommon for loads and stores to have the same data address and be in execution simultaneously. To rectify the area problem, we observe the fact that only a small fraction of all memory instructions are dependent, that only such dependent instructions need to be buffered in the LSQ, and that these instructions need to be in the LSQ only for certain parts of the pipelined execution. We propose two mechanisms to exploit these observations. The first mechanism, area filtering, is a hardware mechanism that couples Bloom filters and dependence predictors to dynamically identify and buffer only those instructions which are likely to be dependent. The second mechanism, late binding, reduces the occupancy and hence size of the LSQ. Both of these optimizations allows the number of LSQ slots to be reduced by up to one-half compared to a traditional organization without any performance degradation. Finally, we describe a new decentralized LSQ design for handling LSQ structural hazards in distributed microarchitectures. Decentralization of LSQs, and to a large extent distributed microarchitectures with memory speculation, has proved to be impractical because of the high performance penalties associated with the mechanisms for dealing with hazards. To solve this problem, we applied classic flow-control techniques from interconnection networks for handling resource con- flicts. The first method, memory-side buffering, buffers the overflowing instructions in a separate buffer near the LSQs. The second scheme, execution-side NACKing, sends the overflowing instruction back to the issue window from which it is later re-issued. The third scheme, network buffering, uses the buffers in the interconnection network between the execution units and memory to hold instructions when the LSQ is full, and uses virtual channel flow control to avoid deadlocks. The network buffering scheme is the most robust of all the overflow schemes and shows less than 1% performance degradation due to overflows for a subset of SPEC CPU 2000 and EEMBC benchmarks on a cycle-accurate simulator that closely models the TRIPS processor. The techniques proposed in this dissertation are independent, architectureneutral and their cumulative benefits result in LSQs that can be partitioned at a fine granularity and have low design complexity. Each of these partitions selectively buffers only memory instructions with true dependences and can be closely coupled with the execution units thus minimizing power, area, and latency. Such LSQ designs with near-ideal characteristics are well suited for microarchitectures with thousands of instructions in-flight and may enable even more aggressive microarchitectures in the future.Computer Science

Dynamic circulating-loop methods for transmission experiments in optically transparent networks

Recent experiments incorporating multiple fast switching elements and automated system configuration in a circulating loop apparatus have enabled the study of aspects of long-haul WDM transmission unique to optically transparent networks. Techniques include per-span switching to measure the performance limits due to dispersion compensation granularity and mesh network walk-off, and applied constant-gain amplification to evaluate wavelength reconfiguration penalties

The Gestalt: A Secure, High Performance, Low Cost Satellite Ground Station Architecture and its Implementation

In this paper we present The Gestalt, a novel security methodology developed with support from the Office of Naval Research for satellite ground stations systems. While security is often a stated priority for these systems, often it is traded off for better performance, lower cost and reduced design complexity. We identified two main classes of security vulnerabilities that can be exploited by attackers in small-sat systems: 1) intentionally introduced supply chain vulnerabilities in both software and hardware, and 2) inadvertent coding and logic vulnerabilities in code. Our engineering methodology reduces the risk of attacks through four methods: 1. Debloating: Ground stations are complex and involve the integration of many hardware and software systems. This complexity makes them vulnerable to a range of software, and hardware based attacks. Our method of implementing what was previously software functionality in hardware through system debloating achieves this attack surface reduction. 2. Hardware synthesis from Specifications: The use of legacy-free high-level synthesis (HLS) for the specification of processing functions reduces implementation errors, increases productivity, and permits hardware validation using commercial software fuzz testing techniques. 3. Use of hardware scanning techniques: We use a novel method for performing security scans of hardware blocks generated by High-level Synthesis. This step reduces the risk of backdoors inserted by specification developers, attackers modifying the code without knowledge of developers or high-level synthesis tools going undetected. 4. Static memory allocation: A majority of software attacks today are due to memory safety problems in software: Microsoft revealed that 70% of the exploited software vulnerabilities are related to the absence of memory safety. When we use software in the The Gestalt, we take a radical approach to solving the pervasive memory safety problem by completely eliminating the use of dynamic memory. Instead, data processing takes place in hardware using static memory allocation. The result of these approaches is the Exos FEP, a tightly-integrated ground station system that operates in a bit-serial manner. Compared to conventional designs, the Exos FEP achieves high performance by implementing all data processing functions in hardware. Our solution is able to achieve data rates up to 125 Mbps per FPGA in a commodity, commercially cloud-based environment. Perhaps, the most important benefit is a 1000-fold reduction in lines of code compared to state-of-the-art FEP implementation, and achieves Zero Trust supply chain guarantees. With the increased adoption of smallsats, the security problems normally only associated with large military control centers are now spreading to smaller organizations which may not have the necessary security infrastructure to fully understand or cope with the threats. The possibility of using a security-forward approach such as The Gestalt methodology and the resulting ground system architecture and implementation are a promising approach for protecting the smallsat ecosystem

Hybrid Continuous-Discrete Computer: from ISA to Microarchitecture

In this project, we design an instruction set architecture for a proposed hybrid continuous-discrete computer (HCDC) chip. The ISA harnesses the microarchitectural features and analog circuitry provided in the hardware. We describe the workloads that are suitable for the HCDC architecture. The underlying microarchitecture for the HCDC chip, including its controllers, datapaths, and interfaces to analog and digital functional units are specified in detail

Self-monitoring Monitors

Many different monitoring systems have been created to identify system state conditions to detect or prevent a myriad of deliberate attacks, or arbitrary faults inherent in any complex system. Monitoring systems are also vulnerable to attack. A stealthy attacker can simply turn off or disable these monitoring systems without being detected; he would thus be able to perpetrate the very attacks that these systems were designed to stop. For example, many examples of virus attacks against antivirus scanners have appeared in the wild. In this paper, we present a novel technique to "monitor the monitors" in such a way that (a) unauthorized shutdowns of critical monitors are detected with high probability, (b) authorized shutdowns raise no alarm, and (c) the proper shutdown sequence for authorized shutdowns cannot be inferred from reading memory. The techniques proposed to prevent unauthorized shut down (turning off) of monitoring systems was inspired by the duality of safety technology devised to prevent unauthorized discharge (turning on) of nuclear weapons

COMPASS: A Community-driven Parallelization Advisor for Sequential Software

The widespread adoption of multicores has renewed the emphasis on the use of parallelism to improve performance. The present and growing diversity in hardware architectures and software environments, however, continues to pose difficulties in the effective use of parallelism thus delaying a quick and smooth transition to the concurrency era. In this paper, we describe the research being conducted at Columbia University on a system called COMPASS that aims to simplify this transition by providing advice to programmers while they reengineer their code for parallelism. The advice proffered to the programmer is based on the wisdom collected from programmers who have already parallelized some similar code. The utility of COMPASS rests, not only on its ability to collect the wisdom unintrusively but also on its ability to automatically seek, find and synthesize this wisdom into advice that is tailored to the task at hand, i.e., the code the user is considering parallelizing and the environment in which the optimized program is planned to execute. COMPASS provides a platform and an extensible framework for sharing human expertise about code parallelization — widely, and on diverse hardware and software. By leveraging the "wisdom of crowds" model, which has been conjectured to scale exponentially and which has successfully worked for wikis, COMPASS aims to enable rapid propagation of knowledge about code parallelization in the context of the actual parallelization reengineering, and thus continue to extend the benefits of Moore's law scaling to science and society