| 摘要: |
| 处理器中的未公开指令可被攻击者利用发起处理器指纹识别攻击、侧信道攻击和对外拒绝服务攻击等,从而威胁计算机系统的安全性。现有的未公开指令的研究大多针对的是未公开指令的存在性分析,对未公开指令的行为和安全威胁分析的工作较少,且行为相关分析技术依赖于反汇编器和手动查找指令手册的方法,其分析精度和效率较低。本研究提出了一种基于合法指令引导的未公开指令行为分类方法,通过利用合法指令执行时处理器硬件性能计数器的数据特征训练分类器,构建了一个无标签分类框架FuncCount,实现了合法指令的自动化分类,达到了将合法指令划分为四类的效果(访存指令、分支指令、算术指令和其他指令)。进一步的,我们将FuncCount应用于对未公开指令的行为分析,通过将未公开指令执行时性能计数器的行为特征输入分类器,实现了判定未公开指令的行为类别。根据未公开指令的行为分类结果,我们提出了一种基于未公开指令行为特点的侧信道分析方法,通过性能计数器数据和寄存器状态变化探索未公开指令对系统资源的访问模式,从而达到分析未公开指令对计算机系统的安全威胁的效果。实验结果表明,FuncCount对合法指令的识别准确率达到了90.3%,验证了性能计数器在无标签指令分类任务中的有效性。对未公开指令的分析结果表明,0F0Dxx未公开指令在内存访问时能引发异常预取行为,属于访存指令类型,而且其侧信道行为与标准的PREFETCH指令相似。更为重要的是,0F0Dxx指令的行为可用于构造侧信道攻击,并绕过现代系统中的地址空间布局随机化(KASLR)机制,进而泄露内核地址信息。为应对此类威胁,我们设计了一种低开销的检测机制,该机制基于性能计数器异常检测。当检测到超过设定阈值的异常数据转换后备缓存(DTLB)命中时,系统会激活内核强隔离机制,有效防止基于PREFETCH的侧信道攻击。实验结果表明,在没有攻击的正常工作情况下,该检测机制几乎不会对系统性能产生影响,在高负载情况下也能成功防御。 |
| 关键词: 未公开指令 指令行为分析 硬件性能计数器 |
| DOI: |
| 投稿时间:2024-11-28修订日期:2025-03-03 |
| 基金项目:中国科学院抢占科技制高点专项任务(GJ020204) |
|
| Instruction Functionality and Security Threat Analysis Using Hardware Performance Counters |
|
liu qin, wangguang, zhuziyuan
|
| (Institute of Information Engineering,Chinese Academy of Sciences) |
| Abstract: |
| Undocumented instructions in processors can be exploited by attackers to launch processor fingerprinting attacks, side-channel attacks, and denial-of-service attacks, thereby threatening the security of computer systems. Existing research on undocumented instructions primarily focuses on analyzing their existence, with limited work dedicated to behavioral and security threat analysis. Current behavioral analysis techniques rely on disassemblers and manual checks against instruction manuals, resulting in low accuracy and efficiency.This study proposes a legitimate instruction-guided behavioral classification method for undocumented instructions. By leveraging data features from hardware performance counters HPCs during the execution of legitimate instructions, we train a classifier to construct a label-free classification framework FuncCount. This framework achieves automated classification of legitimate instructions into four categories: memory access, branch, arithmetic, and other instructions.Further, we apply FuncCount to analyze undocumented instructions. By inputting HPC behavioral features from undocumented instruction execution into the classifier, we determine their behavioral categories. Based on this classification, we propose a side-channel analysis methodology tailored to the behavioral characteristics of undocumented instructions. This method explores undocumented instructions’ access patterns to system resources through HPC data and register state changes, enabling systematic evaluation of their security threats.Experimental results demonstrate that FuncCount achieves 90.3% accuracy in classifying legitimate instructions, validating the effectiveness of HPCs in label-free instruction classification. Analysis of undocumented instructions reveals that the 0F0Dxx instruction triggers abnormal prefetch behaviors during memory access, classified as a memory access instruction, and exhibits side-channel behavior similar to standard PREFETCH instructions. Crucially, 0F0Dxx can be exploited to construct side-channel attacks that bypass modern Address Space Layout Randomization KASLR mechanisms, leaking kernel address information. To mitigate such threats, we design a low-overhead detection mechanism based on HPC anomaly detection. When abnormal Data Translation Lookaside Buffer DTLB hit rates exceed predefined thresholds, the system activates a kernel-enforced isolation mechanism to block PREFETCH-based side-channel attacks. Experimental results confirm that this mechanism introduces negligible performance overhead ≤1.5 under normal conditions and successfully defends against attacks even under high workloads. |
| Key words: Hidden instructions Instruction behavior analysis Hardware performance counter |
