Proposal for the Use of Hardware Performance Counters for Malware Detection
Abstract
Malware is malicious software that damages the systems it runs on, causing losses to the users and organizations under attack. In this context, this paper proposes a testing method to measure to what extent hardware and operating-system non-determinism, together with the imprecision of the events recorded by Hardware Performance Counters (HPCs), can undermine accurate malware detection.
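The kind of measurement the abstract proposes, running the same workload repeatedly and checking how much the counter values move between runs, can be illustrated with the script below. It is an added example, not code from the paper: it assumes counters were collected on Linux with `perf stat -x,`, the three sample runs are constructed values rather than measurements, the 1,000,000-instruction expected count, the 5% CV threshold and the 3-sigma noise band are illustrative choices, and the event names follow the `perf` `:u` (user-mode) suffix convention.

```python
"""Run-to-run stability of hardware performance counters.

Added example (not from the paper). Parses repeated `perf stat -x,` CSV
outputs of the same workload, reports per-event mean, standard deviation
and coefficient of variation (CV), flags events too noisy to serve as
detector features, and checks whether an observed count from a suspect
process falls outside the benign noise band.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample: three `perf stat -x,` runs of one deterministic
# workload (a loop assumed to retire exactly 1,000,000 user-mode
# instructions).  `perf stat -x,` field layout: value,unit,event,run-time,percent,...
SAMPLE_RUNS = [
    "1000012,,instructions:u,2100000,100.00,,\n"
    "2400221,,cycles:u,2100000,100.00,,\n"
    "31020,,cache-misses:u,2100000,100.00,,\n"
    "120,,page-faults:u,2100000,100.00,,\n",
    "1000009,,instructions:u,2150000,100.00,,\n"
    "2510043,,cycles:u,2150000,100.00,,\n"
    "52811,,cache-misses:u,2150000,100.00,,\n"
    "118,,page-faults:u,2150000,100.00,,\n",
    "1000015,,instructions:u,2080000,100.00,,\n"
    "2390877,,cycles:u,2080000,100.00,,\n"
    "29876,,cache-misses:u,2080000,100.00,,\n"
    "121,,page-faults:u,2080000,100.00,,\n"
    "<not supported>,,branch-misses:u,0,100.00,,\n",
]
EXPECTED_INSTRUCTIONS = 1_000_000  # assumed ground truth for the loop


def parse_perf_csv(text):
    """Map event name -> count for one `perf stat -x,` run.

    Lines whose value is `<not supported>` or `<not counted>` are skipped,
    so an event missing from a run is reported as missing, not as zero.
    """
    counts = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 3 or not fields[0] or fields[0].startswith("<"):
            continue
        counts[fields[2]] = int(fields[0])
    return counts


def event_values(runs, event):
    """Counts of one event across all runs in which it was counted."""
    return [c[event] for c in map(parse_perf_csv, runs) if event in c]


def summarize(runs, cv_threshold=0.05):
    """Per-event noise statistics; `stable` means CV <= cv_threshold.

    The 5% threshold is an illustrative value; a real study would derive
    it from the feature precision the detector needs.
    """
    per_event = defaultdict(list)
    for counts in map(parse_perf_csv, runs):
        for event, value in counts.items():
            per_event[event].append(value)
    summary = {}
    for event, values in per_event.items():
        mean = statistics.fmean(values)
        sd = statistics.pstdev(values) if len(values) > 1 else 0.0
        cv = sd / mean if mean else math.inf
        summary[event] = {"n": len(values), "mean": mean, "sd": sd,
                          "cv": cv, "stable": cv <= cv_threshold}
    return summary


def overcount(runs, event, expected):
    """Per-run excess over the expected deterministic count.

    On a deterministic workload any excess is measurement imprecision,
    e.g. interrupts or page faults handled while the process was counted.
    """
    return [v - expected for v in event_values(runs, event)]


def noise_band(summary, event, k=3.0):
    """Benign band mean +/- k*sd for an event; k=3 is an assumed choice."""
    stats = summary[event]
    return stats["mean"] - k * stats["sd"], stats["mean"] + k * stats["sd"]


def deviates_from_noise(summary, event, observed, k=3.0):
    """True if an observed count cannot be explained by benign noise.

    A detector threshold placed inside the band fires on benign variation
    (false positives) or misses malware whose footprint is smaller than
    the band (false negatives).
    """
    lo, hi = noise_band(summary, event, k)
    return not lo <= observed <= hi


if __name__ == "__main__":
    summary = summarize(SAMPLE_RUNS)
    for event, s in sorted(summary.items()):
        print(f"{event:18s} n={s['n']} mean={s['mean']:.1f} "
              f"sd={s['sd']:.1f} cv={s['cv']:.4f} "
              f"{'stable' if s['stable'] else 'NOISY'}")
    print("instruction overcount per run:",
          overcount(SAMPLE_RUNS, "instructions:u", EXPECTED_INSTRUCTIONS))
    print("cache-misses=60000 distinguishable from benign noise?",
          deviates_from_noise(summary, "cache-misses:u", 60000))
```

With the constructed data, `instructions:u` and `page-faults:u` come out stable while `cache-misses:u` does not, and a suspect process showing 60,000 cache misses sits inside the benign band, so a detector keyed on that event could not tell it from noise; the same procedure applied to real runs (`perf stat -x, -e <events> ./workload`, repeated) is what the proposed method would need to quantify per event and per machine.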
Published: 10/05/2023
How to Cite
DAL PONTTE, Bruno; DOMINICO, Simone; ALVES, Marco A. Z. Proposta para o uso de Contadores de Performance em Hardware para detecção de Malware. In: ESCOLA REGIONAL DE ALTO DESEMPENHO DA REGIÃO SUL (ERAD-RS), 23., 2023, Porto Alegre/RS. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 77-80. ISSN 2595-4164. DOI: https://doi.org/10.5753/eradrs.2023.229678.