CPU performance signatures for security attacks detection
Document typeBachelor thesis
Rights accessOpen Access
A new approach for detecting security attacks on real-time embedded applications by using performance signatures is introduced in the thesis. Assuming that the behavior of real-time embedded applications is quite stable i.e suffers from little variability, using performance signatures, or in other words key performance metric estimations of the applications, arises as a good option to detect the potential malfunctioning of the system caused by the presence of malware or by the simple existence of bugs escaping the verification process. In our approach we also take into account that slight modifications in the memory layout can lead to high deviations in the performance of the applications for CPUs using standard cache designs implementing modulo placement and LRU replacement. This performance variability may jeopardize the utilization of performance signatures on top of these processors. Therefore, we will also analyze the suitability of performance signatures in the context of time-randomized processors since these processors have been shown to provide higher performance stability.The underlying assumption of this work is that significant performance deviations from well-behaved systems can be used to trigger alerts about the presence of security attacks. In order to be able to study the behavior of the CPU performance in different cases, we will use a SPARC simulator resembling the NGMP (Next Generation Microprocessor) processor, a source-to-source compiler called TASA to mimic the variability due to modification in the cache layout. We also use the EEBMC Autobench benchmarks as representative workloads of the automotive industry. From these benchmarks we have generated randomized variants with TASA to simulate the cache layout variability. We have observed that most of the cases performance signatures suffices to detect the presence of malware since intrinsic cache variability is reduced.