MARTINI: Memory Access Traces to Detect Attacks

Yujun Qin, Samuel Gonzalez, Kevin Angstadt, Xiaowei Wang, Stephanie Forrest, Reetuparna Das, Kevin Leach, Westley Weimer

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Hardware architectural vulnerabilities, such as Spectre and Meltdown, are difficult or inefficient to mitigate in software. Although revised hardware designs may address some architectural vulnerabilities going forward, most current remedies increase execution time significantly. Techniques are needed to rapidly and efficiently detect these and other emerging threats. We present an anomaly detector, MARTINI, that analyzes traces of memory accesses in real time to detect attacks. Our experimental evaluation shows that anomalies in these traces are strongly correlated with unauthorized program execution, including architectural side-channel attacks of multiple types. MARTINI consists of a finite automaton that models normal program behavior in terms of memory addresses that are read from, and written to, at runtime. The model uses a compact representation of n-grams, i.e., short sequences of memory accesses, which can be stored and processed efficiently. Once the system is trained on authorized behavior, it rapidly detects a variety of low-level anomalous behaviors and attacks not otherwise easily discernible at the software level. MARTINI's implementation leverages recent advances in in-cache and in-memory automata for computation, and we present a hardware unit that repurposes a small portion of a last-level cache slice to monitor memory addresses. Our detector directly inspects the addresses of memory accesses, using the pre-constructed automaton to identify anomalies with high accuracy, negligible runtime overhead, and trivial increase in CPU chip area. We present analyses of expected hardware properties based on indicative cache and memory hierarchy simulations and empirical evaluations.

Original language: English (US)
Title of host publication: CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
Publisher: Association for Computing Machinery, Inc
Pages: 77-90
Number of pages: 14
ISBN (Electronic): 9781450380843
State: Published - Nov 9 2020
Event: 11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020 - Virtual, Online, United States
Duration: Nov 9 2020 → …

Publication series

Name: CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

Conference

Conference: 11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020
Country: United States
City: Virtual, Online
Period: 11/9/20 → …

Keywords

  • automata processing
  • intrusion detection
  • side-channel attacks

ASJC Scopus subject areas

  • Computer Networks and Communications
