- The paper presents a hardware-based mechanism that leverages micro-architecture events to detect stack buffer overflow attacks in RISC-V systems.
- It employs semi-supervised anomaly detection with classifiers like LOF, achieving over 95% accuracy with minimal malicious function size.
- The study’s PULP platform simulations demonstrate that integrating hardware defenses can reduce runtime overhead and mitigate zero-day vulnerabilities.
Hardware-based Stack Buffer Overflow Attack Detection on RISC-V Architectures
This paper presents an evaluation of hardware-based mechanisms to detect stack buffer overflow (SBO) attacks on RISC-V systems. The research focuses on leveraging micro-architecture events and employing semi-supervised anomaly detection techniques to improve security in these systems. The authors conducted extensive simulations using the Parallel Ultra Low Power (PULP) platform, examining the efficacy of this approach.
Introduction and Background
Cybersecurity remains a critical global issue, with threats like memory-corruption vulnerabilities posing significant risks to software systems. SBO attacks, where unvalidated input overflows a buffer in the memory stack, are a particularly dangerous form of such vulnerabilities. This attack often results in the execution flow being redirected to malicious code. Traditional methods for detecting such breaches often rely on software-based techniques, but this work investigates the feasibility of hardware-based detection, with an emphasis on semi-supervised learning algorithms.
Methodology
The methodology consists of simulating target applications on the PULP platform using the GVSoC simulator and injecting SBO attacks. The micro-architecture events, or hardware performance counters (HPCs), are recorded at the end of application executions. The target applications encompass benchmarks such as Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA) encryption, Secure Hash Algorithm (SHA), and Dijkstra's algorithm, all of which were artificially endowed with buffer overflow vulnerabilities. Through these simulations, a dataset was created, and feature selection techniques were applied to ensure relevance and efficacy.
The paper explores four classification algorithms—One-class Support Vector Machines (OC-SVM), Local Outlier Factor (LOF), Isolation Forest (IF), and Elliptic Envelope (EE). Additionally, an autoencoder neural network was used to determine if these methods could enhance traditional ML algorithms' detection capabilities.
Experimental Results
The results indicate that hardware-based detection of SBO attacks is viable. The paper details the performance of various classification algorithms relative to the size of the malicious function inserted during an attack. Notably, without using the autoencoder, the LOF classifier demonstrated superior performance, achieving over 95% accuracy with only a 1% malicious function size and a single HPC recorded. The RSA algorithm, due to its inherent variability during key generation, presented more challenges but still achieved high detection accuracies under certain conditions.
Implications and Future Directions
This work provides valuable insights into hardware-based detection's potential within RISC-V architectures. The primary benefit of this approach lies in its runtime detection capabilities, adaptability to different code variants and zero-day vulnerabilities, and a reduced performance overhead on the host system. The findings support the notion that integrating hardware and software-based detectors could significantly improve security, with hardware defenses serving as a primary line of defense.
Future research could focus on refining these models further and exploring additional HPCs to enhance detection accuracy across more complex and diverse application scenarios. The results suggest a promising avenue for developing more robust and efficient cybersecurity mechanisms in RISC-V systems and potentially other architectures.
In conclusion, this paper provides a substantive contribution to the field of hardware-based security, demonstrating the practical and theoretical underpinnings necessary for advancing this technology. The application of ML techniques in this context not only highlights the flexibility and robustness of such approaches but also sets the stage for future developments in AI-driven cybersecurity solutions.