http://dx.doi.org/10.13089/JKIISC.2019.29.6.1365

Detecting Meltdown and Spectre Malware through Binary Pattern Analysis  

Kim, Moon-sun (Hannam University)
Lee, Man-hee (Hannam University)
Abstract
Meltdown and Spectre are vulnerabilities that exploit out-of-order execution and speculative execution to read memory regions that are not accessible with user privileges. OS patches were released to prevent these attacks, but older systems without the appropriate patches remain vulnerable. There is some existing research on detecting Meltdown and Spectre attacks, but most of it proposes dynamic analysis methods. This paper therefore proposes a binary signature that can be used to detect Meltdown and Spectre malware without executing it. To this end, we collected 13 malicious codes from GitHub and performed binary pattern analysis. Based on this, we propose a static detection method for Meltdown and Spectre malware. Our results show that the method identified all 19 attack files with a 0.94% false positive rate when applied to 2,317 normal files.
Keywords
Meltdown; Spectre; Binary Pattern Analysis; Malware Detection