CR-Spectre: Defense-Aware ROP Injected Code-Reuse Based Dynamic Spectre
Abhijitt Dhavlle1,a, Setareh Rafatirad2,c, Houman Homayoun2,d and Sai Manoj Pudukotai Dinakarrao1,b
1George Mason University, Fairfax, VA, USA
aadhavlleg@gmu.edu
bspudukotg@gmu.edu
2University of California Davis, Davis, CA, USA
csrafatirad@ucdavis.edu
dhhomayoun@ucdavis.edu
ABSTRACT
Side-channel attacks have been a constant threat to computing systems. In recent times, vulnerabilities in the architecture were discovered and exploited to mount and execute a state-of-the-art attack such as Spectre. The Spectre attack exploits a vulnerability in the Intel-based processors to leak confidential data through the covert channel. There exist some defenses to mitigate the Spectre attack. Among multiple defenses, hardware-assisted attack/intrusion detection (HID) systems have received overwhelming response due to its low overhead and efficient attack detection. The HID systems deploy machine learning (ML) classifiers to perform anomaly detection to determine whether the system is under attack. For this purpose, a performance monitoring tool profiles the applications to record hardware performance counters (HPC), utilized for anomaly detection. Previous HID systems assume that the Spectre is executed as a standalone application. In contrast, we propose an attack that dynamically generates variations in the injected code to evade detection. The attack is injected into a benign application. In this manner, the attack conceals itself as a benign application and generates perturbations to avoid detection. For the attack injection, we exploit a return-oriented programming (ROP)-based code-injection technique that reuses the code, called gadgets, present in the exploited victim’s (host) memory to execute the attack, which, in our case, is the CRSpectre attack to steal sensitive data from a target victim (target) application. Our work focuses on proposing a dynamic attack that can evade HID detection by injecting perturbations, and its dynamically generated variations thereof, under the cloak of a benign application. We evaluate the proposed attack on the MiBench suite as the host. From our experiments, the HID performance degrades from 90% to 16%, indicating our Spectre- CR attack avoids detection successfully.
