Abstract:This work evaluates how well hardware-based approaches detect stack buffer overflow (SBO) attacks in RISC-V systems. We conducted simulations on the PULP platform and examined micro-architecture events using semi-supervised anomaly detection techniques. The findings showed the challenge of detection performance. Thus, a potential solution combines software and hardware-based detectors concurrently, with hardware as the primary defense. The hardware-based approaches present compelling benefits that could enhance RISC-V-based architectures.
What problem does this paper attempt to address?
This paper aims to address the effectiveness of hardware - based methods in detecting Stack Buffer Overflow (SBO) attacks in the RISC - V architecture. Specifically, the paper explores the following points:
1. **Background of SBO Attacks**:
- Stack buffer overflow attacks are a common way of exploiting memory corruption vulnerabilities. By overflowing the buffers allocated in the stack with unvalidated input, they overwrite the function return addresses, thus redirecting the program execution flow to malicious code.
- This attack method is widely used in security threats to modern software systems.
2. **Advantages of Hardware - Event Detection**:
- Previous research has proposed security vulnerability detection methods based on hardware events. These methods use machine - learning algorithms to dynamically analyze the micro - architecture events of the processor.
- Hardware - event detection has the advantages of real - time detection, adaptation to code variants and zero - day attacks, resistance to bypassing protection mechanisms, and reduction of detection costs.
3. **Research Objectives**:
- The paper evaluates the effectiveness of hardware methods in detecting SBO attacks in RISC - V systems.
- In particular, a semi - supervised anomaly detection technique is adopted. This method does not require a security vulnerability data set for training and can detect unknown zero - day attacks.
4. **Experimental Setup**:
- The PULP platform is used for simulation experiments, and the micro - architecture events reflected by Hardware Performance Counters (HPCs) are recorded.
- The experiments include four benchmark applications: AES, RSA, SHA, and Dijkstra's algorithm. Artificially - created buffer overflow vulnerabilities are inserted into these applications to simulate potential memory corruption vulnerabilities.
- Each target application is executed 10,000 times without attacks (to construct the training data set) and 10,000 times with a mixture of non - attack and attack executions (to construct the test data set).
5. **Classification Models and Autoencoders**:
- Four classification models are used: One - class Support Vector Machines (OC - SVM), Local Outlier Factor (LOF), Isolation Forest (IF), and Elliptic Envelope (EE).
- An autoencoder, which is a feed - forward neural network, is also introduced to learn the most significant features in the data and improve the detection effectiveness of traditional machine - learning algorithms.
6. **Experimental Results**:
- The results show that in some cases (such as AES, RSA with fixed primes, SHA, and Dijkstra), when the size of the malicious function is 1% of the number of instructions in the benchmark application, the detection accuracy exceeds 90%.
- The LOF classifier performs particularly well. In the case of using only one HPC, when the size of the malicious function is 1% for some applications (AES, RSA with fixed primes, SHA), the accuracy reaches at least 95%.
- For the complete RSA algorithm, due to the influence of random prime number searches when generating public and private keys, the detection performance is degraded.
7. **Final Considerations**:
- Security vulnerability detection based on hardware events is an open research area with significant advantages, such as real - time detection, adaptation to code variants and zero - day attacks, resistance to attacks, and reduction of detection costs.
- Detection performance is the main challenge of current methods. Therefore, a solution combining software and hardware detectors is proposed, with hardware as the primary defense means.
In summary, this paper attempts to improve the detection ability of stack buffer overflow attacks in the RISC - V architecture through hardware - based detection methods, especially in terms of real - time and adaptability.