These are Not Your Grand Daddy's CPU Performance Counters - CPU Hardware Performance Counters for Security

Presented at Black Hat USA 2015, Aug. 5, 2015, 1:50 p.m. (50 minutes).

CPU hardware performance counters allow us to do low latency performance measuring, without special runtime or compile time software instrumentation. It is said "advanced users often rely on those counters to conduct low-level performance analysis or tuning" according to Wikipedia. But is this all we can do? Maybe it is all that they were meant for, faster debugging and profiling. But these days, the performance counters you find in your CPUs are not exactly your grand daddy's CPU performance counters! They can do bigger and better things - even defending against RowHammer! Yes, they can be used to to make platforms more secure!

Okay, so on Intel x86/x64 compatible CPUs, the MSR_DEBUGCTLA MSR (Model Specific Register) can be used for LBR (Last Branch Recording). BTF CPU flag can facilitate "single stepping" on branching rather than just single stepping on every instruction. Clearly many uses. Some of it security related, like the potential for ROP mitigation. These are reasonably well explored. Perhaps not widely discussed though.

Anyway, in this talk, we will be talking about very interesting features that we find today on Intel x86/x64 compatible CPUs that can be leveraged to achieve platform security relevant outcomes that were simply impractical using software only means, or your grandaddy's CPU performance counters. Some of the use cases might surprise you! We will be demonstrating these techniques against real world exploit code, with performance impact numbers to boot!

We might even share our code with those who ask us nicely.


Presenters:

  • Nishad Herath - Qualys, Inc.
    Nishad Herath has been intimately involved with reverse engineering and information security for the better part of the last two decades. He has made many and often pioneering contributions to various sectors in the information security space, covering both offensive and defensive aspects.Nishad is a strong advocate of freedom to reverse engineer, which he considers to be a basic human right. He also advocates his clients to consider risk management as the most important aspect of a digital defense strategy and to explore CNA capabilities as an increasingly vital part of any national security agenda.Beyond his professional obsessions, all personal time his wonderfully supportive family spares him, he dedicates to reverse engineering wetware in the context of traditional martial arts, meditation techniques and healing practices.
  • Anders Fogh - Protect Software GmbH
    Anders Fogh is a co-founder and the vice president of engineering at Protect Software GmbH. He has led numerous low level engineering efforts in the past 10 years. Prior to that he worked at VOB GmbH and Pinnacle System where he was responsible for major developments in video and CD/DVD recording software. Since 1993 he has been an avid malware hobbyist and has reverse engineering experience with operating systems from DOS to present day OSs as well as devices ranging from DVD players to USB sticks. He holds a Masters degree in economics.

Links:

Similar Presentations: