Investigating Black-Box Function Recognition Using Hardware Performance Counters

TL;DR

This paper introduces a method to recognize black-box functions using hardware performance counters across multiple architectures, achieving high accuracy in identifying cryptographic and library functions, including in trusted execution environments.

Contribution

The paper presents a novel, architecture-agnostic approach for classifying hardware events to recognize various functions, including cryptographic and library functions, in black-box scenarios.

Findings

High recognition accuracy (86.22-99.83%) across architectures.

Detection of known OpenSSL vulnerabilities via HPC differences.

Recognition of cryptographic functions in TEE using non-secure measurements.

Abstract

This paper presents new methods and results for recognising black-box program functions using hardware performance counters (HPC), where an investigator can invoke and measure function calls. Important use cases include analysing compiled libraries, e.g. static and dynamic link libraries, and trusted execution environment (TEE) applications. We develop a generic approach to classify a comprehensive set of hardware events, e.g. branch mis-predictions and instruction retirements, to recognise standard benchmarking and cryptographic library functions. This includes various signing, verification and hash functions, and ciphers in numerous modes of operation. Three architectures are evaluated using off-the-shelf Intel/X86-64, ARM, and RISC-V CPUs. Next, we show that several known CVE-numbered OpenSSL vulnerabilities can be detected using HPC differences between patched and unpatched library versions. Further, we demonstrate that standardised cryptographic functions within ARM TrustZone TEE applications can be recognised using non-secure world HPC measurements, applying to platforms that insecurely perturb the performance monitoring unit (PMU) during TEE execution. High accuracy was achieved in all cases (86.22-99.83%) depending on the application, architectural, and compilation assumptions. Lastly, we discuss mitigations, outstanding challenges, and directions for future research.