Investigating Black-Box Function Recognition Using Hardware Performance Counters. / Shepherd, Carlton; Semal, Benjamin; Markantonakis, Konstantinos.


Research output: Contribution to conference (Paper)



This paper presents new methods and results for learning information about black-box program functions using hardware performance counters (HPC), where an investigator can only invoke and measure function calls. Important use cases include analysing compiled libraries, e.g. static and dynamic link libraries, and trusted execution environment (TEE) applications. We develop a generic machine learning-based approach to classify a comprehensive set of hardware events, e.g. branch mis-predictions and instruction retirements, to recognise standard benchmarking and cryptographic library functions. This includes various signing, verification and hash functions, and ciphers in numerous modes of operation. Three major architectures are evaluated using off-the-shelf Intel/X86-64, ARM, and RISC-V CPUs. Following this, we develop and evaluate two use cases. Firstly, we show that several known CVE-numbered OpenSSL vulnerabilities can be detected using HPC differences between patched and unpatched library versions. Secondly, we demonstrate that standardised cryptographic functions executing in ARM TrustZone TEE applications can be recognised using non-secure world HPC measurements. High accuracy was achieved in all cases (86.22-99.83%) depending on the application, architectural, and compilation assumptions. Lastly, we discuss mitigations, outstanding challenges, and directions for future research.
Original language: English
Publication status: Published - 5 May 2022
This open access research output is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 45835679