CN117951434A - Reverse engineering method for hiding counter of processor and utilization method thereof - Google Patents
Reverse engineering method for hiding counter of processor and utilization method thereof Download PDFInfo
- Publication number
- CN117951434A CN117951434A CN202410205376.XA CN202410205376A CN117951434A CN 117951434 A CN117951434 A CN 117951434A CN 202410205376 A CN202410205376 A CN 202410205376A CN 117951434 A CN117951434 A CN 117951434A
- Authority
- CN
- China
- Prior art keywords
- counter
- reverse engineering
- engineering method
- processor
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 94
- 238000012407 engineering method Methods 0.000 title claims abstract description 44
- 230000006870 function Effects 0.000 claims abstract description 80
- 230000008569 process Effects 0.000 claims abstract description 61
- 230000007246 mechanism Effects 0.000 claims abstract description 24
- 238000005070 sampling Methods 0.000 claims abstract description 19
- 230000007704 transition Effects 0.000 claims abstract description 16
- 238000012549 training Methods 0.000 claims abstract description 10
- 230000008520 organization Effects 0.000 claims abstract description 5
- 238000012216 screening Methods 0.000 claims abstract description 5
- 238000013145 classification model Methods 0.000 claims description 8
- 238000012544 monitoring process Methods 0.000 claims description 7
- 230000006399 behavior Effects 0.000 claims description 5
- 238000002474 experimental method Methods 0.000 claims description 5
- 230000008859 change Effects 0.000 claims description 4
- 229910002056 binary alloy Inorganic materials 0.000 claims description 2
- 230000001960 triggered effect Effects 0.000 claims 3
- 239000000523 sample Substances 0.000 claims 2
- 238000001514 detection method Methods 0.000 claims 1
- 238000001914 filtration Methods 0.000 claims 1
- 230000001360 synchronised effect Effects 0.000 claims 1
- 238000013461 design Methods 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 230000004075 alteration Effects 0.000 description 2
- 230000001934 delay Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Abstract
The invention discloses a reverse engineering method for hiding a counter in a processor high-performance mechanism implementation mode and a process fingerprint attack method based on the hiding counter. The counter-oriented reverse engineering method comprises a counter state and state transition reverse engineering method, a table item selection mode reverse engineering method, a counter function reverse engineering method, a table item organization reverse engineering method and a counter sharing reverse engineering method; the process fingerprint attack method based on the hidden counter utilizes the fact that different processes have differences on the use condition of the hidden counter, and comprises four steps of process counter use feature sampling, sampling result analysis and screening, sample feature classification training and actual attack. By applying the invention, the hidden counter in the high-performance mechanism implementation mode of the processor can be subjected to detailed reverse engineering. By applying the invention, the process fingerprint attack can be developed based on the hidden counter by utilizing the reverse engineering result, and the non-privileged attacker in the operating system is allowed to acquire the process information of the victim in the system running in the current system and the program using habit of the victim in the system.
Description
Technical Field
The invention relates to the field of computers, in particular to a reverse engineering method for hiding a counter in a processor high-performance mechanism implementation mode in a computer system structure and a process fingerprint attack method based on the hiding counter.
Background
With the rapid development of computer science, the performance of processors has become a key to improving computing efficiency. To address the physical limitations and design challenges to processor performance, various processor prediction techniques have emerged. The aim of these techniques is to reduce the delay that a processor encounters in executing a program by predicting future operations, thereby improving its execution efficiency. The processor prediction technology mainly comprises branch prediction, memory disambiguation prediction and the like. Branch prediction aims at predicting the path that a conditional branch (e.g., if-else statement) in a program will execute, while memory disambiguation prediction aims at predicting potential data dependencies between instructions to overcome the delay caused by an uncertainty in the memory access order.
These prediction techniques improve performance by optimizing the pipelined execution process of the processor. Pipelining is an important technique in modern processors that allows multiple instructions to be processed simultaneously, thereby improving the throughput of the processor. By using branch prediction, a processor may load and execute instructions on a predicted branch path ahead of time without having fully determined the branch outcome. If the prediction is accurate, this will significantly reduce the time to wait for the branch to resolve, thereby improving the efficiency of the pipeline. Similarly, memory disambiguation prediction allows the processor to more efficiently manage memory accesses and cache utilization by predicting data dependencies and access patterns, reducing delays caused by data loading, and further improving the execution speed of the processor and pipeline performance.
The implementation of branch prediction and memory disambiguation prediction depends on the design of the hardware mechanism. Branch prediction typically employs prediction tables based on historical information, such as direct branch prediction, indirect branch prediction. Memory disambiguation prediction relies on identifying data dependency patterns and memory access sequences in the program, using previous data dependency histories to pre-infer potential data conflicts. By predicting and optimizing instruction execution paths and data accesses on a hardware level, the techniques greatly improve the execution efficiency of a processor and the running speed of a program.
Processor reverse engineering refers to that the processor behavior is observed by inputting instructions through a manual or automatic method, and the implementation details of hardware design, architecture and the like in the processor are known. Since the design details of the mainstream processor are not disclosed at present, reverse engineering becomes a key step and method for researching the architecture of the processor.
Disclosure of Invention
The invention aims to design a reverse engineering method aiming at a hidden counter in a high-performance mechanism implementation mode of a processor, and develop an attack method based on a process fingerprint attack of the hidden counter by utilizing the result. The counter is hidden in the implementation mode of the high-performance mechanism of the processor by applying a reverse engineering method, so that the existence and various implementation details of the counter in the high-performance mechanism of the processor can be known. By applying the process fingerprint attack method, a non-privileged attacker in an operating system can be allowed to know the use condition and the use habit of a victim on a program.
In order to achieve the above object, the present invention provides the following technical solutions:
S1, designing an objective function according to a target high-performance mechanism, wherein the objective function is capable of triggering related events. The validity of the objective function and the presence of the counter are determined by repeatedly executing and respectively timing the objective function.
S2, constructing a test case by utilizing an objective function, observing the processor behavior, identifying all states of the counter, and summarizing a state transition mode of the counter, namely a state machine.
And S3, summarizing all possible variables in the objective function, ensuring that other variables are unchanged each time, and modifying one variable in the objective function, such as a function instruction address, a function parameter and the like. And respectively executing objective functions before and after modification, observing state transition behaviors of the objective functions, and trying to trigger hash collision among the objective functions with different variables. And collecting a plurality of variable values triggering hash collision, searching rules, and determining an item selection mechanism and a hash function in the item selection mechanism.
S4, using a processor performance monitoring unit to monitor execution of the objective function under different counter states. Screening out monitoring events with differences, and analyzing the counting function of the counter.
S5, constructing a plurality of objective functions indexed to different table entries according to a table entry selection mechanism, controlling the number of the objective functions from small to large, calling the first objective function again after calling all the objective functions each time, and observing the state change of the counter corresponding to the first objective function. The number of objective functions is gradually increased to observe when an eviction phenomenon starts to occur. The number of objective functions is then reduced by one to be the total number of entries.
S6, respectively declaring an objective function with the same hash value and indexed to the same table item in the two processes. The system call is used for binding the system call and the target function to the different physical cores, the semaphore is used for controlling the synchronization among the processes, and the call objective function is used for observing whether one process can influence the state transition of the other process. If one process can affect the state transition of another process, the counter can be considered shared among different physical cores. Using similar experiments to bind two processes to different logical cores of the same physical core, the sharing of counters among different logical cores to the same physical core can be appreciated. Binding two processes to the same core using similar experimentation can see if counter state would be preserved in context switch.
Further, when the control variable in step S3 is the function instruction address, a continuous heap memory may be applied, and the binary system of the objective function may be written into different locations of the memory and given executable authority.
On the other hand, the invention provides a process fingerprint attack method based on a hidden counter, which is used for utilizing the counter implementation details obtained through all the above items. The purpose is to obtain the type and habit of the victim's running program.
Further, the process fingerprint attack method comprises the following steps:
s1, for each victim process, sampling the use conditions of the counters at different index positions for a plurality of times until the use conditions of the counters at all index positions are acquired.
S2, screening the sampling results of the index positions, and removing the index positions with the same sampling results in different processes.
S3, selecting the table items which are not more than the total number of the table items, and training the classification model by taking the table items as a training set.
S4, sampling the victim progress, and classifying the sampling result by applying a trained model to obtain a classification result.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments will be briefly described below. It is apparent that the drawings in the following description are only some embodiments described in the present application, and that other drawings may be obtained from these drawings by those of ordinary skill in the art.
Fig. 1 is an overview of the reverse engineering method provided by the present invention for hiding counters in processor high-performance mechanism implementations.
FIG. 2 is an objective function used in an embodiment of the present invention, written in AT & T style assembly language.
FIG. 3 shows experimental results of timing the execution of an objective function in counter state and state transition mode reverse engineering in accordance with an embodiment of the present invention.
FIG. 4 is an overview of the reverse engineering results of the form selection in an embodiment of the present invention.
Fig. 5 is an overview of counter function reverse engineering results in an embodiment of the present invention.
FIG. 6 is an overview of counter entry count reverse engineering results in an embodiment of the present invention.
Fig. 7 is a general flow overview of a process fingerprint attack provided by the present invention.
Detailed Description
In order to better understand the technical solution, the technical solution in the embodiment of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiment of the present application. It will be apparent that the described examples are only some embodiments, but not all embodiments, of the present application. Based on the embodiments of the present application, all other embodiments obtained by the person skilled in the art based on the present application are included in the scope of protection of the present application.
The invention provides a reverse engineering method for a counter in a processor prediction mechanism, which is shown on the left side of fig. 1. The method is used for carrying out experiments on different characteristics of the counter, so that the aim of knowing the internal implementation details of the counter is fulfilled. Wherein:
The reverse engineering method for hiding the counter in the processor high-performance mechanism implementation mode comprises a counter state and state transition mode reverse engineering method, a table item selection mode reverse engineering method, a counter function reverse engineering method, a table item organization mode and table item number reverse engineering method and a counter sharing reverse engineering method.
Embodiments of the present invention are described below in connection with an AMD processor.
The counter state and state transition mode reverse engineering method is applied to ensure that the parameters of the objective function shown in fig. 2 are unchanged, and the objective function is continuously executed and respectively timed. The results are shown in fig. 3, and the results show that the processor changes the execution strategy after the objective function is executed 7 times, so that the execution time is shortened. This demonstrates that there is a 3bit saturation counter.
The method of reverse engineering in form of selecting list item is applied to control each variable of objective function and to find out objective function capable of mutually influencing state transition. In controlling the change of the instruction address of the objective function, the same objective functions of the lower 12 bits of the instruction address can mutually influence the state transition of each other. A single nop instruction is inserted at different locations of the objective function to affect the instruction address. The result shows that only the low 12 bits of the instruction address of the load instruction participate in entry selection, as shown in FIG. 4.
The counter function reverse engineering method is applied, and the execution of the objective function under different counter states is monitored by using a processor performance monitoring unit. Monitoring events with differences were screened out, the results are shown in fig. 5. This indicates that the counter is related to the prediction of RAW data correlation by the processor.
And defining a plurality of objective functions respectively indexing different counters by applying a table entry organization mode and a table entry number reverse engineering method. These objective functions are performed in turn to train the different counters. The number of objective functions is gradually increased, with the result that an eviction phenomenon occurs when the number reaches 9, and the result is shown in fig. 6. This indicates that the number of entries should be 8. Modifying the order in which the objective functions are performed may prove that the entry replacement policy is first in first out.
By applying the counter sharing reverse engineering method, two processes with the same index objective function are respectively bound to different physical cores and try to mutually influence state transition, and the result shows that the counter is not shared among different physical cores. The modification experiment binds the process to different logic cores of the same physical core, and the result shows that the counter is not shared among different logic cores of the same physical core. Modification experiments bind processes to the same core for context switching, and the result indicates that the counter state is preserved during the context switching.
The invention also provides a process fingerprint attack method based on the hidden counter. The method allows a non-privileged attacker in the operating system to acquire the program usage and usage habits of the victim. Wherein:
The process fingerprint attack method comprises four steps, as shown in fig. 7.
The following describes specific embodiments of the present invention with reference to the results of the above-described specific embodiments.
And combining the implementation results of the implementation, applying a process fingerprint attack method to sample the counter states of the victim process at all index positions, wherein the method is that an attacker actively binds the counter state to the same core as the victim, and then actively gives up the cpu through usleep () to schedule the process.
And screening by combining the counter state sampling result of the embodiment, and reserving table entries with differences among different processes, wherein hash index values of the selected table entries are respectively.
And combining the filtered sampling results of the embodiment, and training the SVM classification model by taking the sampling results as a training set.
And (3) combining the obtained SVM classification model, and inputting a sampling result into the model to recover the type of the victim process.
Various modifications and alterations of this invention may be made by those skilled in the art without departing from the spirit and scope of this invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (12)
1. The reverse engineering method for hiding the counter in the high-performance mechanism implementation mode of the processor is characterized in that the existence and a plurality of implementation details of the hidden counter in the high-performance mechanism implementation mode of the processor can be known by utilizing the reverse engineering method. The reverse engineering method comprises the following steps:
Counter state and state transition reverse engineering method, list item selection reverse engineering method, counter function reverse engineering method, list item organization method and list item number reverse engineering method, and counter sharing reverse engineering method.
2. The reverse engineering method for hiding a counter in an implementation manner of a high performance mechanism of a processor according to claim 1, wherein the counter state and state transition manner reverse engineering method is characterized in that the state machine can be obtained by repeatedly executing and respectively timing the execution of functions possibly related to the target high performance mechanism, observing the execution time change, summarizing the change rule, and knowing the existence of the counter, the state number and the state transition manner in the implementation manner of the target high performance mechanism of the processor.
3. The reverse engineering method for hiding a counter in a high performance mechanism implementation manner of a processor according to claim 1, wherein the counter entry selection manner is reverse engineering method, and a hash collision is detected between different functions related to a target high performance mechanism by controlling a variable manner so as to know the entry selection manner. The implementation process is specifically as follows: first, the differences between functions include differences in instruction addresses and differences in function parameters. For different function parameters, the parameter values of the reference function can be simply kept unchanged, the parameter values of other functions are continuously updated, and the Hash collision is attempted to be triggered among the functions. For different instruction addresses, a mode of scrolling the array can be adopted, the instruction address of the reference function is kept unchanged, the binary system of the update function is copied into the array, the executable authority is given to the update function, and the hash collision is attempted to be triggered. The function instruction address is changed each time the starting position of the function in the array is changed. The specific collision detection method is designed with reference to the state transition mode of the counter, and is not developed here. After a large number of instruction addresses or parameter values which collide are collected, rules can be summarized, and a hash index function is obtained.
4. The reverse engineering method for hiding counters in a high performance mechanism implementation manner of a processor according to claim 1, wherein the counter function reverse engineering method is used for knowing the counting function of the counter by analyzing the execution difference of the objective function in different counter states. The objective function refers to a specific function capable of triggering state transition of the counter, and is characterized in that an event is triggered stably inside, and the event is a recording event of the counter. The counter function reverse engineering method comprises the following specific implementation processes: first, the counter is trained to different states according to counter state machine reverse engineering results. And then using a processor performance monitoring unit (Performance Monitoring Uint, PMU) to respectively read readings of different performance monitoring events before and after the execution of the objective function, screening out the events with stable difference of the readings under different counter states, combining the behavior of the objective function, and obtaining the influence of the counter on the function of the processor through brief analysis.
5. The reverse engineering method for hiding counters in a high-performance mechanism implementation manner of a processor according to claim 1, wherein the table entry organization manner and the table entry number reverse engineering method are used for filling the counter table entries in a table entry expelling manner and observing the behaviors of the table entries in the process. The implementation process is specifically as follows: having knowledge of the way the counters are selected, we can simply define a number of objective functions that are respectively indexed to the different counters. These objective functions are performed in turn to train the different counters. The total number of the table entries can be known by observing when the first trained counter generates the table entry eviction by gradually increasing the number of the objective functions, and the number of the table entries is always reduced by one by the number of the objective functions when the table entry is always evicted. In addition, by changing the order in which the objective functions are trained, the replacement strategy of the entries can also be known. Common table entry replacement strategies are least recently Used (LEAST RECENTLY Used), first-in first-Out (FIRSTIN FIRST Out), and the like. If no eviction is observed, it should be considered that the entries are not fully associative, but rather that each entry may be selected only by a portion of the hash index. At this point, the total number of items should not be large, limited by the processor area.
6. The reverse engineering method for hiding a counter in a high-performance mechanism implementation manner of a processor according to claim 1, wherein the counter sharing reverse engineering method is characterized in that two processes accessing the same table entry are respectively bound to two designated cores through a system call provided by Linux, and the shareability of the two processes can be known by synchronizing the two processes by using a semaphore. We consider a processor scenario that supports multi-core and synchronous multithreading. Binding the two processes to different physical cores respectively, and switching to another process after training the counter by one process through the semaphore to try to observe the trained condition of the counter under the same index. If a trained situation can be observed that attempts to observe a counter under the same index, this counter is illustrated as being shared among different physical cores. Modifying system call parameters, binding the process to two logic cores of the same physical core or the same logic core respectively, and using a similar method, also knowing whether the state of the counter is reserved when sharing or context switching is performed on the two logic cores of the same physical core.
7. The reverse engineering method of claim 1, wherein the counter is a 3-bit saturation counter for 8 states, and each execution of the objective function increases the counter count by one until saturation is reached. The counter is periodically reset to an initial zero state. And the processor selects an item according to the hash index selected by using the lower 12 bits of the instruction address of the load instruction in the objective function. The counter prediction function is related to RAW data dependency. The counter initially adopts one prediction strategy and after saturation is reached, another prediction strategy is used instead. The total number of the table entries is 8, and the replacement strategy is first-in first-out by adopting a fully-associative mode. The counter is not shared between different physical cores or different logical cores of the same physical core, i.e. different cores have 8 independent entries. The counter state is not refreshed during a context switch and can therefore be shared among processes that were scheduled to the same core before and after.
8. The reverse engineering experiment result according to claim 7, wherein the hidden-counter-based process fingerprint attack method designed on the AMD processor is characterized in that the hidden-counter-based process fingerprint attack method designed on the AMD processor comprises a counter sampling stage, a sampling result manual analysis stage, a classification model training stage and an actual attack stage; by applying the process fingerprint attack method, the use condition and the use habit of the victim user on the program in the operating system can be obtained.
9. The hidden counter based process fingerprint attack method of claim 8, wherein in the counter sampling stage, since an attacker cannot acquire counter information of all index values by performing sampling at one time, it is necessary to modify the probe index value for a plurality of times until the counter information of all index values is acquired. The implementation method is that an attacker process binds the attacker process to the same core as a victim process through system call, calls usleep () to actively give up the cpu to perform context switching, and calls an objective function to sample every time the cpu is obtained. If there are multiple victim processes, this process needs to be repeated.
10. The hidden counter based process fingerprint attack method of claim 8, wherein in the stage of manual analysis of sampling results, filtering of sampling results obtained for different victim processes is required, and table entries of index positions with the same counter usage among different victims are removed. Then, entries are manually selected having a number not greater than the total number of entries, the criteria for selection being that there is at least one victim process for which the usage pattern is different from the other victim processes. It should be noted that the number of tags classified cannot be greater than the total number of entries.
11. A hidden counter based process fingerprint attack method according to claim 8 and wherein during the classification model training phase, a suitable classification model, such as SVM, is applied. And inputting the screened sampling result as a training set, and training the classification model.
12. The hidden counter-based process fingerprint attack method of claim 8, wherein in an actual attack stage, only the filtered entries are sampled, and a result of the single sampling is transmitted as an input to a trained classification model, so that a single attack of the process fingerprint attack can be completed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410205376.XA CN117951434A (en) | 2024-02-23 | 2024-02-23 | Reverse engineering method for hiding counter of processor and utilization method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410205376.XA CN117951434A (en) | 2024-02-23 | 2024-02-23 | Reverse engineering method for hiding counter of processor and utilization method thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117951434A true CN117951434A (en) | 2024-04-30 |
Family
ID=90792334
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410205376.XA Pending CN117951434A (en) | 2024-02-23 | 2024-02-23 | Reverse engineering method for hiding counter of processor and utilization method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117951434A (en) |
-
2024
- 2024-02-23 CN CN202410205376.XA patent/CN117951434A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Thesing | Safe and precise WCET determination by abstract interpretation of pipeline models | |
| Lupon et al. | A dynamically adaptable hardware transactional memory | |
| TWI525541B (en) | Method and system for outputting reliably predictable instruction sequences and microprocessor for implementing a method of identifying instructions | |
| US7516306B2 (en) | Computer program instruction architecture, system and process using partial ordering for adaptive response to memory latencies | |
| US8595744B2 (en) | Anticipatory helper thread based code execution | |
| US8898434B2 (en) | Optimizing system throughput by automatically altering thread co-execution based on operating system directives | |
| CN104583957B (en) | With the speculative instructions sequence without the rearrangement for disambiguating out of order load store queue | |
| TWI564718B (en) | Multi-mode set associative cache memory dynamically configurable to selectively allocate into all or a subset of its ways depending on the mode | |
| JPH11272519A (en) | Method and device for monitoring computer system for introducing optimization | |
| US9201806B2 (en) | Anticipatorily loading a page of memory | |
| GB2520731A (en) | Soft-partitioning of a register file cache | |
| Rughetti et al. | Automatic tuning of the parallelism degree in hardware transactional memory | |
| Bera et al. | Hermes: Accelerating long-latency load requests via perceptron-based off-chip load prediction | |
| WO2014205334A1 (en) | System and methods for processor-based memory scheduling | |
| US20160092182A1 (en) | Methods and systems for optimizing execution of a program in a parallel processing environment | |
| Guan | Techniques for building timing-predictable embedded systems | |
| US7779230B2 (en) | Data flow execution of methods in sequential programs | |
| CN117951434A (en) | Reverse engineering method for hiding counter of processor and utilization method thereof | |
| Baier et al. | Locks: Picking key methods for a scalable quantitative analysis | |
| Zhao et al. | SEL-TM: Selective eager-lazy management for improved concurrency in transactional memory | |
| US10372453B2 (en) | Fetching instructions in an instruction fetch unit | |
| CN103514107B (en) | High-performance data caching system and method | |
| Choi et al. | Conflict avoidance scheduling using grouping list for transactional memory | |
| Subramanian | Architectural techniques to unlock ordered and nested speculative parallelism. | |
| Ainsworth | Prefetching for complex memory access patterns |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination |