DynHaMo: Dynamic Hardware-Based Monitoring Dedicated to Attacks Detection

Numerous attacks compromising processor security have been developed over decades, including some targeting the microarchitecture, such as side-channel or transient attacks, or control-flow hijacking attacks. As these attacks target processor microarchitectural features and bypass software-level mitigation techniques, they are considered a serious threat. In order to mitigate these attacks while limiting the impact on performance, various detection methods have been proposed. Indeed, detection techniques offer solutions to limit the execution of costly countermeasures, only after attacks detection, limiting the induced performance overhead. However, detection techniques in the literature suffer from several drawbacks, including non-real-time detection, significant increase in execution time, or make the hypothesis of a trusted Operating System (OS). In this work, we introduce DynHaMo that addresses these issues by detecting attacks targeting the microarchitecture, such as Cache-based Side-Channel Attacks (CSCAs) and Return-Oriented Programming (ROP) attacks, at run-time by taking advantage of dynamic instruction insertion at the hardware level. DynHaMo, is a light-weight hardware micro-decoding unit capable of monitoring microarchitectural events on the fly. For evaluation purposes, DynHaMo has been integrated into a RISC-V core, assessed through multiple benchmarks and attack codes, and implemented on an FPGA platform. We evaluated our solution under high workloads to demonstrate the efficiency of the approach and its robustness to noise. The evaluation results show a detection accuracy of 99.3% on average, with 0.7% false negative and 1.2% false positive on average.