Abstract: A system for detecting malware includes a processor to collect processor trace information corresponding to an application being executed by the processor (202). The processor can also detect an invalid indirect branch instruction from the processor trace information (204) and detect at least one malware instruction being executed by the application in response to analyzing modified memory values corresponding to the invalid indirect branch (206). Additionally, the processor can block the application from accessing or modifying memory (208).

Abstract: Embodiments described herein provide for a computing device comprising a hardware processor including a processor trace module to generate trace data indicative of an order of instructions executed by the processor, wherein the processor trace module is configurable to selectively output a processor trace packet associated with execution of a selected non-deterministic control flow transfer instruction.

Abstract: Technologies for control flow validation a computing device having a processor with real-time instruction tracing support. The processor generates trace data indicative of control flow of a protected application. The computing device identifies an indirect branch target based on the trace data and determines whether the indirect branch target is included in the same module as a previous indirect branch target. If the indirect branch target and the previous indirect branch target are not included in the same module, the computing device determines whether an inter-module transfer policy is satisfied. If satisfied, the indirect branch target is stored as the previous indirect branch target and the protected application continues to execute. If the policy is not satisfied, the computing device generates an exception. The policy may be satisfied, for example, if the indirect branch target is an exported function. Other embodiments are described and claimed.

Abstract: One embodiment provides an accelerator circuitry. The accelerator circuitry includes accelerator processor circuitry; accelerator memory circuitry; processor trace (PT) decoder circuitry and control flow integrity (CFI) checker circuitry. The PT decoder circuitry is to at least one of receive and/or retrieve PT data from a host device. The PT decoder circuitry is further to extract a target instruction pointer (TIP) packet from the PT data and to decode the TIP packet to yield a runtime target address. The CFI checker circuitry is to determine, at runtime, whether a control flow transfer of an indirect branch instruction to the runtime target address corresponds to a control flow violation based, at least in part, on control flow (CF) information (info) stored to an accelerator CF info store.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for anomalous memory access pattern detection for translational lookaside buffers. An example apparatus includes a communication interface to retrieve a first eviction data set from a translational lookaside buffer associated with a central processing unit; a machine learning engine to: generate an anomaly detection model based upon at least one of a second eviction data set not including an anomaly and a third eviction data set including the anomaly; and determine whether the anomaly is present in the first eviction data set based on the anomaly detection model; and an alert generator to at least one of modify a bit value or terminate memory access operations when the anomaly is determined to be present.

Abstract: Methods, systems, articles of manufacture and apparatus to detect process hijacking are disclosed herein. An example apparatus to detect control flow anomalies includes a parsing engine to compare a target instruction pointer (TIP) address to a dynamic link library (DLL) module list, and in response to detecting a match of the TIP address to a DLL in the DLL module list, set a first portion of a normalized TIP address to a value equal to an identifier of the DLL. The example apparatus disclosed herein also includes a DLL entry point analyzer to set a second portion of the normalized TIP address based on a comparison between the TIP address and an entry point of the DLL, and a model compliance engine to generate a flow validity decision based on a comparison between (a) the first and second portion of the normalized TIP address and (b) a control flow integrity model.

Abstract: Methods, apparatus, systems and articles of manufacture for detecting a side channel attack are disclosed. An example apparatus includes a histogram generator to generate a histogram representing cache access activities. A histogram analyzer is to determine at least one statistic based on the histogram. A machine learning model processor is to apply a machine learning model to the at least one statistic to attempt to identify a side channel attack. A multiple hypothesis tester to perform multiple hypothesis testing to determine a probability of the cache access activities being benign. An anomaly detection orchestrator is to, in response to the machine learning model processor identifying that the at least one statistic is indicative of the side channel attack and the probability not satisfying a similarity threshold, cause the performance of a responsive action to mitigate the side channel attack.

Abstract: Methods, apparatus, systems and articles of manufacture for detecting a side channel attack using hardware performance counters are disclosed. An example apparatus includes a hardware performance counter data organizer to collect a first value of a hardware performance counter at a first time and a second value of the hardware performance counter at a second time. A machine learning model processor is to apply a machine learning model to predict a third value corresponding to the second time. An error vector generator is to generate an error vector representing a difference between the second value and the third value. An error vector analyzer is to determine a probability of the error vector indicating an anomaly. An anomaly detection orchestrator is to, in response to the probability satisfying a threshold, cause the performance of a responsive action to mitigate the side channel anomaly.

Abstract: The present disclosure is directed to systems and methods of detecting a side-channel attack using hardware counter anomaly detection circuitry to select a subset of HPCs demonstrating anomalous behavior in response to a side-channel attack. The hardware counter anomaly detection circuitry includes data collection circuitry to collect data from a plurality of HPCs, time/frequency domain transform circuitry to transform the collected data to the frequency domain, one-class support vector anomaly detection circuitry to detect anomalous or aberrant behavior by the HPCs. The hardware counter anomaly detection circuitry selects the HPCs having reliable and consistent anomalous activity or behavior in response to a side-channel attack and groups those HPCs into a side-channel attack detection HPC sub-set that may be communicated to one or more external devices.

Abstract: Technologies for control flow validation a computing device having a processor with real-time instruction tracing support. The processor generates trace data indicative of control flow of a protected application. The computing device identifies an indirect branch target based on the trace data and determines whether the indirect branch target is included in the same module as a previous indirect branch target. If the indirect branch target and the previous indirect branch target are not included in the same module, the computing device determines whether an inter-module transfer policy is satisfied. If satisfied, the indirect branch target is stored as the previous indirect branch target and the protected application continues to execute. If the policy is not satisfied, the computing device generates an exception. The policy may be satisfied, for example, if the indirect branch target is an exported function. Other embodiments are described and claimed.

Abstract: One embodiment provides an apparatus. The apparatus includes collector circuitry to capture processor trace (PT) data from a PT driver. The PT data includes a first target instruction pointer (TIP) packet including a first runtime target address of an indirect branch instruction of an executing target application. The apparatus further includes decoder circuitry to extract the first TIP packet from the PT data and to decode the first TIP packet to yield the first runtime target address. The apparatus further includes control flow validator circuitry to determine whether a control flow transfer to the first runtime target address corresponds to a control flow violation based, at least in part, on a control flow graph (CFG). The CFG including a plurality of nodes, each node including a start address of a first basic block, an end address of the first basic block and a next possible address of a second basic block or a not found tag.

Abstract: Technologies disclosed herein provide for converting a first data of a first control flow packet to a first pixel, where the first data indicates one or more branches taken during a known execution of an application, generating an array of pixels using the first pixel and one or more other pixels associated with one or more other control flow packets generated from the known execution, transforming the array of pixels into a series of images, and using a machine learning algorithm with inputs to train a behavior model to identify a malicious behavior in an unknown execution of the application. The inputs include one or more images of the series of images and respective image labels assigned to the one or more images. More specific embodiments include extracting the first control flow packet from an execution trace representing at least part of the known execution.

Abstract: Described herein are techniques for dealing with the problem of security vulnerabilities in computer software due to undefined behavior that may be exploited by attackers. A machine learning (ML) model is used for detecting an exploit execution within a given trace of application execution. In a specific embodiment, the ML model identifies whether there is any gadget or gadget-chain execution at branch points of a subject program.

Abstract: One embodiment provides an accelerator circuitry. The accelerator circuitry includes accelerator processor circuitry; accelerator memory circuitry; processor trace (PT) decoder circuitry and control flow integrity (CFI) checker circuitry. The PT decoder circuitry is to at least one of receive and/or retrieve PT data from a host device. The PT decoder circuitry is further to extract a target instruction pointer (TIP) packet from the PT data and to decode the TIP packet to yield a runtime target address. The CFI checker circuitry is to determine, at runtime, whether a control flow transfer of an indirect branch instruction to the runtime target address corresponds to a control flow violation based, at least in part, on control flow (CF) information (info) stored to an accelerator CF info store.

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.

Abstract: One embodiment provides an apparatus. The apparatus includes collector circuitry to capture processor trace (PT) data from a PT driver. The PT data includes a first target instruction pointer (TIP) packet including a first runtime target address of an indirect branch instruction of an executing target application. The apparatus further includes decoder circuitry to extract the first TIP packet from the PT data and to decode the first TIP packet to yield the first runtime target address. The apparatus further includes control flow validator circuitry to determine whether a control flow transfer to the first runtime target address corresponds to a control flow violation based, at least in part, on a control flow graph (CFG). The CFG including a plurality of nodes, each node including a start address of a first basic block, an end address of the first basic block and a next possible address of a second basic block or a not found tag.

Abstract: In one embodiment, a processor comprises: a first storage including a plurality of entries to store an address of a portion of a memory in which information has been modified; a second storage to store an identifier of a process for which information is to be stored into the first storage; and a first logic to identify a modification to a first portion of the memory and store a first address of the first portion of the memory in a first entry of the first storage, responsive to a determination that a current identifier of a current process corresponds to the identifier stored in the second storage. Other embodiments are described and claimed.