Classifying Co-Resident Computer Programs Using Information Revealed by Resource Contention
Document Type
Article
Publication Date
6-2023
Abstract
Modern computer architectures are complex, containing numerous components that can unintentionally reveal system operating properties. Defensive security professionals seek to minimize this kind of exposure while adversaries can leverage the data to attain an advantage. This paper presents a novel covert interrogator program technique using light-weight sensor programs to target integer, floating point, and memory units within a computer’s architecture to collect data which can be used to match a running program to a known set of programs with up to 100% accuracy under simultaneous multithreading conditions. This technique is applicable to a broad spectrum of architectural components, does not rely on specific vulnerabilities, nor requires elevated privileges. Furthermore, this research demonstrates the technique in a system with operating system containers intended to provide isolation guarantees which limit a user’s ability to observe the activity of other users. In essence, this research exploits observable noise that is present whenever a program executes on a modern computer. This paper presents interrogator program design considerations, a machine learning approach to identify models with high classification accuracy, and measures the effectiveness of the approach under a variety of program execution scenarios.
DOI
Source Publication
Digital Threats: Research and Practice
Recommended Citation
Langehaug, T., Borghetti, B., & Graham, S. (2023). Classifying Co-resident Computer Programs Using Information Revealed by Resource Contention. Digital Threats: Research and Practice, 4(2), 1–29. https://doi.org/10.1145/3464306
Comments
The "Link to Full Text" on this page loads the PDF of the open access article (the published version of record), as hosted at the ACM Digital Library website.
This paper is authored by employees of the United States Government and is in the public domain. Non-exclusive copying or redistribution is allowed, provided that the article citation is given and the authors and agency are clearly identified as its source.
An accepted manuscript version was posted here before the article was formally published in an issue. The article was published online February 7, 2022.