Abstract
AntiViruses (AVs) are essential to face the myriad of malware threatening Internet users. AVs operate in two modes: on-demand scans and real-time verification. Software-based real-time AVs intercept system and function calls to run the AV's inspection routines, which causes significant performance penalties because the monitoring code executes on the same CPU as, and interleaved with, the suspicious code. Meanwhile, dark silicon constraints (not all transistors on a chip can be powered at once) push the industry to add specialized accelerators inside the processor. In this article, we propose Terminator, an AV-specific coprocessor that assists software AVs by offloading their matching procedures to hardware, thus saving CPU cycles and mitigating the performance degradation. We designed Terminator to be flexible and compatible with existing AVs by using
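The abstract describes the split that Terminator targets: a hook in the monitored path that stays in software, and a matching procedure that dominates the cost and is moved to hardware. The following Python model is an added example, not code from the paper or from Terminator itself. It assumes the matching procedure is a multi-pattern byte-signature scan implemented as an Aho-Corasick automaton (the page does not say which algorithm Terminator implements; this is the textbook choice for AV signature scanning), and the signatures and buffers are constructed for illustration.

```python
"""Software model of the split the abstract describes: a host-side hook that
intercepts a monitored call and a separate matcher that performs the costly
multi-pattern signature scan.  Added example; not code from the paper."""
from collections import deque


class SignatureMatcher:
    """Aho-Corasick automaton over byte signatures.

    One pass over the buffer finds every loaded signature regardless of how
    many there are, which is why this class of matcher is a natural candidate
    for offloading.  (Assumption: the page does not say which algorithm
    Terminator implements; this is the textbook choice for AV scanning.)
    """

    def __init__(self, signatures):
        # signatures: {name: bytes}
        self.goto = [{}]     # per-state transition table: byte -> next state
        self.fail = [0]      # per-state failure link
        self.out = [[]]      # per-state list of (name, length) ending here
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._build_failure_links()

    def _add(self, name, pattern):
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append((name, len(pattern)))

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # a signature that is a suffix of the path to s also ends here
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return [(signature_name, start_offset), ...] in the order found."""
        hits = []
        state = 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name, length in self.out[state]:
                hits.append((name, i - length + 1))
        return hits


class InspectionHook:
    """Host-side interception point (the part that stays in software).  The
    monitored call is paused, the buffer is handed to the matcher, and the
    verdict decides whether the call proceeds."""

    def __init__(self, matcher):
        self.matcher = matcher
        self.log = []

    def on_write(self, path, data):
        hits = self.matcher.scan(data)
        verdict = "block" if hits else "allow"
        self.log.append((path, verdict, sorted({name for name, _ in hits})))
        return verdict


# Constructed signatures and buffers (not real malware indicators).
SIGNATURES = {
    "sig_a": b"\xde\xad\xbe\xef",
    "sig_b": b"evil_payload",
    "sig_c": b"\xad\xbe",          # a suffix of sig_a: exercises failure links
}
CLEAN_BUFFER = b"hello world, nothing here"
MALICIOUS_BUFFER = b"prefix\xde\xad\xbe\xefsuffix evil_payload"

if __name__ == "__main__":
    hook = InspectionHook(SignatureMatcher(SIGNATURES))
    for path, buf in (("a.bin", MALICIOUS_BUFFER), ("b.txt", CLEAN_BUFFER)):
        print(path, hook.on_write(path, buf))
    print(hook.log)
```

In the software-only AV the `scan` loop is what consumes CPU cycles inside the intercepted call; the coprocessor design in the article replaces that loop with hardware, while the hook (pause the call, hand over the buffer, act on the verdict) remains the software-side interface.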
Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints