Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints

Published: 04 March 2022

Abstract

AntiViruses (AVs) are essential to face the myriad of malware threatening Internet users. AVs operate in two modes: on-demand checks and real-time verification. Software-based real-time AVs intercept system and function calls to execute the AV's inspection routines, which results in significant performance penalties because the monitoring code runs interleaved with the suspicious code. Simultaneously, dark silicon problems push the industry to add more specialized accelerators inside the processor to mitigate such integration problems. In this article, we propose Terminator, an AV-specific coprocessor that assists software AVs by outsourcing their matching procedures to the hardware, thus saving CPU cycles and mitigating performance degradation. We designed Terminator to be flexible and compatible with existing AVs by using YARA and ClamAV rules. Our experiments show that our approach can save up to 70 million CPU cycles per rule when outsourcing on-demand checks for matching typical, unmodified YARA rules against a dataset of 30 thousand in-the-wild malware samples. Our proposal eliminates the AV's need to block the CPU to perform full system checks, which can now run in parallel. We also designed a new inspection breakpoint mechanism that signals to the coprocessor the beginning of a monitored region, allowing it to scan the region in parallel with its execution. Overall, our mechanism mitigated up to 44% of the overhead imposed by executing and monitoring the SPEC benchmark applications in the most challenging scenario.



Published in

ACM Transactions on Privacy and Security, Volume 25, Issue 2
May 2022
263 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3505216


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 4 March 2022
• Accepted: 1 October 2021
• Revised: 1 August 2021
• Received: 1 March 2021

Qualifiers

• research-article
• Refereed