CPU hardware performance counters for security

In this podcast recorded at Black Hat USA 2015, Nishad Herath, Principal Anti-Malware Technologist at Qualys, talks about CPU hardware performance counters, which allow us to do low latency performance measuring, without special runtime or compile time software instrumentation. It is said “advanced users often rely on those counters to conduct low-level performance analysis or tuning” according to Wikipedia.

But is this all we can do? Maybe it is all that they were meant for, faster debugging and profiling. But these days, the performance counters you find in your CPUs are not exactly your grand daddy’s CPU performance counters! They can do bigger and better things – even defending against RowHammer! Yes, they can be used to to make platforms more secure!

On Intel x86/x64 compatible CPUs, the MSR_DEBUGCTLA MSR (Model Specific Register) can be used for LBR (Last Branch Recording). BTF CPU flag can facilitate “single stepping” on branching rather than just single stepping on every instruction. Clearly many uses. Some of it security related, like the potential for ROP mitigation.

Share this