Investigating Black-Box Function Recognition Using Hardware Performance Counters
We present new methods and results for discovering information about black-box program functions using hardware performance counters (HPC), where an investigator can only invoke and measure the results of function calls. Important use cases include analysing compiled libraries, e.g. static and dynamic link libraries, and trusted execution environment (TEE) applications. Drawing inspiration from recent literature on malware classification, we develop and evaluate a machine learning-based approach using information from HPCs for function recognition. We use this to classify a comprehensive set of HPC events, including L1 instruction cache accesses, TLB misses, and instruction retirements, to recognise functions from standard benchmarking and cryptographic libraries. This includes various ciphers in different modes of operation, e.g. AES-CTR vs. AES-ECB; signing, verification, and hashing algorithms; and more. Three major architectures are evaluated using off-the-shelf Intel/X86-64, ARM, and RISC-V CPUs under various compilation assumptions. Following this, we develop and evaluate two novel use cases. Firstly, we show that several known CVE-numbered OpenSSL vulnerabilities can be detected using HPC differences between patched and unpatched library versions. Secondly, we develop a proof-of-concept for recognising standardised cryptographic functions within ARM TrustZone TEE applications using the open-source OP-TEE framework. In all cases, HPCs could be used with significant accuracy (86.22-99.83%) depending on the target architecture and application. Lastly, we discuss mitigations, outstanding challenges, and directions for future research.