Hardware-Based Workload Forensics and Malware Detection in Modern Microprocessors
Traditional computer forensics and/or malware detection methods are generally implemented at the operating system (OS) or hypervisor level, which benefits from abundant software semantics and implementation flexibility. Nevertheless, the data logging and monitoring systems involved in these methods are vulnerable to spoofing attacks at that same level, which undermines their effectiveness. In this dissertation, hardware-based methodologies are proposed to perform workload forensics and/or malware detection in microprocessors. In contrast to their software-based counterparts, a hardware-based implementation ensures immunity to software tampering. Specifically, a generic architecture is introduced that a hardware-based forensic analysis or malware detection method needs to follow, along with the various kinds of architecture-level information that could potentially be harnessed to ensure system security and/or integrity. To illustrate the proposed concept, two incarnations, i.e., hardware-based workload forensics and hardware-based rootkit detection, are presented. Experimental results corroborate that even a low-cost hardware implementation can facilitate highly successful forensic analysis and/or malware detection, while taking advantage of its innate immunity to software-based attacks.
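To make the analysis half of the generic architecture concrete, the following is an added example (not code from the dissertation, and not its actual method) of what the software side of a hardware-based forensics pipeline could do with the architecture-level information a hardware monitor emits. It assumes, as a labelled assumption, that the monitor periodically produces a fixed-length vector of event counts per sampling interval (the four feature names, the constructed training snapshots, and the distance threshold are all made up for illustration). From those vectors it builds a per-workload statistical profile, labels each new interval with the nearest profile (workload forensics), and flags intervals that fit no known profile, e.g. an interval whose privileged-transition count is far outside what the matching workload ever produced, as "unknown" for an analyst to inspect (the kind of deviation a rootkit detector would look for).

```python
"""Toy workload-forensics analysis over architecture-level event counts.

Added example; not the dissertation's own method or code. Assumptions:
a hardware monitor emits one vector of event counts per interval, the
feature set below is illustrative, and the training data is constructed.
"""
from math import sqrt
from statistics import mean, pstdev

# Assumed feature order of each monitor sample (names are illustrative).
FEATURES = ("instr_retired", "branch_mispred", "l1d_misses", "priv_transitions")

# Constructed training snapshots: workload name -> one vector per interval.
TRAINING = {
    "compress":   [(1000, 40, 120, 5), (1050, 42, 130, 6),
                   (980, 38, 115, 5), (1020, 41, 125, 4)],
    "web_server": [(600, 90, 300, 60), (620, 95, 310, 65),
                   (580, 88, 290, 58), (610, 92, 305, 62)],
    "idle":       [(50, 3, 10, 2), (55, 4, 12, 2),
                   (48, 3, 9, 1), (52, 3, 11, 2)],
}


def build_profiles(training):
    """Per-workload profile: per-feature mean and population std-dev."""
    profiles = {}
    for name, vectors in training.items():
        cols = list(zip(*vectors))
        mu = [mean(c) for c in cols]
        # Floor the spread at 1.0 so a constant feature cannot divide by zero
        # and a one-count wobble does not explode the distance.
        sigma = [max(pstdev(c), 1.0) for c in cols]
        profiles[name] = (mu, sigma)
    return profiles


def zdistance(sample, profile):
    """Euclidean distance in per-feature z-score units."""
    mu, sigma = profile
    return sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(sample, mu, sigma)))


def classify(sample, profiles, threshold=6.0):
    """Return (label, nearest_workload, distance).

    label is the nearest workload when the sample lies within `threshold`
    z-units of it, otherwise "unknown" (threshold is an assumed tuning knob).
    """
    nearest = min(profiles, key=lambda n: zdistance(sample, profiles[n]))
    dist = zdistance(sample, profiles[nearest])
    label = nearest if dist <= threshold else "unknown"
    return (label, nearest, dist)


def reconstruct_timeline(samples, profiles, threshold=6.0):
    """Forensic view: label every interval of a captured trace in order."""
    return [classify(s, profiles, threshold)[0] for s in samples]


# Constructed trace: two compress intervals, one web-server interval, one
# compress-like interval with an inflated privileged-transition count, idle.
TRACE = [
    (1010, 41, 122, 5),
    (1005, 40, 121, 5),
    (605, 91, 302, 61),
    (1010, 41, 122, 40),   # deviates only in priv_transitions
    (51, 3, 10, 2),
]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for sample, label in zip(TRACE, reconstruct_timeline(TRACE, profiles)):
        print(dict(zip(FEATURES, sample)), "->", label)
```

The profile build and the z-score distance are deliberately simple so the interesting part is visible: a sample that matches a known workload on every feature but one is still rejected, because the distance is measured in units of that workload's own observed spread. In the rootkit-detection incarnation the page describes, the same structure applies with the hardware, rather than the OS, supplying the counts, which is what removes the spoofing problem the abstract raises.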