InstPro: Provenance-Based Transient Execution Attack Detection and Investigation on Instruction Execution Traces

Jun 27, 2025 · Yang Zheng, Yu Wen, Ruoyu Wang, Yanna Wu, Boyang Zhang, Dan Meng

Abstract
Transient execution attacks (TEAs) are a serious threat to modern computing systems. While software/hardware hardening techniques have been proposed to mitigate the threat, developing detection techniques remains imperative, as they hold promise for flexible extension to address new variants, ease of deployment, and minimal system impact. Existing detection techniques face the following three limitations: unstable information sources, lack of explanation for attack scenarios, and limited training data. To address the limitations, we propose InstPro, a TEA detection system that identifies a TEA program while providing an explanation of the attack scenario, based on instruction execution traces. Specifically, InstPro first extracts principled clues that represent instruction sequences semantically close to attack abstraction. These clues provide high-level visualizations of TEA steps. Then, InstPro correlates the clues into a clue provenance graph by reasoning about their causal dependencies, which provides a concise provenance representation. Finally, InstPro reconstructs a scenario graph by using the InfoSubgraphs that represent the information flows among principled clues. These InfoSubgraphs are more likely to capture a set of crucial principled clues that work together to represent the attack scenario. Our evaluations based on 5 datasets show that InstPro effectively performs TEA detection and investigation.
Publication
IEEE Transactions on Dependable and Secure Computing (TDSC), 2025. (Accepted, CCF-A)