Hardware-based Workload Forensics and Malware Detection in Microprocessors

We investigate the possibility of performing workload forensics and/or malware detection in microprocessors through exclusively hardware-based methodologies. Specifically, we first introduce a general architecture which a hardware-based forensics or malware detection method would need to follow, as well as the various processor-level information which could potentially be harnessed to ensure system security and/or integrity. In contrast to traditional forensics and/or malware detection methods implemented at the operating system (OS) and/or the hypervisor level, whose data logging and monitoring systems are vulnerable to spoofing attacks at the same level, moving implementation to hardware ensures immunity to such attacks. This work focuses on two recent incarnations of this general concept, illustrating the effectiveness of hardware-based forensics and/or malware detection. Several other recent methods related to this topic are also discussed. Experimental results corroborate that even a low-cost hardware implementation can facilitate highly successful forensics analysis and/or malware detection, while taking advantage of its innate immunity to software-based attacks.