Classifying Co-Resident Computer Programs Using Information Revealed by Resource Contention

Modern computer architectures are complex, containing numerous components that can unintentionally reveal system operating properties. Defensive security professionals seek to minimize this kind of exposure while adversaries can leverage the data to attain an advantage. This paper presents a novel covert interrogator program technique using light-weight sensor programs to target integer, floating point, and memory units within a computer’s architecture to collect data which can be used to match a running program to a known set of programs with up to 100% accuracy under simultaneous multithreading conditions. This technique is applicable to a broad spectrum of architectural components, does not rely on specific vulnerabilities, nor requires elevated privileges. Furthermore, this research demonstrates the technique in a system with operating system containers intended to provide isolation guarantees which limit a user’s ability to observe the activity of other users. In essence, this research exploits observable noise that is present whenever a program executes on a modern computer. This paper presents interrogator program design considerations, a machine learning approach to identify models with high classification accuracy, and measures the effectiveness of the approach under a variety of program execution scenarios.