Identification of Return-Oriented Programming Attacks Using RISC-V Instruction Trace Data

An increasing number of embedded systems include dedicated neural hardware. To benefit from this specialized hardware, deep learning techniques to discover malware on are needed. This effort evaluated candidate machine detection for distinguishing exploited non-exploited RISC-V program behavior using execution traces. We first developed a dataset traces containing Return Oriented Programming (ROP) exploitation the Instruction Set Architecture (ISA) and then several bidirectional Long Short-Term Memory (LSTM) models capable traces, each subsets features objective was evaluate which (instruction addresses immediate values) an trace application-specific, (opcodes operands) application-agnostic, how these affect model performance. Application-agnostic allow generalize its capability detecting ROP in previously unseen applications. The opcode operand sequences obtained 98.21% cross validation accuracy 97.94% test accuracy. In contrast, address values 92.79% with 99.59% set research also analyzed whether ROPs significantly affects branch prediction; experimental evidence suggests that it does. Thus, prediction could be valuable feature exploits.