CPU hardware performance counters allow us to do low latency performance measuring, without special runtime or compile time software instrumentation. It is said "advanced users often rely on those counters to conduct low-level performance analysis or tuning" according to Wikipedia. But is this all we can do? Maybe it is all that they were meant for, faster debugging and profiling. But these days, the performance counters you find in your CPUs are not exactly your grand daddy's CPU performance counters! They can do bigger and better things - even defending against RowHammer! Yes, they can be used to to make platforms more secure!
Okay, so on Intel x86/x64 compatible CPUs, the MSR_DEBUGCTLA MSR (Model Specific Register) can be used for LBR (Last Branch Recording). BTF CPU flag can facilitate "single stepping" on branching rather than just single stepping on every instruction. Clearly many uses. Some of it security related, like the potential for ROP mitigation. These are reasonably well explored. Perhaps not widely discussed though.Anyway, in this talk, we will be talking about very interesting features that we find today on Intel x86/x64 compatible CPUs that can be leveraged to achieve platform security relevant outcomes that were simply impractical using software only means, or your grandaddy's CPU performance counters. Some of the use cases might surprise you! We will be demonstrating these techniques against real world exploit code, with performance impact numbers to boot!We might even share our code with those who ask us nicely.