Jasper Lake EDS Vol1
Branch Monitoring Counters
Branch monitoring technology allows monitor and detection a set of heuristics within an execution window in a program. This heuristics can be used for detecting abnormal behavior in code execution and signal the anti-malware software of its occurrence.
These technology allows such Anti-Virus software to receive a signal (interrupt) when a counter threshold has been reached. Branch Monitoring allows software to perform non-intrusive runtime analysis of ROP (Return Oriented Programming) attacks on applications.
The heuristics are based on certain performance monitoring statistics, measured dynamically over a short configurable window period. Anti-malware software has the responsibility to configure the Hardware statistics of interest and the Window size via MSR registers. Anti-malware SW is also responsible for post-processing any signaled event due to a detection condition. Such signaling is not considered 100% reliable and thus the anti-malware software is the ultimate decision maker to avoid false positives, while at the same time maintaining sufficient sensitivity for detecting malware.