REMOTE: Robust External Malware Detection Framework by Using Electromagnetic Signals

Cyber-physical systems (CPS) control many critical and sensitive aspects of our physical world while being continuously exposed to potential cyber-attacks. These systems typically have limited performance, memory, and energy reserves, which limits their ability to run existing advanced malware protection and, in turn, makes securing them very challenging. To tackle these problems, this paper proposes REMOTE, a new robust framework that detects malware by externally observing the electromagnetic (EM) signals emitted by an electronic computing device (e.g., a microprocessor) while it runs a known application, in real time, with low detection latency, and without any a priori knowledge of the malware. REMOTE requires no resources or infrastructure on, and no modifications to, the monitored system itself, which makes it especially suitable for malware detection on resource-constrained devices such as embedded devices, CPSs, and Internet of Things (IoT) devices, where hardware and energy resources may be limited. To demonstrate the usability of REMOTE in real-world scenarios, we port two real-world programs (an embedded medical device and an industrial PID controller), each with a meaningful attack (a code-reuse and a code-injection attack), to four different hardware platforms. We also port shellcode-based DDoS and ransomware attacks to five different standard applications on an embedded system. To further demonstrate the applicability of REMOTE to commercial CPS, we use REMOTE to monitor a robotic arm.
Our results on all these hardware platforms show that, for every attack on each platform, REMOTE detects each instance of the attack with <0.1 percent false positives. We also systematically evaluate the robustness of REMOTE to interrupts and other system activity, to signal variation among different physical instances of the same device design, to changes over time, and to plastic enclosures and nearby electronic devices. This evaluation includes hundreds of measurements and shows that REMOTE achieves excellent accuracy (<0.1 percent false positive and >99.9 percent true positive rates) under all these conditions. We also compare REMOTE to the prior work EDDIE [1] and SYNDROME [2], and demonstrate that these prior works are unable to achieve high accuracy under these variations.
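The abstract describes the approach only at a high level: build a reference for the EM emissions of a known application, then flag executions whose emissions deviate from it, with no prior knowledge of the malware and with tolerance for gain differences between physical instances. The block below is an added illustration of that general class of detector, written for this page; it is not REMOTE's own algorithm, whose signal processing and models the abstract does not specify. The sampled "EM trace" is a constructed stand-in (sinusoids at a control loop's frequency and harmonics plus Gaussian noise), and the frequencies, amplitudes, noise level, per-instance amplitude drift model, the z-score distance and the threshold rule are all constructed assumptions. The DFT is a naive pure-Python one so the script runs with no extra packages.

```python
import cmath
import math
import random

# Constructed stand-in for a sampled EM trace. The monitored application is a
# fixed-period control loop, so its emission concentrates at the loop frequency
# and its harmonics; everything else is broadband noise.
SAMPLE_RATE = 1000.0                  # samples per second (constructed)
WINDOW = 100                          # samples per analysis window (bin width = 10 Hz)
BENIGN_FREQS = (50.0, 100.0, 150.0)   # loop frequency and two harmonics (constructed)
BENIGN_AMPS = (1.0, 0.5, 0.3)         # their relative amplitudes (constructed)


def synth_window(rng, freqs, amps, drift=1.0, noise=0.2):
    """One window of constructed signal: sinusoids at `freqs` plus Gaussian noise.
    `drift` scales the signal to mimic gain differences between physical
    instances of the same device design (or probe placement)."""
    phases = [rng.uniform(0.0, 2.0 * math.pi) for _ in freqs]
    samples = []
    for n in range(WINDOW):
        t = n / SAMPLE_RATE
        v = sum(a * drift * math.sin(2.0 * math.pi * f * t + p)
                for f, a, p in zip(freqs, amps, phases))
        samples.append(v + rng.gauss(0.0, noise))
    return samples


def magnitude_spectrum(samples):
    """Naive DFT magnitude for the first N/2 bins, normalized to unit energy so
    that an overall gain change does not by itself alter the profile."""
    n = len(samples)
    mags = []
    for k in range(n // 2):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(samples))
        mags.append(abs(acc))
    total = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / total for m in mags]


def build_profile(windows):
    """Reference signature of the known application: per-bin mean and standard
    deviation of the normalized spectrum over known-good windows."""
    spectra = [magnitude_spectrum(w) for w in windows]
    nbins = len(spectra[0])
    means = [sum(s[k] for s in spectra) / len(spectra) for k in range(nbins)]
    stds = []
    for k in range(nbins):
        var = sum((s[k] - means[k]) ** 2 for s in spectra) / len(spectra)
        stds.append(math.sqrt(var) + 1e-3)   # floor keeps quiet bins from dominating
    return means, stds


def deviation_score(profile, samples):
    """Mean squared z-score of one window's spectrum against the profile:
    about 1 for windows drawn from the same distribution as the training data."""
    means, stds = profile
    spec = magnitude_spectrum(samples)
    return sum(((s - m) / sd) ** 2 for s, m, sd in zip(spec, means, stds)) / len(spec)


def run_demo(seed=7):
    """Train on known-good windows, calibrate a threshold, then score three
    constructed cases. Returns the threshold and the per-case verdicts."""
    rng = random.Random(seed)
    train = [synth_window(rng, BENIGN_FREQS, BENIGN_AMPS, drift=rng.uniform(0.8, 1.2))
             for _ in range(40)]
    profile = build_profile(train)
    # Constructed threshold rule: a margin above the largest deviation seen on
    # known-good data.
    threshold = 3.0 * max(deviation_score(profile, w) for w in train)

    # Held-out benign window from a "different physical instance" whose gain
    # lies outside the training range: must not be flagged.
    benign = synth_window(rng, BENIGN_FREQS, BENIGN_AMPS, drift=1.25)
    # Control-flow change: the loop now runs with a different period.
    retimed = synth_window(rng, (70.0, 140.0, 210.0), BENIGN_AMPS)
    # Injected extra work: an additional periodic component appears.
    injected = synth_window(rng, BENIGN_FREQS + (250.0,), BENIGN_AMPS + (0.5,))
    return {
        "threshold": threshold,
        "benign_flagged": deviation_score(profile, benign) > threshold,
        "retimed_flagged": deviation_score(profile, retimed) > threshold,
        "injected_flagged": deviation_score(profile, injected) > threshold,
    }


if __name__ == "__main__":
    print(run_demo())
```

The energy normalization in `magnitude_spectrum` is what lets the held-out window from a "different instance" pass: its gain differs from anything seen in training, but the shape of its spectrum does not. The two attack stand-ins change that shape (energy moves to new bins, or a new bin appears), so they score far above the calibrated threshold. A real detector on top of a measured trace would additionally have to cope with the interrupts, timing jitter and environmental effects the paper evaluates, which this toy profile does not model.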

[1] Avesta Sasan et al. Ensemble Learning for Effective Run-Time Hardware-Based Malware Detection: A Comprehensive Analysis and Classification, 2018, 2018 55th ACM/ESDA/IEEE Design Automation Conference (DAC).

[2] Lei Liu et al. VirusMeter: Preventing Your Cellphone from Spies, 2009, RAID.

[3] Vijay Janapa Reddi et al. Quantifying and improving the efficiency of hardware-based mobile malware detectors, 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[4] Manos Antonakakis et al. SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security, 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[5] Shidhartha Das et al. Leveraging CPU Electromagnetic Emanations for Voltage Noise Characterization, 2018, 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[6] Nael B. Abu-Ghazaleh et al. Malware-aware processors: A framework for efficient online malware detection, 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[7] Joshua M. Pearce et al. Open-Source Syringe Pump Library, 2014, PLoS ONE.

[8] Zhenkai Liang et al. Jump-oriented programming: a new class of code-reuse attack, 2011, ASIACCS '11.

[9] Berk Sunar et al. Trojan Detection using IC Fingerprinting, 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[10] Clifford Neuman et al. Deconstructing the Assessment of Anomaly-based Intrusion Detectors, 2013, RAID.

[11] Adi Shamir et al. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, 2014, CRYPTO.

[12] Avesta Sasan et al. Adversarial Attack on Microarchitectural Events based Malware Detectors, 2019, 2019 56th ACM/IEEE Design Automation Conference (DAC).

[13] Arie Yeredor et al. IDEA: Intrusion Detection through Electromagnetic-Signal Analysis for Critical Embedded and Cyber-Physical Systems, 2019, IEEE Transactions on Dependable and Secure Computing.

[14] Wenyuan Xu et al. WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices, 2013, HealthTech.

[15] Chong Kuan Chen et al. IoT Security: Ongoing Challenges and Research Opportunities, 2014, 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications.

[16] Swarup Bhunia et al. Scalable Test Generation for Trojan Detection Using Side Channel Analysis, 2018, IEEE Transactions on Information Forensics and Security.

[17] Trevor Mudge et al. MiBench: A free, commercially representative embedded benchmark suite, 2001.

[18] Milos Prvulovic et al. EDDIE: EM-based detection of deviations in program execution, 2017, 2017 ACM/IEEE 44th Annual International Symposium on Computer Architecture (ISCA).

[19] Alessandro Orso et al. Zero-overhead profiling via EM emanations, 2016, ISSTA.

[20] Daniel Genkin et al. Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation, 2015, CHES.

[21] Ken Dunham. Evaluating Anti-Virus Software: Which Is Best?, 2003, Inf. Secur. J. A Glob. Perspect.

[22] Salvatore J. Stolfo et al. On the feasibility of online malware detection with performance counters, 2013, ISCA.

[23] Brent ByungHoon Kang et al. Dynamic Malware Analysis, 2011, Encyclopedia of Cryptography and Security.

[24] Wenyuan Xu et al. On Code Execution Tracking via Power Side-Channel, 2016, CCS.

[25] Y. Hayashi et al. Efficient Evaluation of EM Radiation Associated With Information Leakage From Cryptographic Devices, 2013, IEEE Transactions on Electromagnetic Compatibility.

[26] Siva Sai Yerubandi et al. Differential Power Analysis, 2002.

[27] Milos Prvulovic et al. Syndrome: Spectral analysis for anomaly detection on medical IoT and embedded devices, 2018, 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[28] Hovav Shacham et al. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86), 2007, CCS '07.

[29] Felix C. Freiling et al. Toward Automated Dynamic Malware Analysis Using CWSandbox, 2007, IEEE Secur. Priv.

[30] Carlos R. Aguayo González et al. Power fingerprinting in SDR integrity assessment for security and regulatory compliance, 2011.

[31] Nael B. Abu-Ghazaleh et al. Hardware-Based Malware Detection Using Low-Level Architectural Features, 2016, IEEE Transactions on Computers.

[32] Milos Prvulovic et al. FASE: Finding Amplitude-modulated Side-channel Emanations, 2015, 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA).

[33] Christof Paar et al. SCANDALee: A side-ChANnel-based DisAssembLer using local electromagnetic emanations, 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[34] Felix Wortmann et al. Internet of Things, 2015, Business & Information Systems Engineering.

[35] Ankur Srivastava et al. Temperature Tracking: Toward Robust Run-Time Detection of Hardware Trojans, 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[36] Alexandros G. Dimakis et al. Understanding contention-based channels and using them for defense, 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[37] Dakshi Agrawal et al. The EM Side-Channel(s), 2002, CHES.

[38] Laura J. Mariano et al. Classification of Electronic Devices and Software Processes via Unintentional Electronic Emissions With Neural Decoding Algorithms, 2020, IEEE Transactions on Electromagnetic Compatibility.

[39] Milos Prvulovic et al. Creating a Backscattering Side Channel to Enable Detection of Dormant Hardware Trojans, 2019, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[40] Yingxu Wang et al. Transactions on Computational Science V, 2009, Lecture Notes in Computer Science.

[41] Milos Prvulovic et al. A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events, 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[42] Andrea Maria Zanchettin et al. An Experimental Security Analysis of an Industrial Robot Controller, 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[43] Ahmad-Reza Sadeghi et al. C-FLAT: Control-Flow Attestation for Embedded Systems Software, 2016, CCS.

[44] Hua Liu et al. Watch Me, but Don't Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations, 2017, CCS.

[45] Nael B. Abu-Ghazaleh et al. RHMD: Evasion-Resilient Hardware Malware Detectors, 2017, 2017 50th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[46] Yiqiang Zhao et al. Hardware Trojan Detection Through Chip-Free Electromagnetic Side-Channel Statistical Analysis, 2017, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[47] Kang G. Shin et al. Detecting energy-greedy anomalies and mobile malware variants, 2008, MobiSys '08.

[48] Daniel Genkin et al. Get your hands off my laptop: physical side-channel key-extraction attacks on PCs, 2014, Journal of Cryptographic Engineering.

[49] Mathias Payer et al. DataShield: Configurable Data Confidentiality and Integrity, 2017, AsiaCCS.

[50] Pankaj Rohatgi et al. Template Attacks, 2002, CHES.

[51] Milos Prvulovic et al. Spectral profiling: Observer-effect-free profiling by monitoring EM emanations, 2016, 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[52] Keith Mayes et al. Precise Instruction-Level Side Channel Profiling of Embedded Processors, 2014, ISPEC.

[53] Jean-Jacques Quisquater et al. Automatic Code Recognition for Smartcards Using a Kohonen Neural Network, 2002, CARDIS.

[54] Jan Sölter et al. Efficient Power and Timing Side Channels for Physical Unclonable Functions, 2014, CHES.