Leveraging Side-Channel Information for Disassembly and Security

With the rise of the Internet of Things (IoT), devices such as smartphones, embedded medical devices, and smart home appliances, as well as traditional computing platforms such as personal computers and servers, have been increasingly targeted by a variety of cyber attacks. Because embedded devices have limited hardware resources and wide-coverage, on-time software updates are difficult, software-only cyber defense techniques, such as traditional anti-virus and malware detectors, do not offer a silver-bullet solution. Hardware-based security monitoring and protection techniques have therefore gained significant attention. Monitoring devices using side-channel leakage information, e.g., power supply variation and electromagnetic (EM) radiation, is a promising avenue that promotes multiple directions in security and trust applications. In this article, we provide a taxonomy of hardware-based monitoring techniques against different cyber and hardware attacks, highlight their potential and unique challenges, and show how power-based side-channel instruction-level monitoring can offer suitable solutions to prevailing embedded device security issues. Further, we delineate approaches for future research directions.
