Real-time instruction-level verification of remote IoT/CPS devices via side channels

Discover Internet of Things - Volume 2 - Pages 1-19 - 2022
Yunkai Bai1, Jungmin Park1, Mark Tehranipoor1, Domenic Forte1
1ECE Department, University of Florida, Gainesville, USA

Abstract

In recent years, with the rise of IoT technology, wireless Cyber-Physical Systems (CPS) have become widely deployed in critical infrastructure, including power generation, military systems, and autonomous and unmanned vehicles. Adding network connectivity to CPS for data transfer, cloud support, etc., opens the door to malware injection. Meanwhile, outsourcing the fabrication of advanced technology nodes overseas makes it difficult to protect these devices from malicious modification and hardware Trojans. To address these issues, traditional anomaly detection methods insert monitoring circuits or software into the target device, but they come with high overhead and power consumption. Alternative anomaly detection methods work offline and rely on large equipment such as oscilloscopes and PCs to collect and process side-channel traces. While they can achieve high accuracy in detecting various anomalies, their large, expensive setups make them difficult to use in practice. In this paper, we introduce a new instruction-level verification methodology that uses a low-cost, external add-on to monitor the power traces of a target device. This methodology has fine-grained granularity and can protect the target device from any malware or hardware Trojan that alters even a single instruction executed by the target device. The hardware used is a tiny (20 × 20 mm), custom-designed PCB called RASC that collects power traces, performs real-time malware detection, and transmits the outcomes to security administrators via Bluetooth. The proposed methodology is demonstrated on 6 benchmarks with two types of malware on an Atmel AVR device, and the accuracy of offline and real-time malware detection is compared.
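The following is an added example, not code from the paper or the RASC project, sketching the instruction-level verification idea the abstract describes: per-instruction power templates are built during a profiling phase, and at runtime each instruction window of the measured trace is checked against the template of the instruction the known-good program should execute at that position, so a single substituted instruction stands out. The per-instruction power profiles, noise level, window length and the AVR mnemonics used are constructed placeholders, not measurements from the paper's target.

```python
import random
# Constructed per-instruction power signatures (8 samples per instruction
# window). Illustrative only: not measurements of the paper's AVR target.
PROFILES = {
    "nop":  [0.10, 0.12, 0.11, 0.10, 0.12, 0.11, 0.10, 0.11],
    "ldi":  [0.30, 0.55, 0.40, 0.20, 0.25, 0.35, 0.30, 0.20],
    "add":  [0.35, 0.45, 0.70, 0.50, 0.30, 0.25, 0.20, 0.20],
    "st":   [0.50, 0.40, 0.30, 0.60, 0.80, 0.70, 0.40, 0.30],
    "rjmp": [0.20, 0.30, 0.25, 0.20, 0.60, 0.65, 0.55, 0.30],
}
WINDOW, NOISE = 8, 0.03  # samples per instruction, Gaussian noise sigma

def measure(program, rng):
    """Simulate one power trace: each executed instruction's profile plus
    measurement noise, concatenated in execution order."""
    trace = []
    for op in program:
        trace.extend(s + rng.gauss(0, NOISE) for s in PROFILES[op])
    return trace

def build_templates(rng, runs=50):
    """Profiling phase: average many noisy traces of each instruction."""
    templates = {}
    for op in PROFILES:
        traces = [measure([op], rng) for _ in range(runs)]
        templates[op] = [sum(col) / runs for col in zip(*traces)]
    return templates

def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def verify(expected_program, trace, templates, threshold=0.25):
    """Check each window against the template of the instruction the known
    program should execute there; return (index, expected, nearest) misses."""
    anomalies = []
    for i, op in enumerate(expected_program):
        win = trace[i * WINDOW:(i + 1) * WINDOW]
        nearest = min(templates, key=lambda t: distance(win, templates[t]))
        if nearest != op or distance(win, templates[op]) > threshold:
            anomalies.append((i, op, nearest))
    return anomalies

def demo(seed=7):
    rng = random.Random(seed)
    templates = build_templates(rng)
    program = ["ldi", "ldi", "add", "st", "rjmp", "nop"]
    benign = verify(program, measure(program, rng), templates)
    tampered = program[:3] + ["rjmp"] + program[4:]  # one instruction altered
    flagged = verify(program, measure(tampered, rng), templates)
    return benign, flagged
```

With the constructed profiles the pairwise template distances are far larger than the noise, so the benign run produces no anomalies while the tampered run is flagged at index 3 with `rjmp` as the nearest template.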
