DOI: 10.1109/ICCAD.2015.7372617
research-article

ConFirm: Detecting firmware modifications in embedded systems using Hardware Performance Counters

Published: 01 November 2015

Abstract

Critical infrastructure components nowadays use microprocessor-based embedded control systems. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded control systems. Furthermore, as software sits atop and relies on the firmware for proper operation, software-level techniques cannot detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded control systems by measuring the number of low-level hardware events that occur during the execution of the firmware. In order to count these events, ConFirm leverages the Hardware Performance Counters (HPCs), which readily exist in many embedded processors. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate that ConFirm can detect all the tested modifications with low performance overhead.

Published In

2015 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)
929 pages

Publisher

IEEE Press

Cited By

• (2024) Lightweight Hardware-Based Cache Side-Channel Attack Detection for Edge Devices (Edge-CaSCADe). ACM Transactions on Embedded Computing Systems, 23:4 (1-27). DOI: 10.1145/3663673. Online publication date: 11-May-2024
• (2024) CuMONITOR: Continuous Monitoring of Microarchitecture for Software Task Identification and Classification. Digital Threats: Research and Practice, 5:3 (1-22). DOI: 10.1145/3652861. Online publication date: 28-Mar-2024
• (2023) Interruptible Remote Attestation of Low-end IoT Microcontrollers via Performance Counters. ACM Transactions on Embedded Computing Systems, 22:5 (1-19). DOI: 10.1145/3611674. Online publication date: 26-Sep-2023
• (2023) CloudShield: Real-time Anomaly Detection in the Cloud. Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy (91-102). DOI: 10.1145/3577923.3583639. Online publication date: 24-Apr-2023
• (2023) Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters. Digital Threats: Research and Practice, 4:1 (1-24). DOI: 10.1145/3519601. Online publication date: 7-Mar-2023
• (2022) Fast, Robust and Accurate Detection of Cache-Based Spectre Attack Phases. Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design (1-9). DOI: 10.1145/3508352.3549330. Online publication date: 30-Oct-2022
• (2021) Victims Can Be Saviors. ACM Journal on Emerging Technologies in Computing Systems, 17:2 (1-31). DOI: 10.1145/3439189. Online publication date: 29-Jan-2021
• (2016) Hardware Performance Counter-Based Malware Identification and Detection with Adaptive Compressive Sensing. ACM Transactions on Architecture and Code Optimization, 13:1 (1-23). DOI: 10.1145/2857055. Online publication date: 28-Mar-2016
