DOI: 10.1145/2976749.2978299 (ACM CCS conference proceedings)
Research article, public access

On Code Execution Tracking via Power Side-Channel

Published: 24 October 2016

Abstract

With the proliferation of the Internet of Things, there is a growing interest in embedded system attacks, e.g., key extraction attacks and firmware modification attacks. Code execution tracking, as the first step to locate vulnerable instruction sequences for key extraction attacks and to conduct control-flow integrity checking against firmware modification attacks, is therefore of great value. Because embedded systems, especially legacy embedded systems, have limited resources and may not support software or hardware updates, it is important to design low-cost code execution tracking methods that require as little system modification as possible. In this work, we propose a non-intrusive code execution tracking solution via the power side-channel, wherein we represent the code execution and its power consumption with a revised hidden Markov model and recover the most likely executed instruction sequence with a revised Viterbi algorithm. By observing the power consumption of the microcontroller unit during execution, we are able to recover the program execution flow with high accuracy and detect abnormal code execution behavior even when only a single instruction is modified.
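The following is an added illustration of the idea the abstract describes, not the paper's own model or code: a toy hidden Markov model whose states are instructions, whose legal transitions come from the program's control-flow graph, and whose emissions are per-instruction power samples, decoded with a CFG-constrained Viterbi pass. The program, the Gaussian power model, the traces and the per-sample likelihood threshold used to flag a substituted instruction are all constructed for this example; the paper's revised HMM and revised Viterbi are not reproduced here.

```python
import math

# Constructed toy program (invented values): index -> (mnemonic, mean power, std dev)
PROGRAM = {
    0: ("MOV", 1.0, 0.10),
    1: ("ADD", 1.4, 0.10),
    2: ("MUL", 2.2, 0.15),
    3: ("JNZ", 1.2, 0.10),  # loops back to 1 or falls through to 4
    4: ("RET", 0.8, 0.10),
}
CFG = {0: [1], 1: [2], 2: [3], 3: [1, 4], 4: [4]}  # static CFG = legal HMM transitions
ENTRY = 0

def log_gauss(x, mu, sigma):
    """Log-likelihood of one power sample under an instruction's Gaussian model."""
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))

def viterbi(samples):
    """CFG-constrained Viterbi: most likely instruction path for a power trace and
    the emission log-likelihood of each sample along that path."""
    # dp[t][state] = (best log-probability of being in state at time t, predecessor)
    dp = [{ENTRY: (log_gauss(samples[0], *PROGRAM[ENTRY][1:]), None)}]
    for x in samples[1:]:
        cur = {}
        for s, (lp, _) in dp[-1].items():
            trans = -math.log(len(CFG[s]))  # uniform choice among legal successors
            for nxt in CFG[s]:
                cand = lp + trans + log_gauss(x, *PROGRAM[nxt][1:])
                if nxt not in cur or cand > cur[nxt][0]:
                    cur[nxt] = (cand, s)
        dp.append(cur)
    s = max(dp[-1], key=lambda k: dp[-1][k][0])
    path = [s]
    for t in range(len(dp) - 1, 0, -1):  # backtrack through stored predecessors
        s = dp[t][s][1]
        path.append(s)
    path.reverse()
    emis = [log_gauss(x, *PROGRAM[s][1:]) for x, s in zip(samples, path)]
    return path, emis

def detect_modification(samples, threshold=-8.0):
    """Return (decoded path, positions no legal instruction plausibly explains)."""
    path, emis = viterbi(samples)
    return path, [t for t, e in enumerate(emis) if e < threshold]

# Constructed traces: a clean run (loop body twice, then RET) and the same run
# with the MUL at position 2 replaced by a cheaper instruction drawing ~1.0.
NORMAL_TRACE = [1.02, 1.38, 2.25, 1.19, 1.41, 2.18, 1.23, 0.79, 0.82]
MODIFIED_TRACE = NORMAL_TRACE[:2] + [1.00] + NORMAL_TRACE[3:]
```

Because the decoder may only move along CFG edges, a substituted instruction at a position with a single legal successor cannot be explained away by another path and shows up as a sample with very low likelihood; at branch points the decoder can sometimes absorb a modification into an alternative legal path, which is why a real deployment needs a better leakage model and more than a per-sample threshold.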



Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN:9781450341394
DOI:10.1145/2976749

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. code execution tracking
  2. embedded system
  3. hardware security
  4. power side-channel

Conference

CCS '16

Acceptance Rates

CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


  • Downloads (last 12 months): 213
  • Downloads (last 6 weeks): 32
Reflects downloads up to 09 Nov 2024

Cited By

  • Improving IIoT security: Unveiling threats through advanced side-channel analysis. Computers & Security, 148 (104135), Jan 2025. doi:10.1016/j.cose.2024.104135
  • SoK Paper: Power Side-Channel Malware Detection. Proceedings of the 13th International Workshop on Hardware and Architectural Support for Security and Privacy, pp. 1-9, 2 Nov 2024. doi:10.1145/3696843.3696849
  • From Code to EM Signals: A Generative Approach to Side Channel Analysis-based Anomaly Detection. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-10, 30 Jul 2024. doi:10.1145/3664476.3664520
  • MagView++: Data Exfiltration via CPU Magnetic Signals Under Video Decoding. IEEE Transactions on Mobile Computing, 23(3):2486-2503, Mar 2024. doi:10.1109/TMC.2023.3262400
  • Shells Bells: Cyber-Physical Anomaly Detection in Data Centers. NOMS 2024 IEEE Network Operations and Management Symposium, pp. 1-10, 6 May 2024. doi:10.1109/NOMS59830.2024.10575124
  • Nowhere to Hide: Monitoring Side Channels for Supply Chain Resiliency. IEEE Reliability Magazine, 1(2):27-34, Jun 2024. doi:10.1109/MRL.2024.3388408
  • Waves of Knowledge: A Comparative Study of Electromagnetic and Power Side-Channel Monitoring in Embedded Systems. Security and Privacy in Cyber-Physical Systems and Smart Vehicles, pp. 158-170, 5 Feb 2024. doi:10.1007/978-3-031-51630-6_11
  • DpGuard: A Lightweight Attack Detection Method for an Industrial Bus Network. Electronics, 12(5):1121, 24 Feb 2023. doi:10.3390/electronics12051121
  • A physical signal-based anomaly detection for industrial terminal. Proceedings of the 2023 7th International Conference on Electronic Information Technology and Computer Engineering, pp. 651-658, 20 Oct 2023. doi:10.1145/3650400.3650508
  • Fastensor: Optimise the Tensor I/O Path from SSD to GPU for Deep Learning Training. ACM Transactions on Architecture and Code Optimization, 25 Oct 2023. doi:10.1145/3630108
