DOI: 10.1145/3643832.3661870
research-article
Open access

FreeEM: Uncovering Parallel Memory EMR Covert Communication in Volatile Environments

Published: 04 June 2024 Publication History

Abstract

Memory Electromagnetic Radiation (EMR) allows attackers to manipulate the DRAM of infiltrated systems to leak sensitive secret information. Although most of the existing works have demonstrated its feasibility, practical concerns, such as the ideal electromagnetic environment and stationary attacking layout, make the covert channel attack less convincing, especially in vulnerable sites such as offices and data centers. This work removes the above impractical assumptions to uncover the potential of memory EMR by proposing the first parallel EMR covert communication protocol. Our design reshapes the current "1-to-1" covert communication mode to "n-to-1" mode via a novel pattern-based 2-dimensional symbol encoding scheme, allowing multiple victim computers to simultaneously perform data exfiltration to one attacker (the receiver) without mutual interference. Meanwhile, this novel scheme design also enables the very first mobile attacker, i.e., a smartphone connected to a software-defined radio (SDR) dongle, to capture parallel memory EMR signals in a volatile environment. Extensive experiments are conducted to verify the performance in a volatile environment with different parameter configurations, distances, motion modes, shielding materials, orientations, hardware configurations, and SDR platforms. Our experimental results demonstrate that FreeEM can support up to 4 parallel memory EMR transmissions to achieve an overall throughput of 625Kbps and a decoding accuracy of 96.88%. The maximum communication distance can reach up to 20 meters.

Cited By

  • (2024) Enhanced Intrusion Detection in Software-Defined Networking using Advanced Feature Selection: The EMRMR Approach. Engineering, Technology & Applied Science Research, 14:6 (19001-19008). DOI: 10.48084/etasr.9256. Online publication date: 2-Dec-2024

Published In

MOBISYS '24: Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services
June 2024
778 pages
ISBN: 9798400705816
DOI: 10.1145/3643832
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. memory EMR
  2. covert communication
  3. parallelism
  4. DRAM

Qualifiers

  • Research-article

Conference

MOBISYS '24

Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%

Article Metrics

  • Downloads (Last 12 months): 364
  • Downloads (Last 6 weeks): 74
Reflects downloads up to 12 Jan 2025
