From Event: SPIE Defense + Security, 2018
We applied machine learning to detect changes in the state of key registers in digital devices from their analog RF emissions. As digital devices operate, they emit information via analog side channels. We collected the RF side channel with a 500-MHz shielded loop probe from Riscure, placed in the near field (<1 mm) of the device under test (DuT). We investigated a number of Internet-of-Things (IoT) DuTs, including Arduino Uno and PIC24 processors. Conventional processors implement instructions as a sequence of subtasks. The first subtasks include incrementing the program counter (PC) register and fetching the next instruction from program memory into the instruction register (IR). These two subtasks occur in almost every instruction cycle. We ran programs on the DuT and collected the RF emissions. We parsed the object code of the programs to determine the state of key registers, including the PC and IR, during each instruction cycle and observed that the RF signal of each cycle is strongly correlated with the Hamming distance (HD) (i.e., the number of bits changing) in the PC and IR registers. Based on this result, we developed classifiers to extract the HD of the PC and IR, as well as of the stack pointer (SP). The classification results vary with the true HD, as some HD values are rare and have few examples in the training set. The classification accuracy exceeds 99% for the PC and the IR. Due to the relatively few HD examples in the training set for the SP, its accuracy only slightly exceeded 97%.
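As an added illustration (not code from the paper), the per-cycle labelling step the abstract describes, run on a constructed word-addressed instruction trace: each cycle is labelled with the HD of the PC and IR relative to the previous cycle, and the label histogram shows why some HD values end up rare in a training set. The trace and opcodes are hypothetical sample values, not taken from the DuTs studied.

```python
from collections import Counter


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions that differ between two register values."""
    return bin(a ^ b).count("1")


def register_hd_labels(trace):
    """Label each instruction cycle with (PC HD, IR HD): how many bits of the
    program counter and instruction register flip relative to the previous
    cycle. `trace` is the executed sequence of (pc, opcode) pairs obtained by
    walking the object code; the first entry is the starting register state."""
    labels = []
    for (prev_pc, prev_ir), (pc, ir) in zip(trace, trace[1:]):
        labels.append((hamming_distance(prev_pc, pc), hamming_distance(prev_ir, ir)))
    return labels


def label_histogram(labels, register):
    """Count how often each HD value occurs; register is 0 (PC) or 1 (IR)."""
    return Counter(label[register] for label in labels)


def rare_classes(histogram, min_count):
    """HD values with fewer than min_count training examples: classes a
    classifier sees too seldom to learn well (the SP situation in the abstract)."""
    return sorted(hd for hd, n in histogram.items() if n < min_count)


# Constructed trace (hypothetical 16-bit opcodes, word-addressed PC) of a short
# loop: three instructions at 0x0001-0x0003 with a backward branch at 0x0003.
SAMPLE_TRACE = [
    (0x0000, 0x2400),
    (0x0001, 0xE01F),
    (0x0002, 0x950A),
    (0x0003, 0xF7F1),  # branch back to 0x0001
    (0x0001, 0xE01F),
    (0x0002, 0x950A),
    (0x0003, 0xF7F1),
]

if __name__ == "__main__":
    labels = register_hd_labels(SAMPLE_TRACE)
    for cycle, (pc_hd, ir_hd) in enumerate(labels, 1):
        print(f"cycle {cycle}: PC HD={pc_hd} IR HD={ir_hd}")
    print("PC HD histogram:", dict(label_histogram(labels, 0)))
    print("IR HD histogram:", dict(label_histogram(labels, 1)))
    print("rare PC HD classes (<3 examples):", rare_classes(label_histogram(labels, 0), 3))
```

The labels are what the RF traces of each cycle would be paired with when training the classifiers; the short loop already yields an uneven PC HD distribution.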
© (2018) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Ronald A. Riley, James T. Graham, Rusty O. Baldwin, and Ashwin Fisher, "Register Hamming distance from side channels," Proc. SPIE 10630, Cyber Sensing 2018, 1063009 (Presented at SPIE Defense + Security: April 17, 2018; Published: 3 May 2018); https://doi.org/10.1117/12.2304449.