As one of the fundamental approaches for code optimization and performance analysis, profiling software activities can provide information on the existence of malware, code execution problems, etc. In this paper, we propose a methodology to profile a system with no overhead. The approach leverages electromagnetic (EM) emanations while executing a program, and exploits its flow diagram by constructing a Markov model. The states of the model are considered as the heavily executed blocks (called hot paths) of the program, and the transition between any two states is possible only if there exists a branching operation which enables execution of corresponding states without any intermediate state. To identify the state of the program, we utilize a supervised learning method. To do so, we first collect signals for each state, extract features, and generate a dictionary. The features are considered as the activated frequencies when the program is executed. The assumption here is that there exists at least one unique frequency component that is only active for one unique state. Moreover, to degrade the e↵ect of interruptions and other signals emanated from other parts of the device, and to obtain signals with high Signal-to-Noise Ratio (SNR), we average the output of Short-Time Fourier Transform (STFT). After extracting features, we apply Principle Component Analysis (PCA) for dimension reduction which helps monitoring systems in real time. Finally, we describe experimental setup and show results to demonstrate that the proposed methodology can detect malware activity with high accuracy.
Over the past few years, globalization of the semiconductor supply chain has led companies to outsource much of the production cycle for integrated circuits (ICs). While outsourcing helps companies significantly reduce their cost and time-to-market, it also introduces concerns about the trustworthiness of an IC. One of the most serious problems is counterfeiting of ICs, which not only negatively impacts innovation and economic growth of the IC industry, but also creates serious threats and risks for systems that incorporate those counterfeit ICs. This paper proposes a novel method that uses the backscattering side-channel to cluster ICs such that counterfeits are separated from legitimate ICs. The backscattering side-channel, which has been introduced only recently, has been proven to outperform other side-channels in detecting hardware Trojan horses (HTs), i.e. ICs where additional logic gates (and connections to existing logic gates) have been added. In this work we use it to robustly separate ICs into legitimate and counterfeit ones, even when only layout or placement of the IC has changed, without any added logic or connections. We evalute our technique on a set of ten boards over six different counterfeit IC designs, and find that our technique tolerates manufacturing variations among different hardware instances, detecting counterfeit ICs with 100% accuracy and 0% false positives.
Monitoring computer system activities on the instruction level provides more resilience to malware attacks because these attacks can be analyzed better by observing the changes on the instruction level. Assuming the source code is available, many training signals can be collected to track the instruction sequence to detect whether a malware is injected or the system works properly. However, training signals have to be collected with high sampling rate to ensure that the significant features of these signals do not vanish. Since the clock frequencies of the current computer systems are extremely high, we need to have a commercial device with high sampling rate, i.e. 10GHz, which either costs remarkably high, or does not exist. To eliminate the deficiencies regarding the insufficient sampling rate, we propose a method to increase the sampling rate with the moderate commercial devices for training symbols. In that respect, we first generate some random instruction sequences which exist in the inspected source code. Then, these sequences are executed in a for-loop, and emanated electromagnetic (EM) signals from the processor are collected by a commercially available device with moderate sampling rate, i.e. sampling rate is much smaller than the clock frequency. Lastly, we apply a mapping of the gathered samples by utilizing modulo of their timings with respect to execution time of overall instruction sequence. As the final step, we provide some experimental results to illustrate that we successfully track the instruction sequence by applying the proposed approach.