Abstract
The increasing complexity and connectivity of modern embedded systems highlight the importance of runtime monitoring to ensure correctness and security. This poses a significant challenge, since monitoring tools can break extra-functional requirements such as timing constraints. Non-intrusive program tracing through side-channel analysis techniques has recently appeared in the literature and constitutes a promising approach. Existing techniques, however, exhibit important limitations. In this paper, we present a novel technique for non-intrusive program tracing from power consumption, based on a signals and system analysis approach: we view the power consumption signal as the output of a system with the power consumption of training samples as input. Using spectral analysis, we compute the impulse response to identify the system; the intuition is that for the correct training sample, the system will appear close to a system that outputs a shifted copy of the input signal, for which the impulse response is an impulse at the position corresponding to the shift. We also use the Control Flow Graph from the source code to constrain the classifier to valid sequences only, leading to substantial performance improvements over previous works. Experimental results confirm the effectiveness of our technique and show its applicability to runtime monitoring. The experiments include tracing programs that execute randomly generated sequences of functions as well as tracing a real application developed with SCADE. The experimental evaluation also includes a case study as evidence of the usability of our technique to detect anomalous execution through runtime monitoring.
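The two ideas in the abstract, identifying the "training sample to observed trace" system through its impulse response and then restricting the classifier to sequences the Control Flow Graph allows, can be shown end to end on synthetic data. The following Python script is an added illustration written for this page; it is not the authors' implementation and none of its choices are taken from the paper beyond what the abstract states. It assumes a plain O(N^2) DFT instead of an FFT library, a regularised spectral division (Y·conj(X)/(|X|^2+eps)) as one concrete way to compute the impulse response, four constructed power signatures ("A" to "D", with "D" a near-copy of "B") and a constructed CFG, and a Viterbi search as the way to enforce the CFG constraint. The score of a candidate template is the fraction of impulse-response energy sitting in its largest tap, which is close to 1 when the response is close to a single impulse.

```python
import cmath
import math
import random

N = 64  # samples per segment (constructed; real traces are far longer)


def dft(x):
    """Plain O(N^2) DFT; N is small here, so no FFT library is needed.
    Python writes the imaginary unit as j, matching the paper's notation."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(X):
    """Inverse DFT, returning the real part (our signals are real-valued)."""
    n = len(X)
    return [sum(X[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]


def impulse_response(observed, template, reg=1e-2):
    """Identify the system that maps `template` (input) to `observed` (output).
    H(k) = Y(k) conj(X(k)) / (|X(k)|^2 + eps) is a regularised spectral division
    (assumed here; eps is `reg` times the mean template power, so near-empty
    frequency bins cannot blow up).  h = IDFT(H) is the impulse response."""
    X, Y = dft(template), dft(observed)
    eps = reg * sum(abs(x) ** 2 for x in X) / len(X)
    H = [y * x.conjugate() / (abs(x) ** 2 + eps) for x, y in zip(X, Y)]
    return idft(H)


def match_score(observed, template):
    """Return (fraction of impulse-response energy in the largest tap, tap index).
    For the correct template the response is nearly an impulse at the shift
    between template and observation, so the fraction is close to 1."""
    h = impulse_response(observed, template)
    energy = sum(v * v for v in h)
    if energy == 0.0:
        return 0.0, 0
    peak = max(range(len(h)), key=lambda i: abs(h[i]))
    return h[peak] ** 2 / energy, peak


# --- constructed sample data: power signatures of four functions ------------
_rng = random.Random(7)


def _synth_template():
    return [_rng.uniform(-1.0, 1.0) for _ in range(N)]  # mean-free samples


TEMPLATES = {"A": _synth_template(), "B": _synth_template(), "C": _synth_template()}
# D: a function whose signature is nearly identical to B (4 samples differ),
# the kind of confusable pair that makes per-segment classification ambiguous.
TEMPLATES["D"] = [v + (0.3 if t in (3, 17, 40, 58) else 0.0)
                  for t, v in enumerate(TEMPLATES["B"])]

# Constructed control flow: after A the program may only run B or C;
# D is never reachable from A.
CFG = {"A": {"B", "C"}, "B": {"A"}, "C": {"A"}, "D": {"A"}}
START = {"A"}


def shifted_noisy(template, shift, sigma=0.05):
    """Observation of `template` executed `shift` samples late, plus noise."""
    return [template[(t - shift) % N] + _rng.gauss(0.0, sigma) for t in range(N)]


# Two consecutive segments of an observed trace: A delayed by 5 samples,
# then a segment that matches D's signature exactly (and B's almost).
SEGMENTS = [shifted_noisy(TEMPLATES["A"], 5), list(TEMPLATES["D"])]


def unconstrained_trace(segments, templates):
    """Per-segment argmax, ignoring which sequences the program can produce."""
    return [max(templates, key=lambda f: match_score(seg, templates[f])[0])
            for seg in segments]


def decode_trace(segments, templates, cfg, start):
    """Viterbi search over function sequences: maximise the summed match score
    subject to every consecutive pair being a CFG edge.  Returns None when no
    valid sequence explains the trace, which is itself an anomaly signal."""
    if not segments:
        return []
    scores = [{f: match_score(seg, templates[f])[0] for f in templates}
              for seg in segments]
    best = {f: (scores[0][f], [f]) for f in start}
    for i in range(1, len(segments)):
        nxt = {}
        for prev, (total, path) in best.items():
            for f in cfg.get(prev, ()):
                cand = (total + scores[i][f], path + [f])
                if f not in nxt or cand[0] > nxt[f][0]:
                    nxt[f] = cand
        best = nxt
        if not best:
            return None
    return max(best.values(), key=lambda v: v[0])[1]


if __name__ == "__main__":
    print("unconstrained:", unconstrained_trace(SEGMENTS, TEMPLATES))
    print("CFG-constrained:", decode_trace(SEGMENTS, TEMPLATES, CFG, START))
```

On the constructed data the first segment scores near 1 against "A" with the peak at tap 5 (the injected delay) and well below 0.5 against the other templates. The second segment is the interesting one: the per-segment classifier prefers "D", a function the program cannot reach from "A", while the CFG-constrained decoder returns the only valid explanation, "A" followed by "B". A `None` result from `decode_trace` means no path through the CFG fits the observed trace at all, which is the condition a runtime monitor would raise as anomalous execution.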
Notes
We adopt the electrical engineering convention of using \(\mathrm {j}\) to denote the imaginary unit, to avoid ambiguity with the symbol for electrical current or intensity, i.
Technically, the resulting graph is not a CFG, since the blocks can contain conditionals; however, it maintains the aspect that is relevant to our application: edges indicate the possible sequences during execution.
Notice that this was an issue for the experimental evaluation, since we used long random sequences that made the matching and alignment too costly.
Acknowledgements
The authors would like to thank Pansy Arafa, Hany Kashif, and Samaneh Navabpour for their valuable assistance with the CFG and instrumentation infrastructure as well as related discussions. This research was supported in part by the Natural Sciences and Engineering Research Council of Canada and the Ontario Research Fund.
Appendices
Appendix A: Instrumentation of the source code
Below are examples of the two instrumented versions of the source code for the case of the ADPCM coder.
Appendix B: Randomized sequences of functions
Below is an example of a randomized sequence of functions. The program running on Workstation 1 randomly chooses the 64-bit seed for the rnd64 PRNG, as well as the choice of functions at each step (for example, encrypt and crc32buf were randomly chosen for the first step, sha_update and adpcm_coder for the second step, and so on).
The function randomize_data uses rnd64 to generate pseudorandom input data for the functions. Every eight steps (eight if statements) we re-randomize and assign a new random value to rnd, since each step consumes one of its eight random bits.
Cite this article
Moreno, C., Fischmeister, S. Non-intrusive runtime monitoring through power consumption to enforce safety and security properties in embedded systems. Form Methods Syst Des 53, 113–137 (2018). https://doi.org/10.1007/s10703-017-0298-3