
Non-intrusive runtime monitoring through power consumption to enforce safety and security properties in embedded systems

Formal Methods in System Design

Abstract

The increasing complexity and connectivity of modern embedded systems highlight the importance of runtime monitoring to ensure correctness and security. This poses a significant challenge, since monitoring tools can break extra-functional requirements such as timing constraints. Non-intrusive program tracing through side-channel analysis techniques have recently appeared in the literature and constitute a promising approach. Existing techniques, however, exhibit important limitations. In this paper, we present a novel technique for non-intrusive program tracing from power consumption, based on a signals and system analysis approach: we view the power consumption signal as the output of a system with the power consumption of training samples as input. Using spectral analysis, we compute the impulse response to identify the system; the intuition is that for the correct training sample, the system will appear close to a system that outputs a shifted copy of the input signal, for which the impulse response is an impulse at the position corresponding to the shift. We also use the Control Flow Graph from the source code to constrain the classifier to valid sequences only, leading to substantial performance improvements over previous works. Experimental results confirm the effectiveness of our technique and show its applicability to runtime monitoring. The experiments include tracing programs that execute randomly generated sequences of functions as well as tracing a real application developed with SCADE. The experimental evaluation also includes a case-study as evidence of the usability of our technique to detect anomalous execution through runtime monitoring.
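As an added illustration of the identification step described in the abstract (example code written for this page, not the paper's implementation): each observed power segment is treated as the output of a system driven by a training template, the impulse response is recovered by spectral division, the share of its energy in the largest tap scores the match, and a hypothetical block graph restricts which functions are tried after the previous one. The naive DFT, the regularisation constant, the templates and the graph are all constructed here; the paper works on real power measurements.

```python
import cmath
import random
def dft(x):
    """Naive O(n^2) DFT; adequate for the short constructed segments used here."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(X):
    n = len(X)
    return [(sum(X[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n).real
            for t in range(n)]

def impulse_response(y, x, lam=0.05):
    """Identify the system with input x (training sample) and output y (observed
    segment): H = Y*conj(X) / (|X|^2 + reg), h = IDFT(H).  The regularisation
    term reg is an assumption, not from the paper; it stops near-zero bins of x
    from amplifying measurement noise."""
    X, Y = dft(x), dft(y)
    reg = lam * sum(abs(v) ** 2 for v in X) / len(X)
    H = [Yk * Xk.conjugate() / (abs(Xk) ** 2 + reg) for Xk, Yk in zip(X, Y)]
    return idft(H)

def shift_score(y, x):
    """Return (fraction of h's energy in its largest tap, tap index).  For a shifted
    copy of x the fraction approaches 1.0 and the index equals the shift."""
    h = impulse_response(y, x)
    energy = [v * v for v in h]
    k = max(range(len(h)), key=energy.__getitem__)
    return energy[k] / sum(energy), k

def decode_trace(segments, templates, cfg_edges):
    """Classify each segment, considering only the functions the graph allows after
    the previously decoded one (all functions for the first segment)."""
    trace, allowed = [], set(templates)
    for seg in segments:
        best = max(allowed, key=lambda f: shift_score(seg, templates[f])[0])
        trace.append(best)
        allowed = cfg_edges[best]
    return trace

def make_demo(n=32, shift=3, noise=0.05, seed=7):
    """Constructed data: random 'templates', a hypothetical block graph, and segments
    that are circularly shifted, lightly noisy copies of the true templates."""
    rng = random.Random(seed)
    templates = {f: [rng.gauss(0, 1) for _ in range(n)] for f in "ABC"}
    cfg_edges = {"A": {"B", "C"}, "B": {"A"}, "C": {"A"}}
    truth = ["A", "C", "A", "B"]
    segments = [[templates[f][(t - shift) % n] + rng.gauss(0, noise) for t in range(n)]
                for f in truth]
    return segments, templates, cfg_edges, truth
```

For a matching template the recovered impulse response is essentially a single tap at the alignment shift; for a wrong template the energy spreads across all taps, which is what the score exploits.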




Notes

  1.  We adopt the electrical engineering convention of using \(\mathrm {j}\) to denote the imaginary unit, to avoid ambiguity with the symbol for electrical current or intensity, i.

  2.  Technically, the resulting graph is not a CFG, since the blocks can contain conditionals; however, it maintains the aspect that is relevant to our application: edges indicate the possible sequences during execution.

  3.  Notice that this was an issue for the experimental evaluation, since we used long random sequences that made the matching and alignment too costly.


Acknowledgements

The authors would like to thank Pansy Arafa, Hany Kashif, and Samaneh Navabpour for their valuable assistance with the CFG and instrumentation infrastructure as well as related discussions. This research was supported in part by the Natural Sciences and Engineering Research Council of Canada and the Ontario Research Fund.

Author information

Correspondence to Carlos Moreno.

Appendices

Appendix A: Instrumentation of the source code

Below are examples of the two instrumented versions of the source code for the case of the ADPCM coder.

[Figures f and g: source listings of the two instrumented versions of the ADPCM coder; not reproduced in this preview.]

Appendix B: Randomized sequences of functions

Below is an example of a randomized sequence of functions. The program running on Workstation 1 randomly chooses the 64-bit seed for the rnd64 PRNG, as well as the functions executed at each step (for example, encrypt and crc32buf were randomly chosen for the first step, sha_update and adpcm_coder for the second step, and so on).

The function randomize_data uses rnd64 to generate pseudorandom input data for the functions. Every eight steps (eight if statements) we re-randomize and assign a new random value to rnd, since each step consumes one of its eight random bits.

[Figure h: source listing of the randomized sequence of functions; not reproduced in this preview.]

Cite this article

Moreno, C., Fischmeister, S. Non-intrusive runtime monitoring through power consumption to enforce safety and security properties in embedded systems. Form Methods Syst Des 53, 113–137 (2018). https://doi.org/10.1007/s10703-017-0298-3
