Abstract
In the last few decades embedded processors have invaded the modern lifestyle. Embedded systems have hardware and software components. Assuring the integrity of the software is very important, as it is the component that controls what the hardware does through its instructions. Although a number of software integrity verification techniques exist, they often fail to work in embedded environments. One main reason is the memory read protection frequently implemented in today’s microprocessors, which prevents the verifier from reading out the necessary software parts. In this paper we show that side channel leakage (power consumption) can be used to verify the integrity of the software component without prior knowledge of the software code. Our approach uses instruction-level power consumption templates to extract information about the instructions executed by the processor. This information, together with pre-computed signatures, is then used to verify the integrity of the executed application using the RSA signature screening algorithm. The instruction-level templates are constructed ahead of time using a few authentic reference processors.
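The screening step named in the abstract can be sketched as follows. This is an added example, not code from the paper: it assumes a constructed toy RSA key, a SHA-256-based hash with the block index prefixed so that hashed messages stay distinct, and constructed AVR-style instruction lists standing in for what the power-template classifier would recover.

```python
import hashlib
from math import prod

# Constructed toy RSA key built from the Mersenne primes 2^61-1 and 2^89-1.
# Far too small for real use; it only keeps the example fast and offline.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(index, block):
    """Hash one code block to an integer mod N, bound to its position.
    Prefixing the index keeps hashed messages distinct (assumption of this sketch)."""
    data = index.to_bytes(4, "big") + "\n".join(block).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(index, block):
    """Vendor side, done ahead of time: sigma_i = H(i, block_i)^d mod N."""
    return pow(h(index, block), D, N)

def screen(blocks, sigs):
    """Verifier side: one public exponentiation for the whole batch.
    Accept iff (prod sigma_i)^e == prod H(i, block_i)  (mod N)."""
    if len(blocks) != len(sigs):
        return False
    lhs = pow(prod(sigs) % N, E, N)
    rhs = prod(h(i, b) for i, b in enumerate(blocks)) % N
    return lhs == rhs

# Constructed AVR-style instruction sequences standing in for reference firmware.
REFERENCE = [
    ["LDI R16,0x0F", "OUT 0x17,R16", "RJMP loop"],
    ["IN R17,0x16", "ANDI R17,0x01", "BREQ skip"],
    ["INC R18", "ST X+,R18", "RET"],
]
SIGNATURES = [sign(i, b) for i, b in enumerate(REFERENCE)]

def recovered_with_patch():
    """What the classifier would report if one instruction had been changed."""
    blocks = [list(b) for b in REFERENCE]
    blocks[1][2] = "BRNE skip"  # constructed modification
    return blocks

if __name__ == "__main__":
    print("authentic:", screen(REFERENCE, SIGNATURES))
    print("patched:  ", screen(recovered_with_patch(), SIGNATURES))
```

Screening shows that the batch as a whole matches signed content; it does not establish that each individual signature is valid on its own, which is why the verifier checks the product rather than the single values.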
Appendix
A Selected AVR Instructions
Out of the 130 instructions supported by the ATMega163 microcontroller we have selected 39 instructions for our experiment. In Table 1 we present the notation used in Table 2.
In Table 2, the first column is the list of selected instructions, followed by their description. The third column is the operation that the instruction accomplishes when executed. The fourth column is the number of clock cycles that the instruction takes to execute.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Msgna, M., Markantonakis, K., Naccache, D., Mayes, K. (2014). Verifying Software Integrity in Embedded Systems: A Side Channel Approach. In: Prouff, E. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2014. Lecture Notes in Computer Science, vol 8622. Springer, Cham. https://doi.org/10.1007/978-3-319-10175-0_18
DOI: https://doi.org/10.1007/978-3-319-10175-0_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10174-3
Online ISBN: 978-3-319-10175-0
eBook Packages: Computer Science, Computer Science (R0)