The B-Side of Side Channel Leakage: Control Flow Security in Embedded Systems

  • Mehari Msgna
  • Konstantinos Markantonakis
  • Keith Mayes
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 127)


The security of an embedded system is often compromised when a “trusted” program is subverted to behave differently. Such as executing maliciously crafted code and/or skipping legitimate parts of a “trusted” program. Several countermeasures have been proposed in the literature to counteract these behavioural changes of a program. A common underlying theme in most of them is to define security policies at the lower level of the system in an independent manner and then check for security violations either statically or dynamically at runtime. In this paper we propose a novel method that verifies a program’s behaviour, such as the control flow, by using the device’s side channel leakage.


Side Channel Leakage Power Consumption Program’s Control Flow Hidden Markov Model Principal Components Analysis Linear Discriminant Analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Feng, A., Knieser, M., Rizkalla, M.E., King, B., Salama, P., Bowen, F.: Embedded system for sensor communication and security. IET Information Security 6(2), 111–121 (2012)CrossRefGoogle Scholar
  2. 2.
    Shoufan, A.: A hardware security module for quadrotor communication. In: International Conference on Field-Programmable Technology (FPT), December 10-12, 2012, pp. 253–256. IEEE (2012)Google Scholar
  3. 3.
    Jaeger, A., Stuebing, H., Huss, S.: A dedicated hardware security module for field operational tests of Car-to-X communication. In: 4th ACM Conference on Wireless Network Security (WiSec 2011) (June 2011)Google Scholar
  4. 4.
    Parameswaran, S., Wolf, T.: Embedded systems security - an overview. Design Autom. for Emb. Sys. 12(3), 173–183 (2008)CrossRefGoogle Scholar
  5. 5.
    Bouffard, G., Iguchi-Cartigny, J., Lanet, J.-L.: Combined software and hardware attacks on the Java Card control flow. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 283–296. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Francillon, A., Castelluccia, C.: Code injection attacks on Harvard-architecture devices. In: ACM Conference on Computer and Communications Security, October 27-31, pp. 15–26. ACM (2008)Google Scholar
  7. 7.
    Delalleau, G.: Large memory management vulnerabilities: System, compiler and application issues, (visited April 2013)
  8. 8.
    Arora, D., Ravi, S., Raghunathan, A., Jha, N.K.: Hardware-assisted run-time monitoring for secure program execution on embedded processors. IEEE Trans. VLSI Syst. 14(12), 1295–1308 (2006)CrossRefGoogle Scholar
  9. 9.
    Abadi, M., Budiu, M., Erlingsson, Ú., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Trans. Inf. Syst. Secur. 13(1) (2009)Google Scholar
  10. 10.
    Frantzen, M., Shuey, M.: StackGhost: Hardware facilitated stack protection. In: Wallach, D.S. (ed.) 10th USENIX Security Symposium, August 13-17. USENIX (2001)Google Scholar
  11. 11.
    Francillon, A., Perito, D., Castelluccia, C.: Defending embedded systems against control flow attacks. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, SecuCode 2009, pp. 19–26. ACM, New York (2009)CrossRefGoogle Scholar
  12. 12.
    Kil, C., Jun, J., Bookholt, C., Xu, J., Ning, P.: Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In: Annual Computer Security Applications Conference (ACSAC), December 11-15, pp. 339–348. IEEE Computer Society (2006)Google Scholar
  13. 13.
    Cowan, C., Pu, C., Maier, D., Hinton, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Symposium, vol. 81, pp. 346–355 (1998)Google Scholar
  14. 14.
    Edward Suh, G., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), October 7-13, pp. 85–96. ACM (2004)Google Scholar
  15. 15.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Dhem, J.-F., Koeune, F., Leroux, P.-A., Mestré, P., Quisquater, J.-J., Willems, J.-L.: A practical implementation of the timing attack. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 167–182. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. 17.
    Arnaud, C., Fouque, P.-A.: Timing attack against protected RSA-CRT implementation used in PolarSSL. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 18–33. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  19. 19.
    Popp, T., Mangard, S., Oswald, E.: Power analysis attacks and countermeasures. IEEE Design & Test of Computers 24(6), 535–543 (2007)CrossRefzbMATHGoogle Scholar
  20. 20.
    Oswald, D., Paar, C.: Breaking Mifare DESFire MF3ICD40: Power analysis and templates in the real world. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 207–222. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  21. 21.
    Heyszl, J., Mangard, S., Heinz, B., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of cryptographic implementations. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 231–244. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  22. 22.
    Gu, K., Wu, L., Li, X., Zhang, X.: Design and implementation of an electromagnetic analysis system for smart cards. In: Wang, Y., Cheung, Y.M., Guo, P., Wei, Y. (eds.) CIS, Sanya, Hainan, China, December 3-4, pp. 653–656. IEEE (2011)Google Scholar
  23. 23.
    Van Eck, W., Laborato, N.: Electromagnetic radiation from video display units: An eavesdropping risk? Computers & Security 4, 269–286 (1985)CrossRefGoogle Scholar
  24. 24.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer (2002)Google Scholar
  25. 25.
    Tuchman, W.: A brief history of the data encryption standard. In: Denning, D., Denning, P. (eds.) Internet Besieged, pp. 275–280. ACM Press/Addison-Wesley Publishing Co., New York (1998)Google Scholar
  26. 26.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Vermoen, D., Witteman, M., Gaydadjiev, G.N.: Reverse engineering Java Card applets using power analysis. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 138–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  28. 28.
    Eisenbarth, T., Paar, C., Weghenkel, B.: Building a side channel based disassembler. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds.) Transactions on Computational Science X. LNCS, vol. 6340, pp. 78–99. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  29. 29.
    Clavier, C.: Side channel analysis for reverse engineering (SCARE) - an improved attack against a secret A3/A8 GSM algorithm. IACR Cryptology ePrint Archive 2004, 49 (2004)Google Scholar
  30. 30.
    Lee, S., Ermedahl, A., Min, S.L., Chang, N.: An accurate instruction-level energy consumption model for embedded RISC processors. In: Hong, S., Pande, S. (eds.) LCTES/OM, Snowbird, Utah, USA, June 22-23, pp. 1–10. ACM (2001)Google Scholar
  31. 31.
    Kavvadias, N., Neofotistos, P., Nikolaidis, S., Kosmatopoulos, C.A., Laopoulos, T.: Measurements analysis of the software-related power consumption in microprocessors. IEEE T. Instrumentation and Measurement 53(4), 1106–1112 (2004)CrossRefGoogle Scholar
  32. 32.
    Mayes, K., Markantonakis, K., Chen, C.: Smart card platform-fingerprinting. In: Advanced Card Technology, pp. 78–82 (October 2006)Google Scholar
  33. 33.
    Allen, F.: Control flow analysis. In: Proceedings of a Symposium on Compiler Optimization, pp. 1–19. ACM, New York (1970)CrossRefGoogle Scholar
  34. 34.
    Popp, T., Mangard, S., Oswald, E.: Power analysis attacks and countermeasures. IEEE Design & Test of Computers 24(6), 535–543 (2007)CrossRefzbMATHGoogle Scholar
  35. 35.
    Fink, A.: Markov Models for Pattern Recognition. Springer (2008)Google Scholar
  36. 36.
    Rabiner, L.: A tutorial on Hidden Markov Models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257–286 (1989)CrossRefGoogle Scholar
  37. 37.
    Gut, A.: An Intermediate Course In Probability, 2nd edn. Springer, Department of Mathematics, Uppsala University, Sweden (2009)CrossRefzbMATHGoogle Scholar
  38. 38.
    Berrendero, J.R., Justel, A., Svarc, M.: Principal components for multivariate functional data. Computational Statistics & Data Analysis 55(9), 2619–2634 (2011)MathSciNetCrossRefGoogle Scholar
  39. 39.
    Strang, G.: Introduction to Linear Algebra, 3rd edn. Wellesley-Cambridge Press, MA (2003)zbMATHGoogle Scholar
  40. 40.
    Fisher, R.A.: The use of multiple measurements in taxonomic problems. Annals of Eugenics 7, 179–188 (1936)CrossRefGoogle Scholar
  41. 41.
    Fukumi, M., Mitsukura, Y.: Feature generation by simple-FLDA for pattern recognition. In: CIMCA/IAWTIC, November 28-30, pp. 730–734. IEEE Computer Society (2005)Google Scholar
  42. 42.
    Zhang, L., Wang, D., Gao, S.: Application of improved Fisher Linear Discriminant Analysis approaches. In: International Conference on Management Science and Industrial Engineering (MSIE), pp. 1311–1314 (2011)Google Scholar
  43. 43.
    Forney Jr., D.: The Viterbi Algorithm: A personal history. CoRR, abs/cs/0504020 (2005)Google Scholar
  44. 44.
    Teledyne LeCroy. Teledyne LeCroy website, (visited February 2013)
  45. 45.
    Pomona Electronics. 6069A Scope Probe, (visited October 2012)
  46. 46.
    MATLAB. Version (R2010a). The MathWorks, Inc., Natick, Massachusetts (2013),
  47. 47.
    MATLAB. Hidden Markov Model most probable state path, (visited March 2013)
  48. 48.
    Atkins Limited. MALPAS, (visited April 2013)

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2013

Authors and Affiliations

  • Mehari Msgna
    • 1
  • Konstantinos Markantonakis
    • 1
  • Keith Mayes
    • 1
  1. 1.Smart Card Centre, Information Security GroupRoyal Holloway, University of LondonEghamUK

Personalised recommendations