Hardware-assisted malware detection for embedded systems

Abstract

Side-channel attacks (SCAs) have risen to prominence in recent years, due to the advancement of measurement technology and machine learning algorithms. This project aims to detect the presence of such attacks on embedded systems, which have gained relevance with the advent of Internet-of-Things (IOT) technology, by analysing hardware-level behavioural changes through the inspection of in-built Hardware Performance Counters (HPCs). In this report, the configuration of a Flush+Reload cache-based side-channel attack was conducted on an ARM device through ARMageddon, with data collection of the HPCs done through the perf command line utility on Linux to characterise system behaviour under both normal and attacked states. Feature analysis and selection were conducted to isolate the relevant affected events, and machine learning approaches such as Neural Networks and XGBoost were used to predict the compromise of a system. Relevant HPCs in side-channel attack detection were found to mainly fall under hardware events and hardware-cache events, while software events remained largely unaffected. High model accuracies for XGBoost (99.99%) and Decision Trees (99.96%) were attained, indicating the feasibility of implementing a lightweight and accurate solution for real-time detection in future studies.

Keywords: Side-channel Attacks, Micro-architectural Events, Hardware Performance Counters, Embedded Systems, Flush+Reload