Power anomalies can reveal malware hiding within embedded systems

Tracking the power fluctuations within embedded systems can catch malware in the act or at least reveal its presence.

Malware is insidious, with literally millions of variants for attackers to choose from, and despite attempts at prevention it occasionally slips past firewalls and other security measures. Researchers at North Carolina State University and the University of Texas at Austin have now developed a way to detect a particularly evasive class of attack: malware that abuses the processor's microarchitecture to get around traditional, software-level defenses. The tool works by tracking power fluctuations within embedded systems and flagging consumption that does not match the system's normal behavior.

The researchers use “embedded systems” broadly: essentially any computer without a physical keyboard, from smartphones to Internet of Things devices. The U.S. military in particular relies on a wide variety of embedded systems, which are often deployed and expected to operate for a decade or longer.

“Embedded systems are used in everything from voice-activated virtual assistants in our homes to industrial control systems like those used in power plants,” explains Aydin Aysu, an assistant professor of electrical and computer engineering at NC State. “Malware that targets those systems can be used to seize control or to steal information.”

Microarchitectural attacks target the implementation of the processor rather than a bug in software. They abuse features such as speculative execution and caches to read data across boundaries the hardware is supposed to enforce, for example between an unprivileged process and the kernel, or between two processes. Malware built on these techniques can steal data from a system without needing a software vulnerability at all. Spectre and Meltdown, disclosed in 2018, are the most prominent examples. Unlike most malware, which exploits flaws in code, these attacks exploit the design of the processor itself, the millions of transistors that work together to execute operations.

Each new attack of this kind is close to unpatchable for embedded systems, which is a real problem. The flaw is in the silicon, so a software or microcode mitigation can at best work around it, usually at a performance cost, and fielded embedded devices frequently never receive such updates. Replacing the hardware is rarely an option for systems expected to run for a decade or longer.

Simply put, Spectre and Meltdown exploit the fact that the time an operation takes depends on the data it handles and on what the processor has done recently. Consider someone trying to guess a PIN against a check that stops comparing at the first wrong digit. They start by varying the first digit, guessing “1111”, “2111”, and so on up to “9111”. If the first eight guesses take the same amount of time but “9111” takes a nanosecond longer, that guess most likely has the “9” right, so the attacker fixes it and moves on to the second digit, guessing “9111” through “9911”, and continues from there. Such “timing attacks” turn a difference in execution time into information about secret data.

One operation that gives off such a signal is accessing memory: a location that is already in the cache is read far faster than one that has to be fetched from main memory. An attacker can coax a processor into speculatively executing code that reads memory it should not be allowed to read. Even though the processor discards the result once it discovers the access was not permitted, the speculative path has already pulled a cache line that depends on the secret value into the cache, and the attacker can find out which line that was by timing its own accesses.
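To make that mechanism concrete, here is a toy simulation of the cache-timing leak, written for this page; it is not code from the paper or from the Spectre and Meltdown authors. The cache, its hit and miss latencies, the 16-byte public buffer with a secret byte stored just past it, and the probe-array layout are all constructed for the model, and no real hardware is involved.

```python
"""Toy model of a transient-execution cache side channel.

Added example, not code from the paper: it simulates why a speculative load
that is later squashed still leaks. Assumed and constructed: fixed hit/miss
latencies, one probe line per byte value, a 16-byte public buffer with the
secret byte stored right after it, and a seeded jitter source. Nothing here
touches real hardware or real caches.
"""
import random

HIT_LATENCY = 40       # cycles for a line already in cache (constructed)
MISS_LATENCY = 300     # cycles for a line fetched from DRAM (constructed)
LINE_SIZE = 64         # bytes per cache line
PROBE_STRIDE = 4096    # one page per value, so values map to distinct lines


class ToyCache:
    """Set of resident lines plus a noisy latency model for each access."""

    def __init__(self, seed=1):
        self.lines = set()
        self.rng = random.Random(seed)

    def flush(self):
        self.lines.clear()

    def access(self, addr):
        """Touch addr, return the measured latency, and leave the line cached."""
        line = addr // LINE_SIZE
        latency = HIT_LATENCY if line in self.lines else MISS_LATENCY
        self.lines.add(line)
        return latency + self.rng.randint(0, 15)   # timer jitter


class Victim:
    """Code with a correct bounds check whose transient path still loads."""

    def __init__(self, cache, secret):
        self.cache = cache
        self.public = bytes(range(16))               # constructed public data
        self.memory = self.public + bytes([secret])  # secret sits at index 16

    def read(self, idx, probe_base):
        in_bounds = idx < len(self.public)
        # Modelled transient window: the load and the dependent probe access
        # are issued before the branch on in_bounds resolves. When the check
        # fails the architectural result is discarded, but the cache line
        # touched by the dependent access stays resident.
        value = self.memory[idx]
        self.cache.access(probe_base + value * PROBE_STRIDE)
        return self.public[idx] if in_bounds else None


def recover_byte(victim, cache, probe_base, idx):
    """Flush, trigger the out-of-bounds read, then time every probe line.

    The victim returns None for idx >= 16 (the read 'fails'), yet the fastest
    probe line reveals the byte at that index.
    """
    cache.flush()
    victim.read(idx, probe_base)   # architecturally returns None for idx 16
    timings = {v: cache.access(probe_base + v * PROBE_STRIDE) for v in range(256)}
    return min(timings, key=timings.get)


def demo(secret=0xA5):
    """Plant a secret, leak it through the probe array, return the recovered byte."""
    cache = ToyCache(seed=7)
    victim = Victim(cache, secret)
    return recover_byte(victim, cache, probe_base=0x100000, idx=16)


if __name__ == "__main__":
    print(hex(demo()))   # 0xa5, recovered without the secret ever being returned
```

The point to notice is that Victim.read returns None for index 16, exactly as a correct bounds check should, yet recover_byte still identifies the secret because the only thing it measures is which probe line is fast. Real attacks must cope with prefetchers, noisy timers and many repetitions per byte; the model leaves all of that out.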

Microarchitectural attacks are fairly difficult to catch with conventional tools, because they are extremely stealthy: they leave few traces in software for antivirus or intrusion-detection systems to spot. “But we’ve found a way to detect them,” Aysu says. “We have a good idea of what power consumption looks like when embedded systems are operating normally. By looking for anomalies in power consumption, we can tell that there is malware within a system – even if we can’t identify the malware directly.”

The researchers say their power-monitoring solution could be built into smart batteries for future embedded systems. Existing devices would need plug-and-play add-on hardware to capture the power measurements the detection tool relies on.

The solution has limitations. One, the researchers point out, is that the detection tool depends on the embedded system’s power reporting, so it can be no more accurate than the measurements it receives. When they tested it in the lab, they also found that in some cases the detector could be evaded if the malware reshapes its activity to mimic “normal” power-usage patterns.

But even if this occurs, the technique still “provides an advantage,” Aysu says. “We found that the effort required to mimic normal power consumption and evade detection forced malware to slow down its data transfer rate by between 86% and 97%. In short, our approach can still reduce the effects of malware – even in those few instances where the malware isn’t detected.”
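The following added example, which is not the paper's code, sketches the detection idea and the evasion trade-off described in the three paragraphs above. It learns the distribution of per-window average power on clean traces, flags windows above a 3-sigma threshold, and then asks how many bits per window a covert channel can send if it must stay under that threshold. The power model, window size, per-bit cost and the simplified evasion strategy (stay under the learned threshold rather than mimic a full normal pattern) are all assumptions of the example.

```python
"""Power-anomaly detection of a cache covert channel, and what evasion costs.

Added example, not the paper's code. Every number is constructed: a baseline
around 100 mW with Gaussian noise, a fixed average power cost per transmitted
bit per window, a 50-sample window and a 3-sigma threshold on the window mean.
The evasion strategy modelled (keep each window's mean under the learned
threshold) is a simplification of the mimicry the paper describes.
"""
import random
import statistics

WINDOW = 50            # power samples per detection window
BASELINE_MW = 100.0    # normal average power (constructed)
NOISE_MW = 3.0         # per-sample noise standard deviation (constructed)
BIT_COST_MW = 0.2      # average power added per bit sent in a window (constructed)
FULL_RATE_BITS = 25    # bits per window for the unthrottled covert channel


def power_trace(rng, n_windows, bits_per_window=0):
    """Sampled power (mW) for n_windows windows; the sender adds a fixed cost per bit."""
    extra = bits_per_window * BIT_COST_MW
    return [BASELINE_MW + extra + rng.gauss(0, NOISE_MW)
            for _ in range(n_windows * WINDOW)]


def window_means(trace):
    """Average power of each full WINDOW-sample window in the trace."""
    return [statistics.fmean(trace[i:i + WINDOW])
            for i in range(0, len(trace) - WINDOW + 1, WINDOW)]


class PowerAnomalyDetector:
    """Learns the distribution of window means on clean traces, flags outliers."""

    def __init__(self, k_sigma=3.0):
        self.k_sigma = k_sigma
        self.mu = None
        self.sigma = None

    def fit(self, clean_trace):
        means = window_means(clean_trace)
        self.mu = statistics.fmean(means)
        self.sigma = statistics.stdev(means)
        return self

    @property
    def threshold(self):
        return self.mu + self.k_sigma * self.sigma

    def flags(self, trace):
        """One boolean per window: True if its mean exceeds the threshold."""
        return [m > self.threshold for m in window_means(trace)]


def flagged_fraction(detector, trace):
    """Share of windows the detector reports as anomalous."""
    f = detector.flags(trace)
    return sum(f) / len(f)


def stealth_bits_per_window(detector, safety=0.5):
    """Largest bit count whose added power stays inside a fraction of the margin.

    The sender is assumed to know (or estimate) the detector's margin and to
    spend only `safety` of it, leaving room for its own noise.
    """
    margin = detector.threshold - detector.mu
    return int(margin * safety // BIT_COST_MW)


def rate_reduction(full_bits, stealth_bits):
    """Fraction of the covert channel's throughput given up to stay undetected."""
    return 1.0 - stealth_bits / full_bits


def demo(seed=2024):
    """Train on clean power, then compare a loud and a throttled covert channel."""
    rng = random.Random(seed)
    det = PowerAnomalyDetector().fit(power_trace(rng, n_windows=400))
    clean = flagged_fraction(det, power_trace(rng, 100))
    loud = flagged_fraction(det, power_trace(rng, 100, FULL_RATE_BITS))
    k = stealth_bits_per_window(det)
    quiet = flagged_fraction(det, power_trace(rng, 100, k))
    return {"threshold_mw": det.threshold, "clean": clean, "loud": loud,
            "stealth_bits": k, "quiet": quiet,
            "reduction": rate_reduction(FULL_RATE_BITS, k)}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:>13}: {val:.3f}" if isinstance(val, float) else f"{key:>13}: {val}")
```

On the seeded run the unthrottled channel is flagged in essentially every window, the throttled one in only a few, and the throttling cuts its throughput by well over three quarters. The numbers depend entirely on the constructed parameters; the paper's 86% to 97% figure comes from its own hardware measurements, not from this model. A real detector would also use richer features than the window mean, such as variance or spectral content, to make mimicry harder.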

Power-anomaly detection is a simple defense that “can help future-proof embedded systems against vulnerabilities that are likely to emerge as new hardware like phase-change memories and accelerators become mainstream,” according to the group.

The researchers presented a paper, “Using Power-Anomalies to Detect Evasive Micro-Architectural Attacks in Embedded Systems,” at IEEE’s International Symposium on Hardware-Oriented Security and Trust (HOST), held in May 2019. It was coauthored by Shijia Wei, Michael Orshansky, Andreas Gerstlauer and Mohit Tiwari of the University of Texas at Austin, and Aydin Aysu of NC State.

This work received support through grants from Lockheed Martin and the National Science Foundation.