The Leveraging the Analog Domain for Security (LADS) program seeks out new technologies for monitoring device signals that operate separately from the embedded system being monitored. In this way, even full compromise of the system cannot lead to compromise of the security-monitoring functionality. The goal of the LADS program is to develop new cybersecurity capability by exploring the intersection of the analog and digital domains in order to enable high-fidelity, high-accuracy introspection of fielded Embedded and Mission-specific Devices. According to DARPA, these devices (EMSDs) have numerous limitations, which include:
- low computational resources;
- physical constraints;
- intermittent connectivity;
- lack of trustworthy visibility into system status and operations;
- cost sensitivity;
- limited interactivity;
- difficulty to augment once fielded; and
- the lack of standardized hardware and software platforms.
Although its primary focus is the development of techniques for detecting attackers by monitoring the analog emissions of EMSDs, the LADS program also seeks to produce applications relevant to traditional IT devices.
As stated in DARPA’s initial solicitation, the goal of this program is to allow a decoupled monitoring device to confirm and report the current state of the monitored device’s software (2015). To achieve this end, the LADS program must first identify and quantify analog channels conveying useful information about the EMSD’s internal state. Next, the program must map the device’s hardware, firmware, configuration and input/output data to an analog emissions model that can capture attacker behavior. Third, the program must track device emissions with sufficient fidelity to discern interesting deviations (attacks) while also exploring the impact of various physical parameters (noise). Over the past two years, the LADS program has delivered several publicly accessible research publications demonstrating the Phase I progress of this research. This research may be categorized into three principal focus areas: (1) methods for sensing electromagnetic emanations of computer systems, (2) methods for profiling systems using electromagnetic emanations, and (3) methods of applying electromagnetic profiles to detect deviations in program execution.
Assessing for Side-channel Vulnerabilities
In A Method for Finding Frequency-modulated and Amplitude-modulated Electromagnetic Emanations in Computer Systems (2017), Georgia Institute of Technology and Northrop Grumman researchers presented an algorithm for automatically finding AM- and FM-modulated signals that potentially expose sensitive information (Prvulovic, Zajic, Callan, & Wang). Both radio-wave side-channel attacks and their countermeasures depend on the ability to find the range of amplitudes and frequencies of existing “strong signals” that are modulated by system processing and memory activity. Information leakage occurs when system activities can be linked to sensitive information, such as cryptographic keys. Unlike prior approaches, which rely on ad hoc, application-specific ways of discovering frequency ranges by observing a program over time, the proposed measurement method automatically identifies all frequencies at which at least some activity information will leak, determines the type of modulation, and determines the quality of the signals. In this way, the proposed method offers a powerful diagnostic tool for broadly assessing the potential vulnerabilities of system circuits, while reducing both the error and the time consumption of pattern detection.
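The search described above, sharpened into runnable form as an added example (it is not the researchers’ code, and the measurement set-up is assumed): three magnitude spectra are captured, one with activity A running alone, one with activity B alone, and one with the workload alternating between A and B at a known rate F_ALT. A carrier whose frequency differs between the A-only and B-only captures is FM-modulated by the activity; a carrier that keeps its frequency but grows sidebands at ±F_ALT in the alternating capture is AM-modulated; a carrier that does neither leaks nothing about the activity. The spectra here are constructed dictionaries of frequency (kHz) to level (dB), not real measurements.

```python
import random
import statistics

# Hypothetical measurement parameters (assumptions, not from the paper): spectra are
# sampled in 1 kHz bins from 0 to F_MAX kHz, and the test workload alternates between
# activity A and activity B so that the activity itself has frequency F_ALT.
F_MAX = 2000             # kHz
F_ALT = 10               # kHz, rate of the A/B alternation
CARRIER_MARGIN_DB = 20   # a local maximum this far above the floor is a candidate carrier
SIDEBAND_MARGIN_DB = 10  # a sideband must rise this far above the noise floor


def make_spectrum(peaks, floor_db=-90.0, seed=1):
    """Constructed magnitude spectrum: a flat noise floor (+/-2 dB) plus the given peaks.

    peaks maps frequency (kHz) -> level (dB)."""
    rng = random.Random(seed)
    spec = {f: floor_db + rng.uniform(-2.0, 2.0) for f in range(F_MAX + 1)}
    spec.update(peaks)
    return spec


def noise_floor(spec):
    """The median level is a robust floor estimate because peaks occupy few bins."""
    return statistics.median(spec.values())


def find_carriers(spec):
    """Local maxima that stand CARRIER_MARGIN_DB above the floor (the 'strong signals')."""
    thr = noise_floor(spec) + CARRIER_MARGIN_DB
    return [f for f in range(1, F_MAX)
            if spec[f] > thr and spec[f] > spec[f - 1] and spec[f] > spec[f + 1]]


def level_near(spec, f, tol=1):
    """Strongest bin within +/-tol kHz of f (tolerates slight frequency error)."""
    return max(spec.get(g, float("-inf")) for g in range(f - tol, f + tol + 1))


def has_sidebands(spec, fc):
    """AM signature: energy at fc - F_ALT and fc + F_ALT in the alternating capture."""
    thr = noise_floor(spec) + SIDEBAND_MARGIN_DB
    return level_near(spec, fc - F_ALT) > thr and level_near(spec, fc + F_ALT) > thr


def peak_near(spec, fc, window=5):
    """Frequency of the strongest bin within +/-window kHz of fc."""
    return max(range(fc - window, fc + window + 1),
               key=lambda g: spec.get(g, float("-inf")))


def classify_carriers(spec_a, spec_b, spec_alt):
    """Label each carrier found under activity A as FM, AM or unmodulated.

    FM: the carrier sits at a different frequency under A than under B.
    AM: the carrier keeps its frequency but shows sidebands at +/-F_ALT when the
        workload alternates between A and B."""
    result = {}
    for fc in find_carriers(spec_a):
        if peak_near(spec_b, fc) != fc:
            result[fc] = "FM"
        elif has_sidebands(spec_alt, fc):
            result[fc] = "AM"
        else:
            result[fc] = "unmodulated"
    return result


# Constructed captures (not real measurements). 500 kHz: a clock harmonic that is
# AM-modulated by the activity; 1200 kHz: a carrier that is FM-modulated (shifts 3 kHz
# between activities); 1700 kHz: strong but unaffected by the workload.
SPEC_A = make_spectrum({500: -40.0, 1200: -45.0, 1700: -50.0})
SPEC_B = make_spectrum({500: -40.0, 1203: -45.0, 1700: -50.0})
SPEC_ALT = make_spectrum({500: -40.0, 490: -75.0, 510: -75.0,
                          1200: -48.0, 1203: -48.0, 1700: -50.0})

if __name__ == "__main__":
    for fc, kind in sorted(classify_carriers(SPEC_A, SPEC_B, SPEC_ALT).items()):
        print(f"{fc:5d} kHz: {kind}")
```

The 500 kHz carrier is reported as AM, the 1200 kHz carrier as FM, and the 1700 kHz carrier as unmodulated. Real carriers span more than one bin and real sidebands are weaker and noisier, so a practical tool would average several captures and widen the tolerances in `level_near` and `peak_near`; the classification logic itself is unchanged.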
In Characterization of Riscure 1-GHz Low Sensitivity Probe for Side Channel Analysis (2017), the Riverside Research team investigated the problem of side-channel radio-frequency emissions (Graham, Baldwin, & Sampathkumar). The most common method for extracting side-channel information from targeted devices is near-field placement of antenna-amplified probes. The probes detect and amplify radio-frequency emissions and pass the signal on for analysis and testing. Side-channel attacks use observable characteristics of a system’s operation, such as timing, power consumption, electromagnetic (EM) radiation, acoustic “noise”, and temperature variation, to statistically derive sensitive, even encrypted, information. This study compared signal sensitivity as a function of near-field antenna characteristics to determine peak frequency responses. Further, it characterized the effective source-receiver distance, cross-talk and spatial-signal averaging at various distances for signal attenuation and normalization.
Similarly, in Path Loss Prediction for Electromagnetic Side-Channel Signals (2017), the Georgia Tech/Northrop Grumman research team investigated the propagation mechanisms that EM side-channel signals experience at different frequencies (Zajic, Prvulovic, & Chu). They proposed models for both near-field and far-field propagation, which help to inform an understanding of the distances at which side-channel signals might be received at low frequencies. Because they are assumed to require the attacker’s close (within millimeters) and prolonged proximity, EM side-channel attacks are not perceived as serious security threats. However, EM side-channel signals can be received across meters, and even through a wall. To quantitatively determine the effect of distance on the power of EM side-channel signals, the research team used the SAVAT exposure metric, which provides essential feedback to programmers on the execution instructions posing the greatest vulnerability to side-channel attack.
System Profiling via EM Emissions
Program profiling is a type of dynamic analysis that measures aspects of software behavior in order to identify the regions of code that consume the bulk of execution time (i.e. hot paths, or hot regions). It is used both to optimize programs and to understand performance problems. Typically, performance analysis is implemented by adding software probes, which log or sample data for specific events. Adding such instrumentation increases both runtime and processing overhead. Additionally, profiling to diagnose performance issues of fielded systems presents a unique challenge in terms of hardware requirements, costs, effort and time. For some systems in real-time/cyber-physical domains, profiling instrumentation generates an “observer effect” that disrupts “normal” program execution. In an effort to approach the ideal profiling solution, one that produces accurate information through non-intrusive means, Georgia Tech researchers derived two profiling methodologies using EM emissions: Zero-overhead Profiling and Spectral Profiling.
Zero-overhead Profiling (ZOP) records and analyzes the unintentional EM emanations generated during program execution in order to track the program’s execution path and thereby generate profiling information (Callan, Behrang, Zajic, Prvulovic, & Orso, 2016). During the training phase, ZOP uses the system’s EM emanations from runs with known inputs to build a model of the waveforms produced by different code fragments. In the profiling phase, this model is used to infer, from runs with unknown inputs, which parts of the code are being executed and at what times. If a program executes with the same inputs several times, the EM emanations may vary significantly between runs. Additionally, both external radio-frequency emissions and unrelated internal system activities introduce variations. In all cases, these variations are smaller than the waveform differences between executions of different paths through the program. Through their proof of concept, the research team demonstrated that, with sufficient observations of static paths during the training phase, ZOP enables accurate recognition of dynamic instances.
Like ZOP, Spectral Profiling offers an instrumentation-free approach to system profiling by monitoring the EM emanations of side-channel signals. However, ZOP uses time-domain correlation of acyclic paths, which is computationally intensive and has only been evaluated for short program runs. Spectral Profiling instead exploits the connection between EM-signal “spikes” and periodic program behavior (loops) to provide at-speed profiling of long runs (Sehatbakhsh, Nazari, Zajic, & Prvulovic, 2016). The spectral approach to profiling determines not only which parts of the program have executed at what times, but also the execution time of a loop. Whereas identifying hot regions of code and the amount of time spent in them is essential for program optimization, identifying loops with unusually large per-iteration performance variations may help programmers find performance problems. Best of all, Spectral Profiling can monitor a system “as-is”, without the need for program instrumentation or profiling-related support activities, thus eliminating the observer effect on performance profiling.
EM-based System Validation
Electromagnetic-based methods show promise not only for profiling execution performance, but also for decoupled security monitoring of device networks. In Extraction and Validation of Algorithms Based on Analog Side-Channels (2017), the Riverside Research team explored machine learning methods to detect modifications to collected IoT/IoE processor code (Riley, Graham, Fuller, Baldwin, & Sampathkumar). Their research described a process for positioning a wide-band radio-frequency probe over a device under test. Support-vector machine classifiers accurately discriminated between code-instruction signatures learned during model training. To identify these signatures, principal component analysis extracts and separates the signals into fetch, opcode, operand and value factors. Sequence learning algorithms then apply this methodology to blocks of code. By reducing the dimensionality of low signal-to-noise radio-frequency emissions data, these techniques improve the speed and accuracy of instruction-level classification.
In EDDIE: EM-based Detection of Deviations in Program Execution (2017), the Georgia Tech/Northrop Grumman team described the application of Spectral Profiling to characterize normal program behavior and to identify deviations from it (Nazari, Sehatbakhsh, Alam, Zajic, & Prvulovic). In addition to loop activity, EDDIE extends the approach of Spectral Profiling to non-loop behavior and loop-to-loop transitions, that is, to all parts of the application. During the training phase, both Spectral Profiling and EDDIE add light-weight instrumentation to log the run time of each loop, mapping each part of the EM signal to the code region executing at that time. EDDIE further obtains a reference set of sample windows with spikes already identified, and the knowledge of how many samples should be used in the statistical tests. Through the use of non-parametric tests to compare the observed and reference spectra, EDDIE presents a highly reliable, non-invasive and independent methodology for detecting anomalies in program execution; it is especially well-suited to security monitoring of embedded IoT systems.
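The two ideas described in the Spectral Profiling and EDDIE passages above, reduced to a runnable illustration. This is an added example, not code from either paper: the EM traces are constructed (a loop whose every iteration emits the same waveform, plus white noise), the sample rate, window length and spike threshold are assumptions, and the deviation test is a simplified stand-in for the papers’ non-parametric spectral tests. The spectral-profiling half turns the strongest spike of a window into the loop’s iteration rate; the EDDIE half scores each observed window against a reference set of known-good windows by comparing the positions and magnitudes of their spikes, with the alarm threshold calibrated leave-one-out from the reference set itself.

```python
import cmath
import math
import random

FS = 1_000_000         # constructed sample rate, samples/second (1 sample = 1 microsecond)
N = 175                # samples per analysis window (divisible by both loop periods used below)
SPIKE_FRACTION = 0.3   # a bin at this fraction of the window's strongest bin counts as a spike
RATIO_TOLERANCE = 2.0  # a shared spike whose magnitude changes by more than 2x is a deviation


def emanation(period, harmonics, n=N, noise=0.02, seed=0):
    """Constructed EM trace of a loop whose iteration takes `period` samples.

    Every iteration emits the same waveform, so the trace is periodic and its spectrum
    shows spikes at FS/period and its harmonics. harmonics maps harmonic number ->
    amplitude; the noise term is white Gaussian (assumed, not measured)."""
    rng = random.Random(seed)
    return [sum(a * math.sin(2 * math.pi * h * t / period) for h, a in harmonics.items())
            + rng.gauss(0.0, noise) for t in range(n)]


def spectrum(samples):
    """DFT magnitude for bins 1..len//2 (bin 0, the DC level, is dropped)."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(samples)))
            for k in range(1, n // 2 + 1)]


def spikes(mag):
    """Bin indices (1-based, matching spectrum()) that stand out as spikes."""
    thr = SPIKE_FRACTION * max(mag)
    return {k + 1 for k, m in enumerate(mag) if m >= thr}


def loop_frequency_hz(mag):
    """Spectral profiling: the strongest spike is the loop's iteration rate in Hz."""
    k = max(range(len(mag)), key=lambda i: mag[i]) + 1
    return k * FS / N


def deviation_score(observed, reference):
    """EDDIE-style comparison of one observed window against reference windows.

    Returns the fraction of spike bins (union of observed and reference spikes) at
    which the observed window disagrees with the reference: the spike is missing or
    new, or its magnitude moved by more than RATIO_TOLERANCE relative to the
    reference's middle value. No distribution is assumed for the magnitudes."""
    ref_spikes = set().union(*(spikes(r) for r in reference))
    obs_spikes = spikes(observed)
    bins = ref_spikes | obs_spikes
    shared = ref_spikes & obs_spikes
    disagreements = len(bins - shared)
    for k in shared:
        ref_mid = sorted(r[k - 1] for r in reference)[len(reference) // 2]
        ratio = observed[k - 1] / ref_mid
        if ratio > RATIO_TOLERANCE or ratio < 1 / RATIO_TOLERANCE:
            disagreements += 1
    return disagreements / len(bins)


def calibrate_threshold(reference):
    """Leave-one-out: the largest score a known-good window gets against the others."""
    return max(deviation_score(r, reference[:i] + reference[i + 1:])
               for i, r in enumerate(reference))


def monitor(observed_windows, reference):
    """Flag each observed window whose score exceeds the calibrated threshold."""
    thr = calibrate_threshold(reference)
    return [deviation_score(w, reference) > thr for w in observed_windows]


# Constructed reference: eight windows of the normal loop (25 us per iteration -> 40 kHz).
NORMAL = {1: 1.0, 2: 0.5}
REFERENCE = [spectrum(emanation(25, NORMAL, seed=s)) for s in range(8)]

# Constructed observations: normal; noisy but normal; slowed loop (extra instructions
# stretch each iteration to 35 us); changed loop body (harmonic balance changes);
# and a second periodic activity running alongside the loop.
OBSERVED = [
    spectrum(emanation(25, NORMAL, seed=100)),
    spectrum(emanation(25, NORMAL, noise=0.2, seed=101)),
    spectrum(emanation(35, NORMAL, seed=102)),
    spectrum(emanation(25, {1: 1.0, 2: 1.5}, seed=103)),
    spectrum([a + b for a, b in zip(emanation(25, NORMAL, seed=104),
                                    emanation(7, {1: 0.8}, seed=105))]),
]

if __name__ == "__main__":
    print("reference loop rate:", loop_frequency_hz(REFERENCE[0]), "Hz")
    for w, flagged in zip(OBSERVED, monitor(OBSERVED, REFERENCE)):
        print(f"loop at {loop_frequency_hz(w):9.1f} Hz  score={deviation_score(w, REFERENCE):.2f}"
              f"  {'DEVIATION' if flagged else 'ok'}")
```

Only the last three observed windows are flagged; the noisy window is not, because the test looks at spike positions and relative magnitudes rather than at the raw noise floor. With the assumed 1 MHz sample rate and 175-sample window, the reference spike sits in bin 7, giving a 40 kHz iteration rate, i.e. 25 µs per iteration, which is the per-iteration loop time that Spectral Profiling recovers without instrumenting the program.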
Although side-channel attacks represent a minor cyber-security risk to fielded EMSDs, the ability to exploit side-channel emissions to monitor a diverse and ever-changing portfolio of system technologies offers several unique benefits to both defense and commercial applications. First, the use of radio-frequency emissions for monitoring requires minimal intervention from analysts, and only during model training. Second, because the monitoring tools run autonomously and separately from the device’s programs, they cannot be compromised by a successful malware attack on the device. Related to this, decoupling the monitoring technology from the device eliminates the performance overhead that instrumentation would otherwise impose. Unfortunately, the success of electromagnetic-emissions monitoring depends significantly on the close proximity of a receiver to the monitored device.
With the program nearing the middle of the second of its three phases, it is clear that LADS research offers much potential in the ongoing search for IoT network security. Whereas Phase I research sought to achieve a minimum of 80% accuracy on a simple IoT device at a close proximity of one (1) foot, in an environment of low ambient noise, Phase II expands the complexity of this challenge. Currently, LADS researchers seek to achieve 90% accuracy on devices of increased intricacy, at a proximity of three (3) feet. The Phase III objective will challenge researchers to improve accuracy to 95% on high-end devices at a proximity of 10 feet. What is not clear from this program is how these technologies may be deployed to monitor networks at scale, particularly within operational scenarios. One can only hope for the continued publication of declassified LADS research, and for the opening of innovation challenges to explore these necessary applications.
Callan, R., Behrang, F., Zajic, A., Prvulovic, M., & Orso, A. (2016). Zero-overhead profiling via EM emanations. Proceedings of the 25th International Symposium on Software Testing and Analysis – ISSTA 2016. doi:10.1145/2931037.2931065
DARPA. (2015, September 25). Leveraging the Analog Domain for Security (LADS) Program: Solicitation Number DARPA-BAA-15-61 (USA, Other Defense Agencies, Defense Advanced Research Projects Agency). Retrieved from https://www.fbo.gov/index?s=opportunity&mode=form&id=916dd7ee159a12bc221bdd442ebf4409&tab=core&_cview=0
Graham, J. T., Baldwin, R. O., & Sampathkumar, A. (2017). Characterization of Riscure 1-GHz low sensitivity probe for side channel analysis (SCA) [Abstract]. Cyber Sensing 2017. doi:10.1117/12.2262121
Nazari, A., Sehatbakhsh, N., Alam, M., Zajic, A., & Prvulovic, M. (2017). EDDIE: EM-based detection of deviations in program execution. Proceedings of the 44th Annual International Symposium on Computer Architecture – ISCA ’17. doi:10.1145/3079856.3080223
Prvulovic, M., Zajic, A., Callan, R., & Wang, C. (2017). A Method for Finding Frequency-Modulated and Amplitude-Modulated Electromagnetic Emanations in Computer Systems. IEEE Transactions on Electromagnetic Compatibility, 59(1), 34-42. doi:10.1109/temc.2016.2603847
Riley, R. A., Graham, J. T., Fuller, R. M., Baldwin, R. O., & Sampathkumar, A. (2017). Extraction and validation of algorithms based on analog side-channels [Abstract]. Cyber Sensing 2017. doi:10.1117/12.2262113
Sehatbakhsh, N., Nazari, A., Zajic, A., & Prvulovic, M. (2016). Spectral profiling: Observer-effect-free profiling by monitoring EM emanations. 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). doi:10.1109/micro.2016.7783762
Zajic, A., Prvulovic, M., & Chu, D. (2017). Path loss prediction for electromagnetic side-channel signals. 2017 11th European Conference on Antennas and Propagation (EUCAP). doi:10.23919/eucap.2017.7928125