TY - JOUR
T1 - Malicious Firmware Detection with Hardware Performance Counters
AU - Wang, Xueyang
AU - Konstantinou, Charalambos
AU - Maniatakos, Michail
AU - Karri, Ramesh
AU - Lee, Serena
AU - Robison, Patricia
AU - Stergiou, Paul
AU - Kim, Steve
N1 - Generated from Scopus record by KAUST IRTS on 2022-09-13
PY - 2016/7/1
Y1 - 2016/7/1
N2 - Critical infrastructure components nowadays use microprocessor-based embedded control systems. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded control systems. Furthermore, as software sits atop and relies on the firmware for proper operation, software-level techniques cannot detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded control systems by measuring the number of low-level hardware events that occur during the execution of the firmware. In order to count these events, ConFirm leverages the Hardware Performance Counters (HPCs), which readily exist in many embedded processors. We propose a comparison-based technique to detect malicious modifications in firmwares with simple control-flows. For firmwares with more complex control-flows, we use machine learning techniques to automatically extract the relations among different hardware events. This method significantly reduces the number of pre-stored valid HPC signatures without compromising the detection accuracy. Finally, we reduce the consumption of local resources by implementing a remote-based detection mechanism. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate its practicality and effectiveness.
UR - http://ieeexplore.ieee.org/document/7470546/
UR - http://www.scopus.com/inward/record.url?scp=84994285925&partnerID=8YFLogxK
U2 - 10.1109/TMSCS.2016.2569467
DO - 10.1109/TMSCS.2016.2569467
M3 - Article
SN - 2332-7766
VL - 2
SP - 160
EP - 173
JO - IEEE Transactions on Multi-Scale Computing Systems
JF - IEEE Transactions on Multi-Scale Computing Systems
IS - 3
ER -