ConFirm: Detecting firmware modifications in embedded systems using Hardware Performance Counters

Xueyang Wang, Charalambos Konstantinou, Mihalis Maniatakos, Ramesh Karri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Critical infrastructure components nowadays use microprocessor-based embedded control systems. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded control systems. Furthermore, as software sits atop and relies on the firmware for proper operation, software-level techniques cannot detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded control systems by measuring the number of low-level hardware events that occur during the execution of the firmware. In order to count these events, ConFirm leverages the Hardware Performance Counters (HPCs), which readily exist in many embedded processors. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate that ConFirm can detect all the tested modifications with low performance overhead.

Original language: English (US)
Title of host publication: 2015 IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 544-551
Number of pages: 8
ISBN (Print): 9781467383882
DOI: https://doi.org/10.1109/ICCAD.2015.7372617
State: Published - Jan 5 2016
Event: 34th IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015 - Austin, United States
Duration: Nov 2 2015 to Nov 6 2015

Other

Other: 34th IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015
Country: United States
City: Austin
Period: 11/2/15 to 11/6/15

Fingerprint

Firmware
Embedded systems
Computer hardware
Control systems
Hardware
Critical infrastructures
Microprocessor chips
Costs

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design

Cite this

Wang, X., Konstantinou, C., Maniatakos, M., & Karri, R. (2016). ConFirm: Detecting firmware modifications in embedded systems using Hardware Performance Counters. In 2015 IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2015 (pp. 544-551). [7372617] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICCAD.2015.7372617
