Malicious Firmware Detection with Hardware Performance Counters

Xueyang Wang, Charalambos Konstantinou, Mihalis Maniatakos, Ramesh Karri, Serena Lee, Patricia Robison, Paul Stergiou, Steve Kim

Research output: Contribution to journal › Article

Abstract

Critical infrastructure components nowadays use microprocessor-based embedded control systems. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded control systems. Furthermore, as software sits atop and relies on the firmware for proper operation, software-level techniques cannot detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded control systems by measuring the number of low-level hardware events that occur during the execution of the firmware. In order to count these events, ConFirm leverages the Hardware Performance Counters (HPCs), which readily exist in many embedded processors. We propose a comparison-based technique to detect malicious modifications in firmwares with simple control-flows. For firmwares with more complex control-flows, we use machine learning techniques to automatically extract the relations among different hardware events. This method significantly reduces the number of pre-stored valid HPC signatures without compromising the detection accuracy. Finally, we reduce the consumption of local resources by implementing a remote-based detection mechanism. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate its practicality and effectiveness.

Original language: English (US)
Article number: 7470546
Pages (from-to): 160-173
Number of pages: 14
Journal: IEEE Transactions on Multi-Scale Computing Systems
Volume: 2
Issue number: 3
DOIs: https://doi.org/10.1109/TMSCS.2016.2569467
State: Published - Jul 1 2016

Fingerprint

Firmware
Computer hardware
Hardware
Control systems
Flow control
Critical infrastructures
Learning systems
Microprocessor chips
Costs

Keywords

  • attacks
  • detection
  • Firmware
  • hardware performance counters

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Information Systems
  • Hardware and Architecture

Cite this

Wang, X., Konstantinou, C., Maniatakos, M., Karri, R., Lee, S., Robison, P., ... Kim, S. (2016). Malicious Firmware Detection with Hardware Performance Counters. IEEE Transactions on Multi-Scale Computing Systems, 2(3), 160-173. [7470546]. https://doi.org/10.1109/TMSCS.2016.2569467

@article{805412c6fee84f36b216ce0cd3b1a7e1,
title = "Malicious Firmware Detection with Hardware Performance Counters",
abstract = "Critical infrastructure components nowadays use microprocessor-based embedded control systems. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded control systems. Furthermore, as software sits atop and relies on the firmware for proper operation, software-level techniques cannot detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded control systems by measuring the number of low-level hardware events that occur during the execution of the firmware. In order to count these events, ConFirm leverages the Hardware Performance Counters (HPCs), which readily exist in many embedded processors. We propose a comparison-based technique to detect malicious modifications in firmwares with simple control-flows. For firmwares with more complex control-flows, we use machine learning techniques to automatically extract the relations among different hardware events. This method significantly reduces the number of pre-stored valid HPC signatures without compromising the detection accuracy. Finally, we reduce the consumption of local resources by implementing a remote-based detection mechanism. We evaluate the detection capability and performance overhead of the proposed technique on various types of firmware running on ARM- and PowerPC-based embedded processors. Experimental results demonstrate its practicality and effectiveness.",
keywords = "attacks, detection, Firmware, hardware performance counters",
author = "Xueyang Wang and Charalambos Konstantinou and Mihalis Maniatakos and Ramesh Karri and Serena Lee and Patricia Robison and Paul Stergiou and Steve Kim",
year = "2016",
month = "7",
day = "1",
doi = "10.1109/TMSCS.2016.2569467",
language = "English (US)",
volume = "2",
pages = "160--173",
journal = "IEEE Transactions on Multi-Scale Computing Systems",
issn = "2332-7766",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "3",

}
