On Optimizing The Radio Side-Channel For Application Modeling

Kyle Super, University of Pennsylvania


This dissertation introduces techniques for passively determining the instructions executed by embeddedmicrocontroller devices. Microcontroller applications are increasingly important for programmed mechanical control, analog sensor input, human interface operations and other roles, and when connected form an Internet of Things (IoT). Their simplicity, programmability, robust I/O, small size, low energy, low cost and widespread uses in vehicles, medical devices, wearables, thermostats, toasters, and myriad ”smart” systems have led to estimates of many tens of billions deployed in the near future. Their ubiquity and importance make them attractive targets for malicious actors. Today’s malware often evades detection. This thesis introduces novel techniques to exploit electromagnetic (EM) side-channels to overcome this threat.

First, we rely on the observation of the EM field. CMOS microcontroller chips create complex currentfluctuations on the ground and power wiring as circuits open and close. The wiring acts as an antenna, emanating in the RF spectrum. We record emissions from a running system with a software defined radio and use a principled analysis of the EM field to yield far more information than reported in prior work.

Second, we develop a robust theory relating application operation and produced radiation and use novelinformation recovery and feature extraction methods to recover a full understanding of the applications with zero prior knowledge of the code. This allows anomalies in a device under test to be detected by comparison against a reference model from a known, reliable device. This is a major advantage in the common case of proprietary application code.

Finally, these claims are validated with measurements across a diverse set of complex applications using arealized system incorporating the novel signal capture, analysis, and application modeling schemes. The principled design and robust theoretical foundations have resulted in an implementation on inexpensive commodity hardware that outperforms published prior work. Particulars of the design enable other capabilities beyond malware in microcontrollers, including the detection of hardware failures, software operation debugging, and reverse engineering, to detect faults or suspicious activities that originate early in the device supply-chain.