Side channel parameter characteristics of code injection attacks

Embedded systems have become attractive targets for code injection attacks in recent years. The software protection mechanisms used on general-purpose computers are usually not applicable to embedded systems, which have limited resources such as memory and processing power. In this paper we investigate side-channel characteristics of embedded systems and their applicability to detecting code injection attacks. Architectural simulation of execution time, power usage and temperature on benchmark programs shows that these parameters exhibit meaningful and distinguishable behaviour under attack.
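As an added illustration of the detection idea the abstract describes (this is not the paper's own code or method): a per-benchmark profile of execution time, power and temperature is built from clean runs, and a new run is scored by how many channels deviate from that profile beyond a threshold. The profile format, the z-score rule, the 3-sigma threshold, the requirement that several channels agree, and every measurement below are assumptions constructed for the example.

```python
"""Side-channel anomaly detector for a fixed embedded workload.

Added example, not the paper's own code. Everything here is assumed for
illustration: the feature set, the z-score rule, the 3-sigma threshold,
the multi-channel agreement rule, and the constructed measurements.
"""
from statistics import mean, pstdev

# The three channels the abstract names: cycles, power and die temperature.
FEATURES = ("exec_time_cycles", "power_mw", "temperature_c")


def build_profile(training_runs):
    """Per-feature (mean, std) over clean runs of one benchmark program."""
    profile = {}
    for f in FEATURES:
        vals = [run[f] for run in training_runs]
        sd = pstdev(vals)
        # Floor the spread so a perfectly stable channel cannot divide by zero.
        profile[f] = (mean(vals), sd if sd > 0 else 1e-9)
    return profile


def score_run(profile, run):
    """Absolute z-score of each channel of one run against the clean profile."""
    return {f: abs(run[f] - profile[f][0]) / profile[f][1] for f in FEATURES}


def is_anomalous(profile, run, threshold=3.0, min_features=2):
    """Flag a run when at least `min_features` channels deviate > threshold sigma.

    Requiring agreement across channels suppresses single-channel noise
    (for example temperature drifting with ambient), at the cost of missing
    a payload whose footprint shows up in only one channel.
    """
    z = score_run(profile, run)
    return sum(1 for v in z.values() if v > threshold) >= min_features


# Constructed sample data: eight clean runs of one benchmark program.
CLEAN_RUNS = [
    {"exec_time_cycles": 1_000_200, "power_mw": 850.0, "temperature_c": 45.1},
    {"exec_time_cycles": 1_000_900, "power_mw": 852.0, "temperature_c": 45.3},
    {"exec_time_cycles":   999_400, "power_mw": 848.5, "temperature_c": 44.9},
    {"exec_time_cycles": 1_000_500, "power_mw": 851.0, "temperature_c": 45.2},
    {"exec_time_cycles":   999_800, "power_mw": 849.0, "temperature_c": 45.0},
    {"exec_time_cycles": 1_000_100, "power_mw": 850.5, "temperature_c": 45.1},
    {"exec_time_cycles":   999_600, "power_mw": 849.5, "temperature_c": 44.8},
    {"exec_time_cycles": 1_000_300, "power_mw": 851.5, "temperature_c": 45.3},
]

# Constructed: an injected payload executes extra instructions, drawing more
# power and heating the die, so all three channels move together.
INJECTED_RUN = {"exec_time_cycles": 1_004_000, "power_mw": 861.0, "temperature_c": 46.2}

# Constructed: a clean run in a warmer enclosure; only temperature moves.
HOT_AMBIENT_RUN = {"exec_time_cycles": 1_000_000, "power_mw": 850.0, "temperature_c": 47.0}

# Constructed: a smaller payload whose footprint shows only in the timing channel.
TIMING_ONLY_RUN = {"exec_time_cycles": 1_002_500, "power_mw": 850.5, "temperature_c": 45.1}

SAMPLES = {
    "injected": INJECTED_RUN,
    "hot_ambient": HOT_AMBIENT_RUN,
    "timing_only": TIMING_ONLY_RUN,
}


def classify_samples(min_features=2):
    """Run the detector over the constructed samples; returns {name: flagged}."""
    profile = build_profile(CLEAN_RUNS)
    return {name: is_anomalous(profile, run, min_features=min_features)
            for name, run in SAMPLES.items()}


if __name__ == "__main__":
    profile = build_profile(CLEAN_RUNS)
    for name, run in SAMPLES.items():
        z = {f: round(v, 2) for f, v in score_run(profile, run).items()}
        print(f"{name:12s} z={z} flagged={is_anomalous(profile, run)}")
```

Run as a script it prints the per-channel z-scores for each sample. With the default agreement rule the injected run is flagged on all three channels, the hot-ambient run is not (only temperature deviates), and the timing-only run is also missed; lowering `min_features` to 1 catches the timing-only run but then also raises a false alarm on the hot-ambient run. That trade-off is the practical reason for collecting several side-channel parameters rather than one.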