Abstract

Side-channel analysis techniques have been demonstrated for secret information extraction, vulnerability assessment and intrusion analysis. However, these techniques have not been applied to identify instructions running on a general-purpose pipelined computing platform. In this work, we identify instruction execution sequences on these platforms using side-channel power measurements. The technique uses a Principal Component Analysis (PCA) based model to generate multiple power-supply templates and a novel post-processing dynamic programming algorithm for optimal template matching. One unique aspect of this technique is that we take measurements on multiple power supply pins of the device to increase precision and accuracy. We apply our dynamic programming algorithm to detect the sequence of execution clock cycles on templates for single instructions, which provides accuracy in the range of 69.2% to 87.5% for ten thousand observations from individual power supply pins. We further augment this technique to generate multiple dictionaries for instructions of various lengths and use data from multiple power supply pins, which increases the accuracy to the range of 87% to 100%. Further, classification rates for instruction templates based on operand addressing mode and the specific hardware used range from 87% to 100% using as few as 10 principal components. Using our methodology, we can detect malicious insertions in a pre-determined code sequence with 100% accuracy, as demonstrated in the results.
