Abstract

Side-channel based instruction disassembly (SCBD) is a family of side-channel attacks that aims at recovering the code executed by a device from physical measurements. Over the past decades, research has shown that instruction-level disassembly is feasible on simple microcontrollers. At the same time, the computing power and architectural complexity of processors keep increasing, even in constrained devices. Performing side-channel attacks on mid- or high-end devices is inherently harder because of complex concurrent activity and a significant amount of noise. While broad behavior identification, such as recognizing cryptographic primitives, has been shown to be possible, the feasibility of precise SCBD on a complex System-on-Chip (SoC) remains an open question.

In this work, we address some of the technical challenges involved in performing SCBD on SoCs. We propose an experimental setup and measurement methodology that enables reliable characterization of instruction-level electromagnetic (EM) leakages. After investigating broad functional-unit activity leakages, we study the feasibility of three instruction-level code reconstruction granularities: functional unit recognition, opcode recognition and bit-level recovery. Under a controlled experimental environment, our results show that broad functional-unit activity recognition is achievable, as is opcode-level SCBD. Finally, we show promising results regarding bit-level SCBD that exploits the prefetching stages of the CPU.
