Cybersecurity researchers have proposed a novel approach that uses the electromagnetic field emanations of Internet of Things (IoT) devices as a side channel to identify the various types of malware targeting embedded systems, even when obfuscation techniques have been applied to impede analysis.
IoT appliances present an attractive attack surface for threat actors, in part because they now ship with more processing power and can run fully functional operating systems. The research aims to improve malware analysis on such devices in order to mitigate the resulting security risks.
A group of researchers from the Research Institute of Computer Science and Random Systems (IRISA) presented their findings at the Annual Computer Security Applications Conference (ACSAC) held last month.
The researchers Duy-Phuc Pham, Damien Marion, Matthieu Mastio, and Annelie Heuser wrote in a paper: “[Electromagnetic] emission measured from the device is practically undetectable by the malware. Consequently, malware evasion techniques cannot be applied straightforwardly, unlike dynamic software monitoring. In addition, since malware does not have control over external hardware features, a protection system dependent on hardware features cannot be disabled, even if the malware possesses the highest privilege on the system.”
The objective is to use this side-channel information to detect anomalies in the emanations, that is, deviations from previously observed patterns, and to raise an alert when suspicious, malware-like behavior is recorded relative to the system’s normal state.
In addition to requiring no modifications to the target devices, the framework developed in this study enables the detection and classification of stealthy malware, such as kernel-level rootkits, ransomware, and distributed denial-of-service (DDoS) botnets like Mirai, including variants that have not yet been observed.
The side-channel approach proceeds in three phases: electromagnetic emissions are measured while executing 30 distinct malware binaries and while performing benign video, music, picture, and camera-related activities; these measurements are used to train a convolutional neural network (CNN) model; and the trained model is then used to classify real-world malware samples. In particular, the framework accepts an executable as input and outputs its malware label using only side-channel information.
In the experimental setup, the researchers chose a Raspberry Pi 2B with a 900 MHz quad-core ARM Cortex A7 processor and 1 GB of memory as the target device. The electromagnetic signals were acquired and amplified using an oscilloscope combined with a PA 303 BNC preamplifier. The resulting classifier predicted the three malware types and their associated families with 99.82% and 99.61% accuracy, respectively.
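The core idea of the detection phase is to fingerprint the device's normal emanations and flag captures that deviate from that fingerprint. The following is an added illustration of that principle, not the researchers' code or their CNN: it builds a per-frequency baseline from constructed stand-in traces (sums of tones plus noise, not real oscilloscope data) and scores new traces by their largest spectral z-score. The trace generator, bin choices and threshold are assumptions made for the example.

```python
import cmath
import math
import random

def spectrum(trace):
    """Magnitude spectrum (positive bins) of a real-valued trace via a direct DFT.
    O(n^2) is acceptable for the short constructed traces used here."""
    n = len(trace)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(trace))) / n
            for k in range(n // 2)]

def make_trace(freq_bins, seed, n=64, noise=0.05):
    """Constructed stand-in for an EM capture: unit-amplitude tones at the given
    DFT bins plus Gaussian noise. Each tone contributes a bin magnitude of 0.5."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * b * i / n) for b in freq_bins) + rng.gauss(0, noise)
            for i in range(n)]

def fit_baseline(benign_traces, std_floor=0.01):
    """Per-bin mean and standard deviation of the benign spectra.
    The floor keeps a nearly silent bin from producing a huge z-score on tiny noise."""
    specs = [spectrum(t) for t in benign_traces]
    bins = len(specs[0])
    mean = [sum(s[k] for s in specs) / len(specs) for k in range(bins)]
    std = [max(math.sqrt(sum((s[k] - mean[k]) ** 2 for s in specs) / len(specs)), std_floor)
           for k in range(bins)]
    return mean, std

def anomaly_score(trace, baseline):
    """Largest per-bin z-score of the trace's spectrum against the benign baseline."""
    mean, std = baseline
    return max(abs(v - m) / s for v, m, s in zip(spectrum(trace), mean, std))

def is_anomalous(trace, baseline, threshold=6.0):
    """True when some frequency bin departs from normal by more than `threshold` sigmas."""
    return anomaly_score(trace, baseline) > threshold

if __name__ == "__main__":
    BENIGN_BINS = (3, 7)                      # assumed "normal activity" signature
    baseline = fit_baseline([make_trace(BENIGN_BINS, seed) for seed in range(40)])
    unseen_benign = make_trace(BENIGN_BINS, seed=1000)
    suspicious = make_trace(BENIGN_BINS + (12,), seed=1001)   # extra tone: new activity
    print("benign   ", round(anomaly_score(unseen_benign, baseline), 2), is_anomalous(unseen_benign, baseline))
    print("suspicious", round(anomaly_score(suspicious, baseline), 2), is_anomalous(suspicious, baseline))
```

Because the baseline is learned from the device's own emissions, an activity that was never seen during training is flagged without the detector needing a signature for it, which is the property the paper relies on for previously unseen variants.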
The researchers concluded: “By employing simple neural network models, it is possible to obtain substantial information about the state of a monitored device by observing only its [electromagnetic] emanations. Our system is resistant to various code transformation/obfuscation techniques, such as random junk insertion, packing, and virtualization, even when the transformation was not previously known to the system.”