Control Flow Graph Modifications for Improved RF-Based Processor Tracking Performance

TL;DR

This paper explores enhancing RF-based program execution tracking on embedded processors by modifying control flow graphs through strategic program changes, improving the observability and accuracy of execution monitoring.

Contribution

It introduces a novel approach of CFG modifications to improve RF measurement-based program tracking, validated on simple and real-world applications.

Findings

CFG modifications improve RF tracking accuracy

Adding observable basic blocks enhances detection performance

Initial results show applicability to real-world programs

Abstract

Many dedicated embedded processors do not have memory or computational resources to coexist with traditional (host-based) security solutions. As a result, there is interest in using out-of-band analog side-channel measurements and their analyses to accurately monitor and analyze expected program execution. In this paper, we describe an approach to this problem using externally observable multi-band radio frequency (RF) measurements to make inferences about a program's execution. Because it is very difficult to identify individual instructions solely from their RF emissions, we compare RF measurements with the constrained execution logic of the program so that multiple RF measurements over time can effectively track program execution dynamically. In our approach, a program's execution is modeled by control flow graphs (CFG) and transitions between nodes of such graphs. We demonstrate that tracking performance can be improved through applications program modifications such as changing basic block transition properties and/or adding new basic blocks that are highly observable. In addition to demonstrating these principled approaches on some simple programs, we present initial results on the complexity and structure of real-world applications programs, namely gzip and md5sum, in this modeling framework.