This Small Business Innovation Research (SBIR) Phase I project aims to demonstrate the technical and commercial feasibility of a novel approach called Power Fingerprinting (PFP) for integrity assessment and intrusion detection in critical embedded and wireless systems based on side-channel analysis by an external monitor. Such an integrity assessment approach is fundamental for protecting critical systems from cyber attacks in government agencies, financial institutions, military command, and industrial control. PFP treats cyber security as a signal detection and classification problem and introduces tangible quantitative metrics for security and trust. Phase I objectives include: (1) demonstrate the feasibility of characterizing kernel modules and core applications for embedded systems; (2) extract behavioral signatures to improve performance; (3) develop techniques to compensate for variations in power consumption due to manufacturing and environmental variations; and (4) create a general architecture for the application of PFP. The research will be performed using Angstrom Linux on a Beagleboard embedded platform, from which PFP signatures will be extracted and used to detect malicious intrusions in blind tests. The expected result is to achieve over 95% accuracy in detecting execution anomalies during blind tests and provide a baseline to develop a commercial PFP monitor prototype in Phase II.

The broader impact/commercial potential of this project includes the development of an innovative mechanism for early detection of cyber attacks to critical infrastructure from well-funded adversaries. Such attacks, if not promptly discovered, can steal state secrets and intellectual property with devastating consequences to national security. PFP brings a new perspective to cyber security, treating it as a signal detection and classification problem and introducing tangible quantitative metrics for integrity and trust. PFP addresses a growing need to secure critical embedded systems. PFP is very difficult to evade, adds little overhead in the processor being monitored, and is effective against zero-day attacks. In comparison, traditional cyber security monitoring approaches are susceptible to evasion and ineffective against new attacks because they depend on known malware signatures. These features make PFP capable of detecting sophisticated covert attacks and rootkits, such as the recent Stuxnet worm. PFP has dual application in the commercial and government markets, particularly for resource-constrained and embedded platforms, including smart phones, smart grid, critical industrial control, and tactical communication devices. PFP has the potential to become a fundamental player in cyber-security by protecting the nation's infrastructure and promoting further development of the economic base and employment.

Project Report

This Small Business Innovation Research (SBIR) Phase I project demonstrated the feasibility of a novel approach, called Power Fingerprinting (PFP), for performing integrity assessment and intrusion detection in critical embedded systems. PFP was shown capable of monitoring all types of platforms, including resource-constrained and legacy processors. Traditional cyber defense approaches have proven to be ineffective at preventing adversaries from gaining access to critical systems. Critical embedded systems, such as industrial controls, are especially vulnerable to cyber-attacks due to computational resource constraints, which limit their ability to support existing monitoring mechanisms. Furthermore, many of these platforms are implemented with legacy or special processors not supported by commercial cyber security solutions. There is no current solution to effectively monitor critical resource-constrained embedded systems. PFP technology enables an external device to assess the execution integrity across all levels of the execution stack in embedded processors. The approach relies on independent hardware to provide extremely accurate, fast, and reliable detection of known and unknown cyber attacks. The approach is based on fine-grained anomaly detection on the processor’s power consumption, which improves visibility across the execution stack while minimizing the impact on the target. The main technical outcome of the project was the demonstration of the ability of PFP to monitor the execution of kernel modules on the Angstrom Embedded Linux distribution running on an embedded ARM platform and detect when unauthorized modifications have taken place. The results of this Phase I show that the PFP monitor is able to differentiate small changes in execution at the kernel level, even when there is no observable difference in functional behavior, all while introducing only minimal overhead into the target system.
The accuracy achieved in our assessments and the level of detail in the execution status information cannot be achieved using traditional security mechanisms without explicit cooperation from the processor and without introducing significant performance overhead. Upon commercialization, PFP is expected to tap the billion-dollar market of cyber-security with a solution that is uniquely positioned to serve the critical embedded system niche. The ability of PFP to monitor specific actions across all levels of the execution stack to improve defense-in-depth is a necessary element to effectively protect critical infrastructure from cyber attacks. PFP can greatly improve the security of our critical infrastructure and protect it against ever-growing cyber threats while promoting further development of the economic base and employment in the area of cyber-security.

Agency: National Science Foundation (NSF)
Institute: Division of Industrial Innovation and Partnerships (IIP)
Type: Standard Grant (Standard)
Application #: 1143129
Program Officer: Muralidharan Nair
Project Start:
Project End:
Budget Start: 2012-01-01
Budget End: 2012-06-30
Support Year:
Fiscal Year: 2011
Total Cost: $150,000
Indirect Cost:
Name: Power Fingerprinting, Inc.
Department:
Type:
DUNS #:
City: Blacksburg
State: VA
Country: United States
Zip Code: 24060