Buffer Overflow Attack's Power Consumption Signatures

Title: Buffer Overflow Attack's Power Consumption Signatures
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Moore, Samuel; Yampolskiy, Mark; Gatlin, Jacob; McDonald, Jeffrey T.; Andel, Todd R.
Conference Name: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering
Date Published: December 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4841-6
Keywords: channel coding, composability, Cyber Dependencies, cyber physical security, ICS Anomaly Detection, Metrics, Physical layer, physical layer security, physical-layer security, power consumption anomaly detection, pubcrawl, Resiliency, rop attacks, Scalability, side-channel analysis, simple power analysis
Abstract

Embedded Systems (ES) are an integral part of Cyber-Physical Systems (CPS), the Internet of Things (IoT), and consumer devices like smartphones. ES often have limited resources and, if used in CPS and IoT, have to satisfy real-time requirements. Therefore, ES rarely employ the security measures established for computer systems and networks. Due to the growth of both CPS and IoT it is important to identify ongoing attacks on ES without interfering with real-time constraints. Furthermore, security solutions that can be retrofitted to legacy systems are desirable, especially when ES are used in Industrial Control Systems (ICS) that often maintain the same hardware for decades. To tackle this problem, several researchers have proposed using side-channels (i.e., physical emanations accompanying cyber processes) to detect such attacks. While prior work focuses on the anomaly detection approach, this might not always be sufficient, especially in complex ES whose behavior depends on the input data. In this paper, we determine whether one of the most common attacks, a buffer overflow attack, generates distinct side-channel signatures if executed on a vulnerable ES. We only consider the power consumption side-channel. We collect and analyze power traces from normal program operation and four cases of buffer overflow attack categories: (i) crash program execution, (ii) injection of executable code, (iii) return to existing function, and (iv) Return Oriented Programming (ROP) with gadgets. Our analysis shows that for some of these cases a power signature-based detection of a buffer overflow attack is possible.

URL: https://dl.acm.org/doi/10.1145/3015135.3015141
DOI: 10.1145/3015135.3015141
Citation Key: moore_buffer_2016