Hardware-Assisted Detection of Malicious Software in Embedded Systems

“…In [17], Kolbitsch et al proposed a malware detection system to complement conventional AV software by matching automatically generated behaviour models against the runtime behaviour of unknown programs. Similar to [1], Rahmatian et al [5] used a CFG to detect intrusion for secured embedded systems by detecting behavioural differences between the correct system and malware. In their system, each executing process is associated with a finite state machine (FSM) that recognizes the sequences of system calls generated by the correct program.…”

“…The limitations with the use of system calls for program identification [1], [5] have been pointed out in [15] and are more prevalent in embedded systems settings, which typically to not employ operating systems. The mentioned limitations are: 1) Programs with little or no system calls such as programs solely based on arithmetic operation, and 2) Programs which do not have unique system call behaviours may fail to exhibit a birthmark.…”

“…It is worth noting that unlike other software-based [17] [18] and hardware-based [1,5] approaches, our work is independent of the processor's architecture or operating system's kernel, thus making it compatible with most modern embedded systems. In [1], the hash-checking of all CFG significantly degrade the processor's performance.…”

“…However, our scheme maintains the original length of critical path of the processor and monitors the executing programme in parallel through the debug interface, without performance penalty. Although the fastest intrusion detection system is proposed in [5], only system call sequence is used for the comparison of correct and compromised systems. In contrast, our system does not only monitor system call sequence, but also checks instruction sequence within the system call, which captures both coarse-grained and Fuzzy C-means SOM fine-grained programme behaviour in a hierarchical manner.…”

“…Integrated circuits are first identified by utilising manufacturing process variation and then the identities are further used for cryptography. There has also been research work focusing on detecting software failure, tampering and malicious codes in embedded architectures [1,5]. A major drawback of these techniques is the storage of sensitive information in the system as "valid" samples or templates.…”

Exploring ICMetrics to detect abnormal program behaviour on embedded devices

“…In [17], Kolbitsch et al proposed a malware detection system to complement conventional AV software by matching automatically generated behaviour models against the runtime behaviour of unknown programs. Similar to [1], Rahmatian et al [5] used a CFG to detect intrusion for secured embedded systems by detecting behavioural differences between the correct system and malware. In their system, each executing process is associated with a finite state machine (FSM) that recognizes the sequences of system calls generated by the correct program.…”

“…The limitations with the use of system calls for program identification [1], [5] have been pointed out in [15] and are more prevalent in embedded systems settings, which typically to not employ operating systems. The mentioned limitations are: 1) Programs with little or no system calls such as programs solely based on arithmetic operation, and 2) Programs which do not have unique system call behaviours may fail to exhibit a birthmark.…”

“…It is worth noting that unlike other software-based [17] [18] and hardware-based [1,5] approaches, our work is independent of the processor's architecture or operating system's kernel, thus making it compatible with most modern embedded systems. In [1], the hash-checking of all CFG significantly degrade the processor's performance.…”

“…However, our scheme maintains the original length of critical path of the processor and monitors the executing programme in parallel through the debug interface, without performance penalty. Although the fastest intrusion detection system is proposed in [5], only system call sequence is used for the comparison of correct and compromised systems. In contrast, our system does not only monitor system call sequence, but also checks instruction sequence within the system call, which captures both coarse-grained and Fuzzy C-means SOM fine-grained programme behaviour in a hierarchical manner.…”

“…Integrated circuits are first identified by utilising manufacturing process variation and then the identities are further used for cryptography. There has also been research work focusing on detecting software failure, tampering and malicious codes in embedded architectures [1,5]. A major drawback of these techniques is the storage of sensitive information in the system as "valid" samples or templates.…”

Exploring ICMetrics to detect abnormal program behaviour on embedded devices

Smart Grid Hardware Security

FastCFI: Real-Time Control Flow Integrity Using FPGA Without Code Instrumentation