Using power fingerprinting (PFP) to monitor the integrity and enhance security of computer based systems

US 9,262,632 B2
Filed: 11/03/2011
Issued: 02/16/2016
Est. Priority Date: 11/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method for performing real-time integrity assessment of execution of a routine in a computer processing platform, comprising:

monitoring execution of the routine by tracing power consumption of a processor by sampling with one or more sensors during execution of the routine;

using a platform characterization technique that further comprisesdetecting sections of traces sampled by the one or more sensors that display the largest dependence on state transitions in the processor;

using said sections to select features carrying the most information;

obtaining from a characterization of selected features of the routine contained in said sections a set of trusted power fingerprints of the routine;

establishing a threshold for a specific false alarm rate based on the probability distribution of distance from a signature comprised of said trusted fingerprints;

comparing a library of said trusted fingerprints to features extracted from traces from the execution of untrusted code;

determining a distance between said fingerprints and the extracted features; and

reporting an exception if the distance exceeds the threshold.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Procedures are described for enhancing target system execution integrity determined by power fingerprinting (PFP): by integrating PFP into the detection phase of comprehensive defense-in-depth security; by deploying a network of PFP enabled nodes executing untrusted devices with predefined inputs forcing a specific state sequence and specific software execution; by embedding module identification information into synchronization signaling; by combining signals from different board elements; by using malware signatures to enhance PFP performance; by automatic characterization and signature extraction; by providing secure signature updates; by protecting against side-channel attacks; performing real-time integrity assessment in embedded platform by monitoring their dynamic power consumption and comparing it against signatures from trusted code, including pre-characterizing power consumption of the platform by concentrating on trace sections carrying the most information about the internal execution status; by using PFP from sequence of bit transitions to detect deviations from authorized execution of software in a digital processor.

Citations

16 Claims

1. A method for performing real-time integrity assessment of execution of a routine in a computer processing platform, comprising:
- monitoring execution of the routine by tracing power consumption of a processor by sampling with one or more sensors during execution of the routine;
  
  using a platform characterization technique that further comprisesdetecting sections of traces sampled by the one or more sensors that display the largest dependence on state transitions in the processor;
  
  using said sections to select features carrying the most information;
  
  obtaining from a characterization of selected features of the routine contained in said sections a set of trusted power fingerprints of the routine;
  
  establishing a threshold for a specific false alarm rate based on the probability distribution of distance from a signature comprised of said trusted fingerprints;
  
  comparing a library of said trusted fingerprints to features extracted from traces from the execution of untrusted code;
  
  determining a distance between said fingerprints and the extracted features; and
  
  reporting an exception if the distance exceeds the threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising synchronizing said tracing with execution of the routine by embedding module identification information into the routine.
  - 3. The method of claim 2 wherein the module identification information is a binary identification code written in an IO register before execution of the routine.
  - 4. The method of claim 2 wherein the module identification information is a sequence of instructions yielding a distinctive power consumption pattern.
  - 5. The method of claim 1 wherein the tracing of power consumption combines signals from a plurality of processor circuits.
  - 6. The method of claim 1 further comprising enhancing the quality of said exception reporting by adding to said library fingerprint signatures of known malware.

7. A system for performing real-time integrity assessment of execution of a routine in a computer processing platform, comprising:
- one or more sensors for monitoring execution of the routine by tracing power consumption of a processor by sampling during execution of the routine;
  
  means for using a platform characterization technique that further comprisesmeans for detecting sections of traces sampled with said one or more sensors that display the largest dependence on state transitions in the processor;
  
  means for using said sections to select features carrying the most information;
  
  means for obtaining from a characterization of the selected features contained in said sections a set of trusted power fingerprints of the routine;
  
  means for establishing a threshold for a specific false alarm rate based on the probability distribution of distance from a signature comprised of said trusted fingerprints;
  
  means for comparing a library of said trusted fingerprints to features extracted from traces from the execution of untrusted codemeans for determining a distance between said fingerprints and the extracted features; and
  
  means for reporting an exception if the distance exceeds the threshold.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7 further comprising module identification information embedded into the routine.
  - 9. The system of claim 8 wherein the module identification information is a binary identification code written in an IO register before execution of the routine.
  - 10. The system of claim 8 wherein the module identification information is a sequence of instructions yielding a distinctive power consumption pattern.
  - 11. The system of claim 7 wherein the means for tracing of power consumption combines signals from a plurality of processor circuits.
  - 12. The system of claim 7 further comprising means for enhancing the quality of said exception reporting by adding to said library fingerprint signatures of known malware.

13. A method for detecting deviations from authorized execution of software in a digital processor, comprising:
- receiving, from one or more sensors, a signal representing power consumption of a first processor during execution of at least one routine of the software;
  
  comparing the power consumption of the first processor to a power consumption characterization for a second processor performing an authorized execution of the at least one routine of the software, the first processor being a type corresponding to a type of the second processor; and
  
  using a result of said comparing step to determine deviation.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the power consumption characterization of the second processor is based on sections of power consumption traces that display a largest dependence on state transitions in the second processor.
  - 15. The method of claim 13, further comprising determining a sequence of bit transitions to form the power consumption characterization of the second processor during the execution of the at least one routine.
  - 16. The method of claim 15, further comprising steps ofdetecting sections of the traces that display a largest dependence on state transitions in the second processor;
    - andusing the sections to select features carrying the most information,the determining including determining the sequence of bit transitions based on the selected features to form the power consumption characterization of the second processor during the execution of the at least one routine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Original Assignee
Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Inventors
Reed, Jeffrey H., Aguayo Gonzalez, Carlos R.
Primary Examiner(s)
Brown, Anthony

Application Number

US13/883,105
Publication Number

US 20130318607A1
Time in Patent Office

1,566 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 1/28   Supervision thereof, e.g. d...

G06F 1/3206   Monitoring of events, devic...

G06F 11/3062   where the monitored propert...

G06F 11/3093   Configuration details there...

G06F 21/52   during program execution, e...

G06F 21/56   Computer malware detection ...

G06F 21/755   with measures against power...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

H04L 9/3247   involving digital signatures

Using power fingerprinting (PFP) to monitor the integrity and enhance security of computer based systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Using power fingerprinting (PFP) to monitor the integrity and enhance security of computer based systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links