Researchers Detect Hardware-Level Malware Via Power Anomalies

Researchers from North Carolina State University and the University of Texas at Austin have developed a new technique that can enable the detection of hardware-level malware or hacks by tracking power fluctuations in embedded systems.

New Way To Fight Spectre Malware

The researchers argued that micro-architectural attacks on embedded systems, such as those that take advantage of Spectre-like CPU flaws, could be detected by monitoring how power fluctuates within the system and flagging irregular power usage.

Hardware-level attacks are typically very difficult to detect because they can easily bypass operating system-level protections or anti-malware solutions. These attacks exploit vulnerabilities that sit beneath the operating system, a layer into which anti-malware solutions have no visibility.

Previous research has also shown that software mitigation against Spectre-like attacks is a dead-end because the speculative execution attacks take advantage of the micro-architectural design of the CPUs themselves. Therefore, the ultimate solution to prevent any such attacks in the future would be to redesign micro-architectures in a way that speculative execution attacks would no longer be possible.

In the meantime, the North Carolina State University and University of Texas at Austin researchers have found a way to detect some of these micro-architectural attacks. The new technique can detect micro-architectural attacks because it also works at the hardware level.

Attacks Could Eventually Mimic Power Usage Patterns

However, even this solution can eventually be bypassed by more sophisticated attackers who learn how to make their attacks “mimic” normal power usage patterns. The researchers claimed that even with this limitation, their technique could drastically reduce the effectiveness of the malware:

"We found that the effort required to mimic normal power consumption and evade detection forced malware to slow down its data transfer rate by between 86 and 97 percent. In short, our approach can still reduce the effects of malware, even in those few instances where the malware is not detected."

The researchers will present their paper, called "Using Power-Anomalies to Detect Evasive Micro-Architectural Attacks in Embedded Systems," at the IEEE International Symposium on Hardware Oriented Security and Trust (HOST), which will be held on May 6-10 in Tysons Corner, Va.
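The idea described above can be sketched as a windowed power-anomaly detector. This is an added illustration, not code from the researchers' paper or from this article. The window size, threshold, power figures and all function names are assumptions, and the traces are constructed.

```python
import random
import statistics

WINDOW = 50           # samples per detection window (assumed)
THRESHOLD_SIGMA = 5   # alert when a window mean drifts this many sigmas (assumed)

def window_means(trace):
    """Mean power of each non-overlapping window of WINDOW samples."""
    return [statistics.fmean(trace[i:i + WINDOW])
            for i in range(0, len(trace) - WINDOW + 1, WINDOW)]

def fit_baseline(clean_trace):
    """Learn the mean and spread of window means from a known-good trace."""
    means = window_means(clean_trace)
    return statistics.fmean(means), statistics.stdev(means)

def alert_fraction(trace, baseline):
    """Fraction of windows whose mean power falls outside the learned band."""
    mu, sigma = baseline
    means = window_means(trace)
    hits = sum(abs(m - mu) > THRESHOLD_SIGMA * sigma for m in means)
    return hits / len(means)

def residual_rate_bound(baseline, extra_mw):
    """Largest fraction of time an extra_mw load can run while the expected
    window mean stays inside the band; 1 minus this is the forced slowdown."""
    _, sigma = baseline
    return min(1.0, THRESHOLD_SIGMA * sigma / extra_mw)

def synth_trace(n, duty, rng, idle_mw=200.0, extra_mw=30.0, noise_mw=5.0):
    """Constructed trace (mW): Gaussian idle noise plus an extra load that is
    active for the first duty*WINDOW samples of every window."""
    active = round(duty * WINDOW)
    return [idle_mw + rng.gauss(0.0, noise_mw)
            + (extra_mw if i % WINDOW < active else 0.0)
            for i in range(n)]

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the constructed data is repeatable
    baseline = fit_baseline(synth_trace(10_000, 0.0, rng))
    for duty in (0.0, 0.02, 0.5, 1.0):
        frac = alert_fraction(synth_trace(2_000, duty, rng), baseline)
        print(f"duty={duty:4.2f}  windows alerting={frac:.0%}")
    bound = residual_rate_bound(baseline, extra_mw=30.0)
    print(f"load that stays in band is limited to {bound:.0%} of full rate")
```

The bound printed here follows only from these constructed numbers and is not a reproduction of the paper's 86 to 97 percent result.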

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • digitalgriffin
    I have a pretty good damn idea how Spectre works. The original researchers deserved to be commended. I won't give away too many details, but I'm pretty certain this exploit was applied years ago. I'm shocked that CPU architectures didn't protect against it as they would be subject to the similar attack vector.
  • DotNetMaster777
    Good point, why is the CPU not protected against it!!!
    It is interesting how the hardware can be fixed against this type of attack????
  • Specter0420
    Wouldn't it be easiest to detect at the network equipment? Sure, the OS doesn't know that data is being sent out the network adapter, but the routers and firewalls still must route the traffic.