LAMBDA: Lightweight Assessment of Malware for emBeddeD Architectures

Published: 21 June 2020

Abstract

Security is a critical aspect of many of the latest embedded and IoT systems, and malware is one of the most severe threats to such devices. There have been enormous efforts in malware detection and analysis; however, the continual appearance of new varieties of malicious code shows that it remains an extremely difficult problem, given the surreptitious nature of such code. In this article, instead of addressing a general solution, we aim at malware detection for platforms that have more than one core for performance enhancement. We investigate the utility of multiple cores from the point of view of security, where one of the cores operates as a watchdog. We define a new metric called LAMBDA (Lightweight Assessment of Malware for emBeddeD Architectures), denoted by λ, which indicates a conceptual boundary between the programs that are allowed to run on a given platform and the code that is suspected to be malware. The metric λ is computed using carefully chosen monitors or features, which are tuples of high-level program attributes representing OS resources, together with low-level hardware performance counters. In contrast to heavy-weight machine learning techniques, we use online hypothesis testing, in the form of a t-test, to classify a given program-under-test. For applications where security is of prime concern, we propose an additional step based on multivariate analysis to classify, with a high degree of confidence, those unknown programs that fall close to the threshold. We present experimental results on an ARM-based platform which validate that the proposed approach provides a lightweight, accurate assessment of malicious code for embedded platforms. In addition, we present a security analysis showing the difficulty of a mimicry attack attempting to bypass LAMBDA.
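The abstract describes the classification step only in outline: per-feature samples from a benign baseline are compared against samples from the program-under-test (PUT) with a t-test, a score λ is derived, and programs that land near the threshold are escalated to a heavier multivariate check. The following is an added illustration of that flow, written for this page; it is not the paper's code. Everything below is assumed for the example: the feature names, the sample values (constructed), the rule that λ is the fraction of monitors whose PUT samples differ significantly from the baseline, the per-feature significance level and the two λ thresholds. The paper's actual definition of λ and its thresholds are not given in the abstract and are not reproduced here. Welch's t-test and the t-distribution p-value are implemented inline (regularized incomplete beta via a continued fraction) so the block runs without SciPy.

```python
"""Added example: a LAMBDA-style per-feature t-test classifier (not the paper's code).

Assumptions (not from the paper): each monitor is a list of readings normalised per
1k instructions; lambda = fraction of monitors whose PUT samples differ from the benign
baseline at level ALPHA; thresholds LAMBDA_ALLOW / LAMBDA_SUSPECT are illustrative.
"""
import math


def _betacf(a, b, x, max_iter=300, eps=3e-14, fpmin=1e-300):
    """Continued fraction for the incomplete beta function (modified Lentz method)."""
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= fpmin else fpmin)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        # even step, then odd step of the continued fraction
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= fpmin else fpmin)
            c = 1.0 + aa / c
            c = c if abs(c) >= fpmin else fpmin
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def betainc(a, b, x):
    """Regularized incomplete beta function I_x(a, b)."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    lbeta = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    bt = math.exp(lbeta + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_two_sided_p(t, df):
    """Two-sided p-value of Student's t with df degrees of freedom."""
    return betainc(df / 2.0, 0.5, df / (df + t * t))


def welch_t(a, b):
    """Welch's two-sample t-test (unequal variances); returns (t, df, p)."""
    n1, n2 = len(a), len(b)
    m1, m2 = sum(a) / n1, sum(b) / n2
    v1 = sum((x - m1) ** 2 for x in a) / (n1 - 1)
    v2 = sum((x - m2) ** 2 for x in b) / (n2 - 1)
    se2 = v1 / n1 + v2 / n2
    if se2 == 0.0:  # degenerate: both samples constant
        return (0.0, float(n1 + n2 - 2), 1.0) if m1 == m2 else (math.inf, float(n1 + n2 - 2), 0.0)
    df = se2 ** 2 / ((v1 / n1) ** 2 / (n1 - 1) + (v2 / n2) ** 2 / (n2 - 1))
    t = (m2 - m1) / math.sqrt(se2)
    return t, df, t_two_sided_p(t, df)


ALPHA = 0.01           # per-monitor significance level (assumed)
LAMBDA_ALLOW = 0.2     # lambda <= this: allowed           (assumed thresholds,
LAMBDA_SUSPECT = 0.5   # lambda >= this: suspected malware   not the paper's values)


def lambda_score(baseline, put, alpha=ALPHA):
    """Assumed scoring rule: fraction of monitors whose PUT samples differ at level alpha."""
    flagged = []
    for name, base_samples in baseline.items():
        t, _df, p = welch_t(base_samples, put[name])
        if p < alpha:
            flagged.append((name, round(t, 2), p))
    return len(flagged) / len(baseline), flagged


def classify(baseline, put):
    """Three-way verdict; 'borderline' is what would be escalated to the multivariate step."""
    lam, flagged = lambda_score(baseline, put)
    if lam <= LAMBDA_ALLOW:
        verdict = "allowed"
    elif lam >= LAMBDA_SUSPECT:
        verdict = "suspect"
    else:
        verdict = "borderline"
    return {"lambda": lam, "verdict": verdict, "flagged": flagged}


# Constructed readings (per 1k retired instructions); 8 baseline runs, 6 PUT runs each.
BENIGN = {"cache_misses": [41.0, 39.5, 42.2, 40.1, 38.9, 41.7, 40.4, 39.8],
          "branch_misses": [12.1, 11.8, 12.6, 12.0, 11.5, 12.3, 12.2, 11.9],
          "ctx_switches": [3.0, 3.2, 2.9, 3.1, 3.0, 3.3, 2.8, 3.1]}
PUT_BENIGN = {"cache_misses": [40.6, 41.3, 39.2, 40.9, 41.1, 39.7],
              "branch_misses": [12.0, 12.4, 11.7, 12.2, 11.9, 12.1],
              "ctx_switches": [3.1, 2.9, 3.2, 3.0, 3.1, 3.0]}
PUT_BORDERLINE = {"cache_misses": [48.9, 50.3, 49.1, 51.0, 49.6, 50.2],   # one monitor shifted
                  "branch_misses": [12.0, 12.4, 11.7, 12.2, 11.9, 12.1],
                  "ctx_switches": [3.1, 2.9, 3.2, 3.0, 3.1, 3.0]}
PUT_SUSPECT = {"cache_misses": [55.2, 57.9, 54.8, 58.3, 56.1, 57.0],      # two monitors shifted
               "branch_misses": [18.4, 19.1, 17.9, 18.8, 19.3, 18.2],
               "ctx_switches": [3.1, 3.0, 3.2, 2.9, 3.1, 3.0]}

if __name__ == "__main__":
    for label, put in (("benign", PUT_BENIGN), ("borderline", PUT_BORDERLINE), ("suspect", PUT_SUSPECT)):
        print(label, classify(BENIGN, put))
```

The point a practitioner should take from this: a per-feature t-test is cheap enough to run on a watchdog core, but it only sees one monitor at a time, so a program that shifts a single counter lands in the "borderline" band and needs the multivariate step the abstract mentions. A mimicry attacker, conversely, has to keep every monitored feature inside the baseline distribution at once, which is what makes the evasion difficult.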

