Rooting Out Malware With a Side-Channel Chip Defense System

The world of malware has been turned on its head this week, as a company in Virginia has introduceda new cybersecurity technology that at first glance looks more like a classic cyberattack.

The idea hatched by PFP Cybersecurity of Vienna, Va., is taken from the playbook of a famous cryptography-breaking scheme called the side channel attack. All malware, no matter the details of its code, authorship, or execution, must consume power. And, as PFP has found, the signature of malwares power usage looks very different from the baseline power draw of a chips standard operations.

So this week, PFP is announcing a two-pronged technology (called P2Scan and eMonitor) that physically sits outside the CPU and sniffs the chips electromagnetic leakage for telltale signatures of power consumption patterns indicating abnormal behavior.

The result, they say, is a practically undetectable, all-purpose malware discovery protocol, especially for low-level systems that follow a predictable and standard routine. (Computers with users regularly attached to them, like laptops and smartphones, often have no baseline routine from which abnormal behavior can be inferred. So, PFP officials say, their technology is at the moment better suited to things like routers, networks, power grids, critical infrastructure, and other more automated systems.)

On average, malware exists on a system for 229 days before anyone ever notices anything is there, Thurston Brooks, PFPs vice president of engineering and product marketing told IEEE Spectrum. Whats really cool about our system is we tell you within milliseconds that something has happened.

PFPan acronym for power fingerprintingrequires that its users establish a firm baseline of normal operations for the chips the company will be monitoring. So they begin with P2Scan, a credit-card-size physical sensor that monitors a given chip, board, device, embedded system, or network router for its electromagnetic fingerprints when running normally.

Unlike most malware strategies in the marketplace today, PFP takes a strikingly software-agnostic tack to besting malware, hardware Trojans, and other cyberattacks.

Were not trying to actually understand whats going on inside the machine, like the hackers are, says Brooks. Were trying to define what normal behavior looks like. Then, knowing [that], we can detect abnormal behavior.

The view of malware as seen from outside the chip, in other words, can be a refreshing one. Hackers cant detect this type of surveillance, because the scanning tools never actually interact with the chips operations. And hackers can be as clever as the most sophisticated programmers in the world. Yet, their code will still very likely be detected because, simply by virtue of performing different tasks than the chip normally performs, it will have a different power profile.

I am a signal processing guy, says PFP president Jeff Reed, who is also a professor in the ECE department at Virginia Tech. Our approach is a very different approach than a person whos normally schooled in securityWere trying to understand a disturbance in the signal due to the inclusion of malware.

Read this article:
Rooting Out Malware With a Side-Channel Chip Defense System