Fine-Grained Analysis of Physically Observable Side Channels

Question 1

What is HDBSCAN?

Answer 1

Tool designed to help identify repetitive code patterns in a frequency over time graph.

Question 2

How does HDBSCAN quantitatively analyze a graph?

Answer 2

It transforms a frequency over time graph based on density / sparsity of signals and uses a minimum spanning tree to sort them.

Question 3

How do we find a match in HDBSCAN?

Answer 3

HDBSCAN creates a table of harmonics sorted by time, we check our signal with each entry in the graph

Question 4

What is an alternative to HDBSCAN?

Answer 4

Dimension reduction

Question 5

What are the two phases of dimension reduction?

Answer 5

• Phase I: average of short-Fourier transfers to reduce noise
• Phase II: reduce number of samples (tracking all frequency components can cause high overhead)

Question 6

Three types of loops and their spectral representation

Answer 6

1. Fixed - fixed time == high peak at one frequency
2. Control flow == two peaks (one for if, one for else)
3. Nested == wide peak (since the timing can vary)

Question 7

How does malware affect loops?

Answer 7

If code is inserted or removed from a loop, the timing will go up or down and the spectral peaks will move left or right (shift in frequency)

Question 8

EDDIE

Answer 8

Tool designed to detect malware inserted/removed from loops.

Question 9

How does EDDIE work?

Answer 9

Create reference set for each loop and then compare live data to it

Question 10

How well does EDDIE perform?

Answer 10

Fastest to detect anomalies in fixed, then control flow, then nested

Question 11

Pro / con of time domain analysis

Answer 11

pro: good for fine-grained analysis to see program flow
con: does not scale

Question 12

In time domain analysis, what granularity can we track on?

Answer 12

individual instruction, blocks, or control flow

Question 13

How do we determine which branch was taken?

Answer 13

peak in graph of moving median slope is the start of a branch, and you can find the branch since it is a fixed-distance away. 1. Train data then 2. use ML at runtime to determine which branch was taken

Question 14

How well does our branch predictor work?

Answer 14

Works perfectly on large differences, works okay-to-well on 1 instruction differences depending on measurement frequency

Question 15

Potential drawback of ML

Answer 15

scale!

Question 16

Zero Overhead Profiling (ZOP) via EM Emanations

Answer 16

1. Insert markers into the code so that you can subdivide the signal and only compare a single at a time (i.e. you are only trying to match a partial signal) =>this way, you don’t have to train across all possible runs of the program and can reuse runs of the same section even if it didn’t occur in the same order
2. Markers can help you recreate the control flow graph (can also infer that if we are at point A, we can only go to points B, and C, but not D)
3. Do a search at runtime of graph

Question 17

Pro/cons of ZOP

Answer 17

• Pros: can be used for many purposes: malware detection, debugging, security
• Cons: Does not scale well to larger programs and hard to get 100% code coverage on training data

Question 18

IDEA

Answer 18

Technique for EM SC Analysis - want to deal with ZOP’s computation explosion

Question 19

IDEA steps

Answer 19

1. Create dictionary from training signals:
   
   • Divide each signal into overlapping fixed-duration windows
   • Each window is an entry in the dictionary
2. Use clustering to reduce the number of dictionary entries
   
   • In ZOP, we kept all examples of an A->B segment, here we reduce so that we only have one example of A->B
3. In monitoring phase, match signal to dictionary entry
   
   • Split monitored signal into windows and match to dictionary
   • Recreate a signal based on the ‘best-match’ of each window

Question 20

Pros of IDEA

Answer 20

• Great at malware detection
• Does not require malware signature
• Does not require access to source code or control flow graph

Question 21

Cons of IDEA

Answer 21

• Dictionary may get prohibitively large for larger applications
• Need more samples as clock rate increases

Question 22

Neural Network Technique

Answer 22

Improves on IDEA and is a neural network trained on sample inputs. Has 6 hidden layers, and outputs next (predicted) signal. Compare predicted signal to actual signal => flag if too much of a deviation

Question 23

Pros of Neural Network

Answer 23

• Better performance
• Lower memory consumption
• Lower computation time