Aydin Aysu, Ph.D., is Assistant Professor in the Electrical & Computer Engineering Department at North Carolina State University in Raleigh, where he helped develop a technique for detecting micro-architecture malware that uses a system’s architecture to thwart traditional security measures.

Tech Briefs: How does micro-architecture malware thwart traditional security measures?

Professor Aydin Aysu: Typically, malware detection relies on a software issue. There is a database of potential software vulnerabilities. If such a vulnerability is being exploited, you can detect it. This is called signature-based detection. Micro-architecture malware, on the other hand, uses hardware vulnerabilities, which are fundamentally different. This is done in all modern microcontrollers or processors — things like sharing tasks and data across applications. In the past three or four years, we have figured out ways this fundamental optimization strategy can be abused. That is what we mean by micro-architectural attacks — they can occur because of how the hardware fundamentally operates.

Tech Briefs: How does the malware get into the microprocessor?

Dr. Aysu: There is a unit called a cache — a full memory structure in the hardware that is shared across different programs. When a program executes, caches are shared among programs to accelerate their execution. Malware doesn’t actually listen in on the software; it listens for how the software changes the hardware execution. If there is a certain behavior in memory or cache access in some security-critical program, then while this is executing, the malware listens to its signatures — memory access, execution time, etc. Based on this information, the malware tries to reverse-engineer what is being done in the target victim’s software. It can do this without having to access the target program’s execution. It simply observes how the program is executed in the hardware and observes the traces it leaves in the architecture.

Tech Briefs: How did you come to the idea of tracking power fluctuations?

Dr. Aysu: We found that although malware can be successful, the perpetrators would have to change the software instantiation by adding extra instructions. That would change the power consumption as it’s being executed. There are millions of electronic devices today. People are trying to patch in software to make the devices more secure against malware, but it’s not successful, in my opinion. What we envision in the future is an out-of-the-box, plug-and-play software monitor that can then be attached to the microcontroller of the system it’s going to protect.

Tech Briefs: Won’t hackers try to fool your detector?

Dr. Aysu: Once you have this system, the next step for the malware designers is to mimic the power behavior of a trusted application and still do some malicious activity. Depending on the system configuration and its power measurement capabilities, there is room for malware to mimic power consumption. This is not valid for all malware, but even where it can be effective, its power will be reduced. We observed that if the malware is shaped to mimic normal power behavior, our detector causes it to slow down by over 86%.

An edited version of this interview appeared in the July Issue of Tech Briefs.