Decoupled, Real-Time, Multi-Modal Program Execution State Monitoring

Many layer PCBs have many attack surfaces that can hide a Trojan capable of corrupting the processor execution state only with interactions with the processor through external channels such as memory bus. The focus of this research is to monitor the processor execution state only through channels and side-channels that extend beyond the processor chip boundaries. Such a decoupled monitor localizes the program execution state at a blob level - an aggregated form of the program control flow graph. Higher the level of blob aggregation, less demanding are the requirements for the side-channels and execution state revealing channels. Decoupled monitor uses side-channel sensor streams that are naturally created by the program execution (last level cache -LLC- misses). The side-channel sensor streams evaluated in this paper are (1) LLC miss address stream, (2) processor domain power stream, (3) DDR memory domain power stream captured through electromagnetic (EM) emission, and (4) performance monitoring unit (PMU) stream. Blob construction heuristics presents a monitoring overhead trade-off with the localization granularity. A blob is a program level entity whose boundaries are detectable off-processor through side-channel streams. Typical blob sizes we have encountered are 200 instructions as static size and 100s of millions of dynamically executed instructions. The goal of the decoupled monitor is to validate the execution state conformity with a precomputed golden model at a blob and blob path granularity. The monitor is evaluated on a Xilinx Zynq Ultrascale+ ZCU 106 board which contains two ARM processors and a sea of FPGA fabric. Targeted program executes on the Cortex A53 processor for the monitored program state localization. Each of the LLC address, execution path power, performance monitoring unit streams builds machine learning (ML) models for all the paths in a program. The monitor uses these trained ML models to classify the sensor stream data into a Blob/Path. The multiple streams’ classifications are resolved into a single Blob/Path localization based on confidence values of each stream classification. Individual stream’s classification accuracy ranges from 80-90% for the Blob/Path classification. The overall execution state localization is evaluated on a benchmark program "STREAM" with 3 normal execution runs and 2 anomalous runs. The accuracy of this localization is 83.3% for normal runs and 100% for anomalous runs.