publications

2023

1. ACM

   Portability of Deep-Learning Side-Channel Attacks againstSoftware Discrepancies

   ACM Conference on Security and Privacy in Wireless and Mobile Networks, May 2023

   Abs PDF

   Deep-learning side-channel attacks can reveal encryption keys on a device by analyzing power consumption with neural networks. However, the portability of deep-learning side-channel attacks can be affected when training data (from the training device) and test data (from the test device) are discrepant. Recent studies have exam-ined the portability of deep-learning side-channel attacks against hardware discrepancies between two devices. In this paper, we investigate the portability of deep-learning side-channel attacks against software discrepancies between the training device and test device. Specifically, we examine four factors that can lead to software discrepancies, including random delays, instruction rewriting, optimization levels, and code obfuscation. Our experi- mental results show that software discrepancies caused by each factor can significantly downgrade the attack performance of deep-learning side-channel attacks, and even prevent an attacker from recovering keys. To mitigate the impacts of software discrepancies, we investigate three mitigation methods, including adjusting Points of Interest, domain adaptation, and multi-domain training, from the perspective of an attacker. Our results indicate that multi-domain training is the most effective approach among the three, but it can be difficult to scale given the diversity of software discrepancies.

2. IEEE

   TinyPower: Side-Channel Attacks with Tiny Neural Networks(*BEST STUDENT PAPER)

   IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Oct 2023

   Abs PDF

   Abstract—Side-channel attacks leverage the correlation between power consumption and intermediate results of encryption to infer encryption keys. Recent studies show that deeplearning offers promising results in the context of side-channel attacks. However, neural networks utilized in deep-learning sidechannel attacks are often complex with substantial amounts of parameters and consume significant memory. Therefore, it is challenging to perform deep-learning side-channel attacks on resource-constrained devices. In this paper, we propose a framework, named TinyPower, which leverages pruning to reduce the number of parameters of neural networks for side-channel attacks. Pruned neural networks obtained from our framework can successfully run side-channel attacks with a much lower number of parameters and significantly less memory. Our framework focuses on structured pruning over filters of Convolutional Neural Networks (CNNs). We demonstrate the effectiveness of structured pruning over power and EM traces of AES-128 running on microcontrollers (AVR XMEGA and ARM STM32) and FPGAs (Xilinx Artix-7). Our experimental results show that we can achieve a reduction rate of 98.8% (reducing the number of parameters from 53.1 millions to 0.59 millions) on a CNN and still recover keys on XMEGA. For STM32 and Artix-7, we achieve a reduction rate of 92.9% and 87.3% on a CNN respectively. We also demonstrate that our pruned CNNs can effectively perform the attack phase of side-channel attacks on a Raspberry Pi 4 with less than 2.5 milli second inference timeper trace and less than 41 MB memory usage per CNN.

3. IEEE

   EvilELF: Evasion Attacks on Deep-Learning Malware Detection over ELF Files

   IEEE International Conference on Machine Learning and Applications, Sep 2023

   Abs PDF

   This paper investigates evasion attacks on end-to-end deep-learning malware detection over ELF (Executable and Linkable Format) binaries. We show that an attacker can deliberately modify bytes in a malware ELF binary such that a well-trained neural network is misled and predicts it as benign. We examine five methods that can modify ELF binaries without affecting functionalities and leverage them in evasion attacks. We explore two state-of-the-art end-to-end deep learning malware detectors, including MalConv and FireEyeNet, over a real-world dataset with 1,422 ELF binaries. Our experimental results show that evasion attacks with 3 out of the 5 methods are effective and can force the two CNNs to predict incorrectly. For instance, the most effective modification achieves up to 76.6% evasion rate on FireEyeNet and 8.4% evasion rate on MalConv. We also demonstrate that retraining CNNs with deliberately modified binaries can significantly mitigate evasion attacks.

2024

1. ACM

   A Second Look at the Portability of Deep Learning Side-Channel Attacks over EM Traces

   27th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2024), Sep 2024

   Abs PDF

   Deep learning side-channel attacks can recover encryption keys on a target by analyzing power consumption or electromagnetic (EM) signals. However, they are less portable when there are domain shifts between training and test data. While existing studies have shown that pre-processing and unsupervised domain adaptation can enhance the portability of deep learning side-channel attacks given domain shifts over EM traces, the findings are limited to easy targets (e.g. 8-bit microcontrollers).In this paper, we investigate the portability of deep learning side-channel attacks over EM traces acquired from more challeng- ing targets, including 32-bit microcontrollers and EM traces with random delay. We study domain shifts introduced by the combina- tion of hardware variations, distinct keys, and inconsistent probe locations between two targets. In addition, we perform compar- ative analyses of multiple existing (and new) pre-processing and unsupervised domain adaptation methods. We conduct a series of comprehensive experiments and derive three main observations. (1) Pre-processing and unsupervised domain adaptation methods can enhance the portability of deep learning side-channel attacks over more challenging targets. (2) The effectiveness of each method, however, varies depending on the target and probe locations in use. In other words, observations of a method on easy targets do not necessarily generalize to challenging targets. (3) None of the methods can constantly outperform others. Moreover, we highlight two types of pitfalls that could lead to over-optimistic attack results in cross-device evaluations. We also contribute a large-scale public dataset (with 3 million EM traces from 9 probe locations over mul- tiple targets) for benchmarking and reproducibility of side-channel attacks tackling domain shifts over EM traces.