anubhavi2k17 / CHARM

CHARM

Counters Help Against Roving Malware

CHARM is a novel technique to enable interruptible Remote Attestation on low-end microcontrollers. This repo stores the codebase that was used to experimentally validate our approach.

CHARM in a nutshell

Many vendors include Hardware Performance Counters (HPC) in their devices. They usually consist of a few hardware registers that are incremented whenever a specific event occurs. Although they are meant for debugging, we claim that they can also be used to capture a trace of the microcontroller's activity. This trace can later be used to determine whether malicious relocations occurred at attestation time. By feeding this information to a well-trained Binary Classifier on the Verifier's side, we can detect relocations with high accuracy.

Hardware and Software

We ran our experiments on an STM32L552 board equipped with a Cortex-M33 MCU. We used PlatformIO to develop and upload source code to the device. The code in Code/src is in charge of running multiple Remote Attestation routines that overlap with malicious relocations. More on how to use this code in the next section.

Datasets

There are 16 datasets in total. You can find them in the Code/dataset folder. Each of them corresponds to one combination of two parameters, namely entropy level (how unpredictable the benign applications running on your device are) and activity level (how many operations per unit of time the benign applications execute). Each dataset is a csv file labelled with the date on which it was acquired, and contains approximately 10k records. Datasets are generated by the Code/CollectData.py script. This script overwrites the definition of some constants in the Code/constants.h header, then runs pio run --target upload to flash the code to the MCU. One must manually set the desired activity and entropy levels in the script, then run it to generate the dataset. To log the data one must manually monitor the device's serial output and redirect it to a file. In our experiments we used the pio device monitor command, but any other tool works.
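The collection workflow described above (patch constants in a header, flash with pio run --target upload, then turn the captured serial output into a labelled csv) can be reproduced with a small stand-alone script. The following is an added example, not the project's Code/CollectData.py: the constant names ACTIVITY_LEVEL and ENTROPY_LEVEL, and the CYC=...,INS=...,LBL=... serial line layout, are assumptions made here, since the README does not give the real names or the firmware's output format.

```python
import csv
import io
import re
import subprocess

# Assumed constant names (hypothetical; the real ones live in Code/constants.h).
DEFAULT_LEVELS = {"ACTIVITY_LEVEL": 2, "ENTROPY_LEVEL": 3}


def patch_defines(header_text, values):
    """Rewrite '#define NAME <value>' lines in a header for every NAME in values.

    A constant that is not present raises KeyError instead of being silently
    skipped, so a typo cannot leave the firmware running at the previous setting
    while the dataset is labelled with the new one.
    """
    out = header_text
    for name, value in values.items():
        pattern = re.compile(rf"^(#define\s+{re.escape(name)}\s+)\S+", re.MULTILINE)
        out, count = pattern.subn(lambda m, v=value: m.group(1) + str(v), out)
        if count == 0:
            raise KeyError(f"{name} is not defined in the header")
    return out


def flash_command():
    """The PlatformIO command the README names for flashing the MCU."""
    return ["pio", "run", "--target", "upload"]


def flash(dry_run=False):
    """Flash the board; with dry_run=True only return the command (no toolchain needed)."""
    cmd = flash_command()
    if not dry_run:
        subprocess.run(cmd, check=True)  # check=True: a failed upload must not go unnoticed
    return cmd


# Assumed serial record format (hypothetical): "CYC=<cycles>,INS=<instructions>,LBL=<0|1>"
# where LBL=1 marks an attestation window that overlapped a relocation.
RECORD_RE = re.compile(r"^CYC=(\d+),INS=(\d+),LBL=([01])\s*$")


def parse_serial_log(lines, activity, entropy):
    """Turn captured serial lines into dataset rows, tagging each with the run's levels.

    Lines that do not match the record format (boot banners, partially captured
    lines) are dropped rather than parsed into garbage records.
    """
    rows = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        cycles, instructions, label = (int(g) for g in m.groups())
        rows.append({
            "activity": activity,
            "entropy": entropy,
            "cycles": cycles,
            "instructions": instructions,
            "relocated": label,
        })
    return rows


def rows_to_csv(rows):
    """Serialise parsed rows to csv text in the same shape as a dataset file."""
    fields = ["activity", "entropy", "cycles", "instructions", "relocated"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs so the script runs without a board attached.
    header = "#define ACTIVITY_LEVEL 0\n#define ENTROPY_LEVEL 0\n#define OTHER 7\n"
    print(patch_defines(header, DEFAULT_LEVELS))
    print(flash(dry_run=True))
    captured = ["*** CHARM boot ***", "CYC=81234,INS=60021,LBL=0", "CYC=99871,INS=74410,LBL=1"]
    print(rows_to_csv(parse_serial_log(captured, **{"activity": 2, "entropy": 3})))
```

In a real run you would write patch_defines's output back to Code/constants.h, call flash(), and feed the file produced by redirecting pio device monitor into parse_serial_log.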

Models

We tested three Binary Classifiers, namely Logistic Regression (LR), Decision Trees (DT) and Support Vector Machine (SVM). The Code/models folder contains Python classes implementing these classifiers. They are used by the Code/ClassifiersRun.ipynb notebook to train and test the models on the collected datasets.
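To make the Verifier-side classification concrete, here is an added example (not the project's Code/models classes, and not trained on the CHARM datasets) of the LR variant implemented from scratch on constructed HPC readings. The feature layout (cycle count, instruction count, branch count per attestation window) and the synthetic effect of a relocation on those counters are assumptions of this example; the point it shows is the training loop and, for the Verifier, the two error rates that matter: benign windows flagged as relocations (false positives) and relocations that slip through (false negatives).

```python
import math
import random


def make_dataset(n, seed=0):
    """Constructed HPC readings: one (cycles, instructions, branches) vector per
    attestation window, labelled 1 when a relocation overlapped the window.
    Benign activity is noisy; a relocation adds extra work on top of it."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        relocated = rng.random() < 0.5
        instr = rng.uniform(50_000, 60_000)                       # benign workload
        if relocated:
            instr += rng.uniform(15_000, 20_000)                  # assumed relocation cost
        cycles = instr * rng.uniform(1.2, 1.4)                    # CPI jitter
        branches = instr * rng.uniform(0.10, 0.14)
        if relocated:
            branches += rng.uniform(800, 1_500)                   # copy loops branch more
        rows.append(([cycles, instr, branches], 1 if relocated else 0))
    return rows


def sigmoid(z):
    # Numerically stable logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


class LogisticRegression:
    """Full-batch gradient descent LR with per-feature standardisation."""

    def __init__(self, lr=0.5, epochs=600):
        self.lr, self.epochs = lr, epochs

    def _scale(self, x):
        return [(xi - m) / s for xi, m, s in zip(x, self.means, self.stds)]

    def fit(self, rows):
        dim, n = len(rows[0][0]), len(rows)
        # Standardise: raw counter magnitudes differ by orders of magnitude.
        self.means = [sum(x[i] for x, _ in rows) / n for i in range(dim)]
        self.stds = [math.sqrt(sum((x[i] - self.means[i]) ** 2 for x, _ in rows) / n) or 1.0
                     for i in range(dim)]
        scaled = [(self._scale(x), y) for x, y in rows]
        self.w, self.b = [0.0] * dim, 0.0
        for _ in range(self.epochs):
            gw, gb = [0.0] * dim, 0.0
            for xs, y in scaled:
                err = sigmoid(sum(wi * xi for wi, xi in zip(self.w, xs)) + self.b) - y
                for i in range(dim):
                    gw[i] += err * xs[i]
                gb += err
            for i in range(dim):
                self.w[i] -= self.lr * gw[i] / n
            self.b -= self.lr * gb / n
        return self

    def prob(self, x):
        xs = self._scale(x)
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, xs)) + self.b)

    def predict(self, x):
        return 1 if self.prob(x) >= 0.5 else 0


def evaluate(model, rows):
    """Accuracy plus the two Verifier-relevant error rates."""
    fp = fn = correct = benign = relocated = 0
    for x, y in rows:
        p = model.predict(x)
        correct += p == y
        if y == 0:
            benign += 1
            fp += p == 1
        else:
            relocated += 1
            fn += p == 0
    return {
        "accuracy": correct / len(rows),
        "false_positive_rate": fp / benign if benign else 0.0,
        "false_negative_rate": fn / relocated if relocated else 0.0,
    }


if __name__ == "__main__":
    model = LogisticRegression().fit(make_dataset(400, seed=1))
    print(evaluate(model, make_dataset(200, seed=2)))
```

Training and test sets come from different seeds so the reported rates are held-out figures; the false-negative rate is the one an attacker cares about, since every missed window is a relocation that passed attestation.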

Plot Generation

The test scores for each model and each preprocessing technique were gathered in the PlotGenerationKit/Results folder. The PlotGenerationKit/Plots.ipynb notebook reads and analyzes those scores and generates the plots that you can find in our manuscript.
