CN107798237A - It is a kind of to determine to hide the method and system at back door in embedded system by side channel signal - Google Patents

It is a kind of to determine to hide the method and system at back door in embedded system by side channel signal Download PDF

Info

Publication number
CN107798237A
CN107798237A CN201610786385.8A CN201610786385A CN107798237A CN 107798237 A CN107798237 A CN 107798237A CN 201610786385 A CN201610786385 A CN 201610786385A CN 107798237 A CN107798237 A CN 107798237A
Authority
CN
China
Prior art keywords
channel signal
side channel
sequential
reference data
invalid command
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610786385.8A
Other languages
Chinese (zh)
Other versions
CN107798237B (en
Inventor
华刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aisino Corp
Original Assignee
Aisino Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aisino Corp filed Critical Aisino Corp
Priority to CN201610786385.8A priority Critical patent/CN107798237B/en
Publication of CN107798237A publication Critical patent/CN107798237A/en
Application granted granted Critical
Publication of CN107798237B publication Critical patent/CN107798237B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/556Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power-Operated Mechanisms For Wings (AREA)
  • Devices For Checking Fares Or Tickets At Control Points (AREA)

Abstract

The present invention proposes a kind of method that the hiding back door of disguise as invalid command in embedded system is determined by side channel signal.Methods described includes:Gather the multiple side channel signals of multiple invalid commands in the process of implementation;The multiple side channel signals gathered are alignd in time, obtain multiple sequential sides channel signal;Obtained multiple sequential sides channel signal is subjected to mean value calculation to obtain reference data sequential side channel signal;Calculate the variance yields of resulting reference data sequential side channel signal and according to variance yields threshold value;Multiple sequential sides channel signal is compared to simultaneously calculating difference with reference data sequential side channel signal respectively;The absolute value of the difference and threshold value are contrasted, determine pending invalid command;And the sequential side channel signal of pending invalid command and reference data sequential side channel signal are subjected to waveform comparison, determine the pending invalid command whether be disguise as invalid command hiding back door.

Description

It is a kind of by side channel signal determine in embedded system hide back door method and System
Technical field
Embedded system is determined by side channel the present invention relates to computer safety field, and more particularly, to one kind The method and system at back door is hidden in system.
Background technology
The development system of existing Embedded Application be usually by:Hardware platform, Chinese operating system (COS, China Operating System) and three part compositions of application program.Wherein, hardware platform is the hardware base for realizing various functions Plinth.COS systems are mainly responsible for command scheduling, resource management, inside and outside data transfer etc., and application program part performs business and patrolled Volume.These three parts are general all to be realized by different producers.
For Embedded Application developer, its development platform purchased generally comprises hardware platform and COS systems.Cause This, it is only necessary to development and application logic both can, efficiency can also be so improved while cost is reduced.But in general, Code will not be supplied to the developer of Embedded Application by the provider of development platform.So, the developer of Embedded Application without Method learns that the product that the provider of development platform is provided whether there is the hiding back door endangered or reduce system safe class.
At present, for the research at hiding back door, network security aspect is concentrated mainly on, is divided into port and hides back door and webpage Hide back door.But the research for back door in embedded system is less.In in general embedded system, the investigation at back door Method is needed to provide complete source code, and hiding back door is investigated by the logic analysis of code.In view of this method exists The border of Liao Liangge economic entities is crossed in intellectual property protection, so typically code is supplied to third party by a side, by Third party makes an appraisal, then by assessment result to the side for needing the result.In this approach, the premise of implementation is both sides It is required for establishing to third-party trust.And this method is not a kind of direct method, but a kind of round-about way.It is this Method adds the complexity of whole economic process, also increases cost, and reduce efficiency.
In embedded systems, the completion of operation flow is mainly by responding extraneous incoming Application Protocol Data Unit (APDU, Application Protocol Data Unit) is ordered to complete.In general user's handbook, those perform business Effective APDU orders can all be listed, and the APDU orders that those are not listed are considered as then invalid command.Have a kind of hidden The implementation for hiding back door is exactly the invalid command that disguises oneself as, and after only receiving some special parameter, hides back door just meeting Perform.Therefore, the implementor that only has a back door connection just knows how to call these back doors, and the caller without knowing this parameter can not Trigger the execution at back door.So attempting the mode of all invalid commands only by traversal, these back doors can not be found.
Embedded device in the process of running, with the progress of calculating, be able to can discharge in power consumption, electromagnetism etc. Clock signal.Generally, these signals are referred to as side channel information by prior art.Side channel signal analysis is to be based on these side channels The analysis that information is carried out, it is therefore an objective to obtain the state inside embedded device, analyze and obtain the process of some conclusions accordingly.
Existing embedded system back door detection technique, which is substantially all, to be needed just draw a conclusion by the analysis of source code, And this method is more complicated, cost is higher and efficiency is low.
The content of the invention
In order to solve the above problems, disguise as in embedded system is determined by side channel signal the invention provides one kind The method and system at the hiding back door of invalid command.The present invention differentiates real invalid command by the exception of side channel signal With the invalid command of camouflage, and by this comparison, the back door of those invalid commands that disguise oneself as is found.
According to an aspect of the invention, there is provided it is a kind of by side channel signal determine in embedded system disguise as without The method at the hiding back door of active command, methods described include:
The multiple side channel signals of multiple invalid commands in the process of implementation are gathered, one of invalid command is corresponding one Side channel signal;
The multiple side channel signals gathered are alignd in time, obtain multiple sequential sides channel signal;
Obtained multiple sequential sides channel signal is subjected to mean value calculation to obtain reference data sequential side channel letter Number;
Calculate the variance yields of resulting reference data sequential side channel signal and according to variance yields threshold value;
Multiple sequential sides channel signal is compared with reference data sequential side channel signal respectively, during determining multiple The difference of each sequential side channel signal and reference data sequential side channel signal in the channel signal of sequence side;
The absolute value of the difference and threshold value are contrasted, determine pending invalid command;And
The sequential side channel signal of pending invalid command and reference data sequential side channel signal are subjected to waveform ratio Compared with, determine the pending invalid command whether be disguise as invalid command hiding back door.
Preferably, wherein before the multiple side channel signals gathered are alignd in time, to multiple side channels Signal carries out low-pass filtering treatment, to remove noise.
Preferably, wherein described carry out mean value calculation to obtain reference data by obtained multiple sequential sides channel signal Sequential side channel signal is:Multiple sequential sides channel signal is each to obtain in the value progress mean value calculation of same time point The average value at time point, the average value of Each point in time is then formed into reference data sequential side channel signal.
Preferably, multiple sequential sides channel signal is compared with reference data sequential side channel signal respectively, with true The difference of each sequential side channel signal and reference data sequential side channel signal is in fixed multiple sequential sides channel signal:It is determined that Each sequential side channel signal and reference data sequential side channel signal are on same time point in the channel signal of multiple sequential sides The absolute value of difference, so that it is determined that the difference curve of each sequential side channel signal and reference data sequential side channel signal.
Preferably, wherein the absolute value of the difference and threshold value are contrasted, determine that pending invalid command includes: By in difference curve value a little compared with threshold value, when the value at any point is more than threshold value, the side channel is believed Invalid command corresponding to number is defined as pending invalid command.
Preferably, wherein by the sequential side channel signal of pending invalid command and reference data sequential side channel signal Waveform comparison is carried out, determines whether the pending invalid command is to hide back door to include:If pending invalid command Sequential side channel signal the beginning part and latter end respectively with the beginning part of reference data sequential side channel signal and Latter end is consistent, but is moved after sequential being present in center section, it is determined that pending invalid command is disguise as without going all out to do one's duty regardless of personal danger The hiding back door of order.
According to another aspect of the present invention, there is provided a kind of that disguise as in existing embedded system is determined by side channel letter The system at the hiding back door of invalid command, including:
Signal gathering unit, gather the multiple side channel signals of multiple invalid commands in the process of implementation, one of nothing The corresponding side channel signal of active command;
Signal alignment unit, the multiple side channel signals gathered are alignd in time, obtain multiple sequential sides Channel signal;
Equal value cell is calculated, when obtained multiple sequential sides channel signal is carried out into mean value calculation to obtain reference data Sequence side channel signal;
Threshold value determination unit, the variance yields of the reference data sequential side channel signal obtained by calculating are simultaneously true according to variance yields Determine threshold value;
Difference unit is calculated, multiple sequential sides channel signal is compared with reference data sequential side channel signal respectively Compared with to determine the difference of each sequential side channel signal and reference data sequential side channel signal in the channel signal of multiple sequential sides Value;
Threshold decision unit, the absolute value of the difference and threshold value are contrasted, determine pending invalid command;With And
As a result judging unit, the sequential side channel signal of pending invalid command and reference data sequential side channel are believed Number be compared, determine the pending invalid command whether be disguise as invalid command hiding back door.
Preferably, the system is also made an uproar unit including low pass filtered, multiple side channel signals is carried out into low-pass filtering treatment, to go Except noise.
Preferably, wherein calculate described in equal value cell by obtained multiple sequential sides channel signal carry out mean value calculation with Obtaining reference data sequential side channel signal is:Value of multiple sequential sides channel signal in same time point is subjected to average value meter Calculate to obtain the average value of Each point in time, the average value of Each point in time is then formed into reference data sequential side channel letter Number.
Preferably, multiple sequential sides channel signal is believed with reference data sequential side channel respectively wherein calculating difference unit Number it is compared, to determine each sequential side channel signal and reference data sequential side channel in the channel signal of multiple sequential sides The difference of signal is:Determine that each sequential side channel signal is believed with reference data sequential side channel in the channel signal of multiple sequential sides The absolute value of difference number on same time point, so that it is determined that each sequential side channel signal is believed with reference data sequential side channel Number difference curve.
Preferably, wherein threshold decision unit is contrasted the absolute value of the difference and threshold value, is determined pending Invalid command includes:By in difference curve value a little compared with threshold value, will when the value at any point is more than threshold value Invalid command corresponding to the side channel signal is defined as pending invalid command.
Preferably, when wherein result judging unit is by the sequential side channel signal and reference data of pending invalid command Sequence side channel signal carries out waveform comparison, determines whether the pending invalid command is to hide back door to include:If wait to locate The beginning part and latter end of the sequential side channel signal of the invalid command of reason respectively with reference data sequential side channel signal The beginning part it is consistent with ending, but moved after sequential being present in center section, it is determined that pending invalid command is The hiding back door of disguise as invalid command.
Technical scheme does not need source code, by dividing side channel signal caused by invalid command Analysis, judge that the development platform of platform development business offer whether there is the hiding back door of disguise as invalid command.On the one hand, directly build The technology trusting relationship of vertical both sides, avoids passing through third party to be authenticated, while efficiency is greatly improved significantly Reduce cost.On the other hand, the security privacy of user is protected, there is preferable practical value.
The key point of the present invention is:
1. by the side channel signal of collection is analyzed judge whether disguise as invalid command hide after Door.
2. it is used as judgment standard by the use of the average of the side channel signal of all invalid commands.If the side letter of some invalid command Road signal and this mean value signal difference exceed specific threshold, then it is probably the hidden of disguise as invalid command to judge the invalid command Hide back door.
3. judge whether the invalid command is hidden by using the mode alignd before and after the side channel signaling data of sequential The back door of Tibetan.In sequential, the clock signal of invalid command under a cloud and reference data sequential side channel signal are compared It is right.If the clock signal the beginning part and latter end are consistent with reference signal, but centre there occurs it is trickle when Moved after sequence, then can determine that the displacement in the signal is judged caused by the implementation procedure of sentence for what certain triggering back door performed , it may be determined that " invalid command " corresponding to it is the hiding back door of disguise as invalid command.
Brief description of the drawings
By reference to the following drawings, the illustrative embodiments of the present invention can be more fully understood by:
Fig. 1 shows the overall flow figure of the side channel signal analysis method 100 according to embodiment of the present invention;
Fig. 2 shows the flow chart according to the preferred embodiment of the present invention for determining to hide the method 200 at back door;
Fig. 3 shows the structural representation according to the preferred embodiment of the present invention for determining to hide the system 300 at back door;With And
Fig. 4 A and 4B show it is according to the preferred embodiment of the present invention according to sequential relatively come determine hide back door side The exemplary plot of method 400.
Embodiment
The illustrative embodiments of the present invention are introduced with reference now to accompanying drawing, however, the present invention can use many different shapes Formula is implemented, and is not limited to embodiment described herein, there is provided these embodiments are to disclose at large and fully The present invention, and fully pass on the scope of the present invention to person of ordinary skill in the field.Show for what is be illustrated in the accompanying drawings Term in example property embodiment is not limitation of the invention.In the accompanying drawings, identical cells/elements are attached using identical Icon is remembered.
Unless otherwise indicated, term (including scientific and technical terminology) used herein has to person of ordinary skill in the field It is common to understand implication.Further it will be understood that the term limited with usually used dictionary, be appreciated that and its The linguistic context of association area has consistent implication, and is not construed as Utopian or overly formal meaning.
The method of the present invention is mainly analyzed by the side channel signal of the invalid command to collection, to judge whether The hiding back door of disguise as invalid command be present.The whole flow process of side channel signal analysis is broadly divided into 3 stages:(1) signal Sample collection;(2) pretreatment of sample of signal;And (3) data analysis.
Fig. 1 shows the overall flow figure of the side channel signal analysis method 100 according to embodiment of the present invention.Such as Fig. 1 Shown, side channel signal analysis method 100 is since step 101 place.In step 101, gather multiple invalid commands and performing Multiple side channel signals in journey.Preferably, the corresponding side channel signal of an invalid command.It is if for example, invalid in the presence of 8 Order, then this 8 invalid commands have 8 side channel signals.
Preferably, the side channel signal of collection is handled in step 102, data processing stage.For example, low pass filtered Make an uproar, signal alignment, mean value computation, threshold value determine, calculate difference, threshold decision etc..Preferably, multiple side channels of collection are believed Number carry out low-pass filtering treatment, to remove noise.Preferably, when multiple side channel signals to collection carry out low-pass filtering treatment The multiple side channel signals gathered are alignd in time in step 203, signal alignment unit afterwards, obtain multiple sequential Side channel signal.In time and it may not lined up generally, due to the multiple side channel signals gathered, so for follow-up Mean value computation can cause serious influence.Therefore, generally before subsequently calculate, the multiple side channel signals that will be gathered Alignd in time.Preferably, after signal alignment is carried out to the survey channel signal of collection, the multiple sequential sides that will obtain Channel signal carries out mean value calculation to obtain reference data sequential side channel signal.Wherein calculating will be multiple described in equal value cell Sequential side channel signal carry out mean value calculation using obtain reference data sequential side channel signal as:Multiple sequential sides channel is believed Number mean value calculation is carried out to obtain the average value of Each point in time in the value of same time point, and by the flat of Each point in time Average composition reference data sequential side channel signal.Preferably, the side of the reference data sequential side channel signal obtained by calculating Difference and according to variance yields threshold value.Preferably, by multiple sequential sides channel signal respectively with reference data sequential side channel Signal is compared, to determine each sequential side channel signal and reference data sequential side channel in the channel signal of multiple sequential sides The difference of signal.Preferably, it is determined that each sequential side channel signal and reference data sequential side channel signal are in same time point The absolute value of upper difference, so that it is determined that the difference curve of each sequential side channel signal and reference data sequential side channel signal. Preferably, the absolute value of the difference and threshold value are contrasted, determines pending invalid command.Preferably, difference curve On value a little compared with threshold value, when the value at any point is more than threshold value, by corresponding to the side channel signal Invalid command is defined as pending invalid command.
Preferably, in step 103, as a result judge that the stage carries out analysis judgement to treated side channel signal.Specifically For, the sequential side channel signal of pending invalid command and benchmark sequential side channel signal are compared, it is determined that described Pending invalid command whether be disguise as invalid command hiding back door.Preferably, if pending invalid command The beginning part of side channel signal is consistent with benchmark sequential side channel signal with latter end, but in the presence of center section Moved after sequence, it is determined that pending invalid command is the hiding back door of disguise as invalid command.
Fig. 2 shows the flow chart according to the preferred embodiment of the present invention for determining to hide the method 200 at back door.Such as Fig. 2 It is shown, it is determined that hiding the method 200 at back door since step 201 place.In step 201, gather multiple invalid commands and performing Multiple side channel signals in journey.Preferably, the corresponding side channel signal of an invalid command.It is if for example, invalid in the presence of 8 Order, then this 8 invalid commands have 8 side channel signals.
Preferably, in step 202, low-pass filtering treatment is carried out to multiple side channel signals of collection, to remove noise.
Preferably, after multiple side channel signals to collection carry out low-pass filtering treatment, step 203 is carried out.In step 203, signal alignment unit is alignd the multiple side channel signals gathered in time, obtains multiple sequential sides channel letter Number.In time and it may not lined up generally, due to the multiple side channel signals gathered, so for follow-up mean value computation Serious influence can be caused.Therefore, generally before subsequently calculate, by the multiple side channel signals gathered in time Alignd.
Preferably, in step 204, after the survey channel signal to collection carries out signal alignment, the multiple sequential that will obtain Side channel signal carries out mean value calculation to obtain reference data sequential side channel signal.It will be more wherein to calculate described in equal value cell Individual sequential side channel signal carry out mean value calculation using obtain reference data sequential side channel signal as:By multiple sequential sides channel Signal carries out mean value calculation to obtain the average value of Each point in time in the value of same time point, and by Each point in time Average value composition reference data sequential side channel signal.For example, for each side channel signal in sequential (for example, time point) The numerical value drawn of averaging is respectively 1,3,5,4,2, then corresponding reference data side channel signal is corresponding in the sequential Numerical value is respectively 1,3,5,4,2.
Preferably, in step 205, the variance yields of the reference data sequential side channel signal obtained by calculating and according to side Difference threshold value.Preferably, 2/3 threshold value as maximum magnitude more than variance yields can be chosen.For example, to reference data For the channel signal of sequential side, variance 2 then can be using selected threshold as 2+2*2/3=3.33.
Preferably, in step 206, multiple sequential sides channel signal is carried out with reference data sequential side channel signal respectively Compare, to determine the difference of each sequential side channel signal and reference data sequential side channel signal in the channel signal of multiple sequential sides Value.Preferably, it is determined that each sequential side channel signal and reference data sequential side channel signal difference on same time point Absolute value, so that it is determined that the difference curve of each sequential side channel signal and reference data sequential side channel signal.
Preferably, in step 207, the absolute value of the difference and threshold value are contrasted, determine that pending nothing is gone all out to do one's duty regardless of personal danger Order.Preferably, in difference curve value a little compared with threshold value, when the value at any point is more than threshold value, by institute Invalid command corresponding to stating side channel signal is defined as pending invalid command.If for example, in the presence of invalid command when Absolute value of the sequence side channel signal with the difference of reference data sequential side channel signal in sequential is respectively 0.5,0.8,2.5, 1.8,3.2, and threshold value is 3.3, now the absolute value in the absence of the difference of any point is more than threshold value 3.3, then it is assumed that this side channel Invalid command corresponding to signal is not to hide the hiding back door for invalid command.If in the presence of the sequential side channel of an invalid command Absolute value of the signal with the difference of reference data sequential side channel signal in sequential is respectively 0.5,0.8,2.5,1.8,3.3, And threshold value is 3.2, now the absolute value in the presence of the difference at a point is more than threshold value 3.2, then it is assumed that this side channel signal is corresponding Invalid command be hide back door possibility it is larger, extract pending.
Preferably, in step 208, the sequential side channel signal of pending invalid command and reference data sequential side are believed Road signal is compared, determine the pending invalid command whether be disguise as invalid command hiding back door.Preferably, If the beginning part and latter end of the side channel signal of pending invalid command are believed with reference data sequential side channel It is number consistent, but moved after sequential being present in center section, it is determined that pending invalid command is hidden for disguise as invalid command Hide back door.
Fig. 3 shows the structural representation according to the preferred embodiment of the present invention for determining to hide the system 300 at back door.Such as Shown in Fig. 3, the system 300 for finding to hide back door includes:Signal gathering unit 301, low pass filtered are made an uproar unit 302, signal alignment list Member 303, calculate equal value cell 304, threshold value determination unit 305, calculate difference list 306, threshold decision unit 307, result judgement Unit 308.It was found that the system 300 for hiding back door gathers multiple invalid commands in the process of implementation in signal gathering unit 301 Multiple side channel signals.Preferably, the corresponding side channel signal of an invalid command.If for example, in the presence of 8 invalid commands, It is then corresponding to have 8 side channel signals.
Preferably, needed after signal gathering unit 301, low pass filtered unit 302 of making an uproar is carried out to the side channel signal of collection Low-pass filtering treatment, to remove noise.
Preferably, after multiple side channel signals of collection carry out low-pass filtering treatment, signal alignment unit 303 will be adopted Multiple side channel signals of collection are alignd in time, obtain multiple sequential sides channel signal.
Preferably, after the survey channel signal to collection carries out signal alignment, it is multiple by what is obtained to calculate equal value cell 304 Sequential side channel signal carries out mean value calculation to obtain reference data sequential side channel signal.Wherein calculate equal value cell 304 It is described by multiple sequential sides channel signal carry out mean value calculation using obtain reference data sequential side channel signal as:When will be multiple Sequence side channel signal carries out mean value calculation to obtain the average value of Each point in time in the value of same time point, and will be each The average value composition reference data sequential side channel signal at time point.
Preferably, the variance yields and root of the reference data sequential side channel signal obtained by threshold value determination unit 305 calculates According to variance yields threshold value.Preferably, variance yields can be chosen and obtain 2/3 threshold value as maximum magnitude.
Preferably, difference unit 306 is calculated to believe multiple sequential sides channel signal with reference data sequential side channel respectively Number it is compared, to determine that each sequential side channel signal is believed with reference data sequential side channel in the channel signal of multiple sequential sides Number difference.Preferably, it is determined that each sequential side channel signal and reference data sequential side channel signal are on same time point The absolute value of difference, so that it is determined that the difference curve of each sequential side channel signal and reference data sequential side channel signal.
Preferably, threshold decision unit 307 is contrasted the absolute value of the difference and threshold value, determines pending nothing Active command.Preferably, in difference curve value a little compared with threshold value, when the value at any point is more than threshold value, Invalid command corresponding to the side channel signal is defined as pending invalid command.
Preferably, as a result judging unit 308 by the sequential side channel signal of pending invalid command and benchmark sequential side Channel signal is compared, determine the pending invalid command whether be disguise as invalid command hiding back door.It is preferred that Ground, if the side channel signal of pending invalid command the beginning part and latter end and reference data sequential side channel Signal is consistent, but is moved after sequential being present in center section, it is determined that pending invalid command is disguise as invalid command Hide back door.
Fig. 4 A and 4B show it is according to the preferred embodiment of the present invention according to sequential relatively come determine hide back door side The exemplary plot of method 400.In sequential, by the sequential side channel signal of pending invalid command and reference data sequential side channel Signal carries out waveform comparison.If the beginning part and latter end of the sequential side channel signal are believed with reference data sequential side Road signal is consistent, is only moved after center section is there occurs trickle sequential, then can determine the displacement in the side channel signal Judge for what certain triggering back door performed caused by the implementation procedure of sentence, thus may determine that " invalid command " corresponding to it For the hiding back door of disguise as invalid command.
As shown in Figure 4 A, " leave a question open (alternatively referred to as pending) " side channel signal and " benchmark " side channel signal is opened in signal The position of beginning is overlapping alignment.As shown in Figure 4 B, " leave a question open " side channel signal and " benchmark " side channel signal it is later half in signal Part is overlapping alignment., it is necessary to which the side channel signal that " will leave a question open " translates forward on the basis of Fig. 4 A first half alignment, Could be in latter half and the alignment of " benchmark " side channel signal.This just illustrates representated by " leaving a question open (pending) " side channel signal Calculate, for the calculating representated by the channel signal of " benchmark " side, insert some computings, these computings are exactly to start to hide The code at back door, usually judge whether input parameter meets with and if start the program code for hiding back door.
The present invention is described by reference to a small amount of embodiment.However, it is known in those skilled in the art, as What subsidiary Patent right requirement was limited, except the present invention other embodiments disclosed above equally fall the present invention's In the range of.
Normally, all terms used in the claims are all solved according to them in the usual implication of technical field Release, unless clearly being defined in addition wherein.All references " one/described/be somebody's turn to do [device, component etc.] " are all opened ground At least one example being construed in described device, component etc., unless otherwise expressly specified.Any method disclosed herein Step need not all be run with disclosed accurately order, unless explicitly stated otherwise.

Claims (12)

1. a kind of method that the hiding back door of disguise as invalid command in embedded system is determined by side channel signal, including:
Gather the multiple side channel signals of multiple invalid commands in the process of implementation, the corresponding side letter of one of invalid command Road signal;
The multiple side channel signals gathered are alignd in time, obtain multiple sequential sides channel signal;
Obtained multiple sequential sides channel signal is subjected to mean value calculation to obtain reference data sequential side channel signal;
Calculate the variance yields of resulting reference data sequential side channel signal and according to variance yields threshold value;
Multiple sequential sides channel signal is compared with reference data sequential side channel signal respectively, to determine multiple sequential sides The difference of each sequential side channel signal and reference data sequential side channel signal in channel signal;
The absolute value of the difference and threshold value are contrasted, determine pending invalid command;And
The sequential side channel signal of pending invalid command and reference data sequential side channel signal are subjected to waveform comparison, really The fixed pending invalid command whether be disguise as invalid command hiding back door.
2. according to the method for claim 1, wherein the multiple side channel signals gathered are carried out aliging it in time Before, low-pass filtering treatment is carried out to multiple side channel signals, to remove noise.
3. according to the method for claim 1, wherein described carry out average value meter by obtained multiple sequential sides channel signal Calculate using obtain reference data sequential side channel signal as:Value of multiple sequential sides channel signal in same time point is averaged Value is calculated to obtain the average value of Each point in time, and the average value of Each point in time then is formed into reference data sequential side channel Signal.
4. according to the method for claim 1, multiple sequential sides channel signal is believed with reference data sequential side channel respectively Number it is compared, to determine that each sequential side channel signal is believed with reference data sequential side channel in the channel signal of multiple sequential sides Number difference be:Determine each sequential side channel signal and reference data sequential side channel signal in the channel signal of multiple sequential sides The absolute value of difference on same time point, so that it is determined that each sequential side channel signal and reference data sequential side channel signal Difference curve.
5. according to the method for claim 4, wherein the absolute value of the difference and threshold value are contrasted, determine pending Invalid command include:By in difference curve value a little compared with threshold value, when the value at any point is more than threshold value, Invalid command corresponding to the side channel signal is defined as pending invalid command.
6. according to the method for claim 1, wherein by the sequential side channel signal of pending invalid command and with reference to base Punctual sequence side channel signal carries out waveform comparison, determines whether the pending invalid command is to hide back door to include:If The beginning part and latter end of the sequential side channel signal of pending invalid command respectively with reference data sequential side channel The beginning part of signal is consistent with latter end, but is moved after sequential being present in center section, it is determined that pending nothing is gone all out to do one's duty regardless of personal danger Make the hiding back door for disguise as invalid command.
7. a kind of system that the hiding back door of disguise as invalid command in embedded system is determined by side channel signal, including:
Signal gathering unit, the multiple side channel signals of multiple invalid commands in the process of implementation are gathered, one of nothing is gone all out to do one's duty regardless of personal danger The corresponding side channel signal of order;
Signal alignment unit, the multiple side channel signals gathered are alignd in time, obtain multiple sequential sides channel Signal;
Equal value cell is calculated, obtained multiple sequential sides channel signal is subjected to mean value calculation to obtain reference data sequential side Channel signal;
Threshold value determination unit, the variance yields of the reference data sequential side channel signal obtained by calculating simultaneously determine threshold according to variance yields Value;
Difference unit is calculated, multiple sequential sides channel signal is compared with reference data sequential side channel signal respectively, with Determine the difference of each sequential side channel signal and reference data sequential side channel signal in the channel signal of multiple sequential sides;
Threshold decision unit, the absolute value of the difference and threshold value are contrasted, determine pending invalid command;And
As a result judging unit, the sequential side channel signal of pending invalid command and reference data sequential side channel signal are entered Row compare, determine the pending invalid command whether be disguise as invalid command hiding back door.
8. system according to claim 7, in addition to low pass filtered is made an uproar unit, and multiple side channel signals are carried out into LPF Processing, to remove noise.
9. system according to claim 7, wherein calculating the multiple sequential sides channel signal that will be obtained described in equal value cell Carry out mean value calculation using obtain reference data sequential side channel signal as:By multiple sequential sides channel signal in same time point Value carry out mean value calculation to obtain the average value of Each point in time, the average value of Each point in time composition is then referred into base Punctual sequence side channel signal.
10. system according to claim 7, difference unit is calculated by multiple sequential sides channel signal respectively and reference data Sequential side channel signal is compared, to determine each sequential side channel signal and reference data in the channel signal of multiple sequential sides The difference of sequential side channel signal is:When determining that each sequential side channel signal is with reference data in the channel signal of multiple sequential sides The absolute value of sequence side channel signal difference on same time point, so that it is determined that when each sequential side channel signal is with reference data The difference curve of sequence side channel signal.
11. system according to claim 10, wherein threshold decision unit carry out the absolute value of the difference and threshold value Contrast, determines that pending invalid command includes:By in difference curve value a little compared with threshold value, work as any point Value when being more than threshold value, invalid command corresponding to the side channel signal is defined as pending invalid command.
12. system according to claim 7, wherein result judging unit are by the sequential side channel of pending invalid command Signal and reference data sequential side channel signal carry out waveform comparison, determine whether the pending invalid command is after hiding Door includes:If the beginning part and latter end of the sequential side channel signal of pending invalid command be not with reference data The beginning part of sequence side channel signal is consistent with ending, but is moved after sequential being present in center section, it is determined that pending Invalid command be disguise as invalid command hiding back door.
CN201610786385.8A 2016-08-30 2016-08-30 Method and system for determining hidden back door in embedded system through side channel signal Active CN107798237B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610786385.8A CN107798237B (en) 2016-08-30 2016-08-30 Method and system for determining hidden back door in embedded system through side channel signal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610786385.8A CN107798237B (en) 2016-08-30 2016-08-30 Method and system for determining hidden back door in embedded system through side channel signal

Publications (2)

Publication Number Publication Date
CN107798237A true CN107798237A (en) 2018-03-13
CN107798237B CN107798237B (en) 2021-06-11

Family

ID=61528469

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610786385.8A Active CN107798237B (en) 2016-08-30 2016-08-30 Method and system for determining hidden back door in embedded system through side channel signal

Country Status (1)

Country Link
CN (1) CN107798237B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103488941A (en) * 2013-09-18 2014-01-01 工业和信息化部电子第五研究所 Hardware Trojan horse detection method and hardware Trojan horse detection system
US8750065B2 (en) * 2011-06-28 2014-06-10 Rochester Institute Of Technology Thermal management apparatuses with temperature sensing resistive random access memory devices and methods thereof
CN103888244A (en) * 2014-04-17 2014-06-25 武汉大学 Embedded-platform-oriented side channel analysis system and method
CN104950246A (en) * 2015-06-11 2015-09-30 工业和信息化部电子第五研究所 Hardware trojan detection method and system based on time delay

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8750065B2 (en) * 2011-06-28 2014-06-10 Rochester Institute Of Technology Thermal management apparatuses with temperature sensing resistive random access memory devices and methods thereof
CN103488941A (en) * 2013-09-18 2014-01-01 工业和信息化部电子第五研究所 Hardware Trojan horse detection method and hardware Trojan horse detection system
CN103888244A (en) * 2014-04-17 2014-06-25 武汉大学 Embedded-platform-oriented side channel analysis system and method
CN104950246A (en) * 2015-06-11 2015-09-30 工业和信息化部电子第五研究所 Hardware trojan detection method and system based on time delay

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
冯紫竹: ""基于侧信道分析的硬件木马检测平台设计"", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
刘长龙: ""基于侧信道分析的硬件木马检测技术研究"", 《中国博士学位论文全文数据库 信息科技辑》 *

Also Published As

Publication number Publication date
CN107798237B (en) 2021-06-11

Similar Documents

Publication Publication Date Title
CN109302380B (en) Intelligent decision-making method and system for linkage defense strategy of safety protection equipment
EP2069993B1 (en) Security system and method for detecting intrusion in a computerized system
CN110602042B (en) APT attack behavior analysis and detection method and device based on cascade attack chain model
Hunton The stages of cybercrime investigations: Bridging the gap between technology examination and law enforcement investigation
Ahmed et al. Detecting Computer Intrusions Using Behavioral Biometrics.
CN104732157B (en) A kind of application hides, deployment method and device
KR101442691B1 (en) Apparatus and method for quantifying vulnerability of system
US20140359766A1 (en) Method and system for prevention of windowless screen capture
EP2448211A1 (en) Method, system and equipment for detecting botnets
WO2016045225A1 (en) Password fault tolerance method based on mouse behaviour
CN103136476A (en) Mobile intelligent terminal malicious software analysis system
CN104182695B (en) The system and method guaranteeing the confidentiality of information used by authentication vs. authorization during the operation
CN111368302B (en) Automatic threat detection method based on attacker attack strategy generation
CN104618353A (en) Computer security network
CN106502529A (en) A kind of terminal is double to open application changing method and its device
CN103353930B (en) A kind of method and apparatus of preventing infectious virus infection
CN114357459A (en) Information security detection method for block chain system
CN105915536A (en) Attack behavior real-time tracking and analysis method for cyber range
Gudimetla MULTI-FACTOR AUTHENTICATION FOR CLOUD
CN107798237A (en) It is a kind of to determine to hide the method and system at back door in embedded system by side channel signal
Choo et al. Internet-and cloud-of-things cybersecurity research challenges and advances
CN106407760B (en) User terminal and application program hiding method
CN108055242A (en) A kind of mobile target system of defense under variation environment
TW201626281A (en) Method for authenticating information system
CN106611113A (en) Security environment construction method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant