diff --git a/procver/ACNS/acronyms.tex b/procver/ACNS/acronyms.tex index a108c2b..1e27e09 100644 --- a/procver/ACNS/acronyms.tex +++ b/procver/ACNS/acronyms.tex @@ -2,13 +2,20 @@ short={IDS}, long={Intrusion Detection System} } - \DeclareAcronym{hids}{ short={HIDS}, long={Host-Based Intrusion Detection System} } - \DeclareAcronym{os}{ short={OS}, long={Operating System} } +\DeclareAcronym{sci}{ + short={SCI}, + long={Side-Channel Information} +} +\DeclareAcronym{cpu}{ + short={CPU}, + long={Central Processing Unit} +} + diff --git a/procver/ACNS/main.tex b/procver/ACNS/main.tex index 4c71666..5806c33 100644 --- a/procver/ACNS/main.tex +++ b/procver/ACNS/main.tex 
@@ -104,9 +104,35 @@ For the purpose of this study, we do not differentiate between Unix-based OSs an Of course, many methods have been proposed and implemented to detect or counter process list tampering. These methods --- although they leverage different mechanisms --- are all host-based. This create a circular dependency where the \ac{ids} rely on the host system to provide the very information leveraged to assess its integrity. -As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide adequate protection. +In this situation, an attacker that succesfully compromises a machine can employ evasion technics that manipulate the data used for detection. +As rootkis providing process hiding remained a threat since their introduction, it is safe to assume that current countermesures --- and future ones based on similar technics --- do not provide complete protection. % is it a bird? is it a plane? No its the good old power consumption! +One possible alternate method for detecting process list manipulation is using a secondary source of information to corroborate the process list. +To avoid bypass, the secondary source must be independent from the \ac{os} and not require its cooperation to enable protection. +However, the source must also provide information correlated with process presence and activity on the machine. + +\ac{sci} are compeling as the secondary source. +As involuntary emissions, they are intrisecely independent from the origin system. +No communication is required with the system to access these information. +As physical by-product of the computation, they are hard to forge from an attacker point of view. +A program can somewhat controle its computation intensity but it is difficult to precisely controle the generated emission and impossible to fully supress them. 
+If the attacker wish to perform any computation on the compromised machine, it will result in some form of physical emission. +The most common \ac{sci} leveraged for attack or defense is energy consumption. +Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system. +Of course, there are drawbacks to using power consumption as a source of information. +First, the raw power consumption of a machine is not an actionable piece of information. +A step of information mining --- for example pattern recognition, anomaly detection, or even a simple thresholding --- is always required to take a decision. +Then, measuring true independent power consumption data require additional hardware. +Although software estimations of power consumption are available, they bear the same issue as other host-based source of information. +Finaly, the power consumption of a mchine only ontains a small subset of all information related to processes activity. +A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds. +Each intruction triggers multiple consumptions patterns acrosses multiple components of the system. +Although --- in theory --- the power consumption is a sum of all these sub-consumptions, the reality of measurement --- in terms of resolution, accuracy, and sampling rate --- make single-instruction measurement unrealistic at a global scale of the \ac{cpu}. + +Taking all these limitations into account, the power consumption of a machine --- and more specifically the global power consuption of its \ac{cpu} --- is a valuable complementary source of information. +The correlation between a list of processes and the power consumption can enable the detection of process list tampering, evidence of malware activity. + % Thank you king of sweden. No it was nothing you are welcome. Ok get home safe now. Byeeee.
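Review bot: in the acronyms.tex hunk the new `sci` entry expands to "Side-Channel Information", but the main.tex hunk uses it as a plural noun (`\ac{sci} are compeling as the secondary source`), so the first use will render as "Side-Channel Information (SCI) are compelling"; either reword those sentences to the singular ("is compelling") or give the entry a plural form (acro supports `short-plural` and `long-plural` keys) and call it with `\acp{sci}`. A style point: the hunk removes the blank lines that separated the `hids` and `os` declarations from their neighbours yet leaves a trailing blank line after the new `cpu` entry, so spacing in the file ends up inconsistent; keep one convention throughout.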
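Review bot: the main.tex hunk has two sentences that do not hold up as written. `+Due to its ease of capture, high reliability, large range of application, and good informative potential about the activity of the system.` is a fragment and should be joined to the preceding sentence about energy consumption. `+A \ac{cpu} are capable or hundreds to thousands of millions operations per seconds.` is ungrammatical and vague; state the order of magnitude plainly (for example "a CPU executes on the order of billions of instructions per second"), since the paragraph's argument that single-instruction resolution is unrealistic rests on it. The added lines also carry a large number of typos that should be fixed before this goes out: "succesfully", "technics" (techniques), "rootkis", "countermesures", "compeling", "intrisecely", "controle", "supress", "Finaly", "mchine", "ontains", "intruction", "acrosses", "consuption", "these information" (this information), "an attacker ... point of view" (an attacker's point of view), and "the reality of measurement ... make" (makes). Finally, the hunk changes the earlier claim from "adequate" to "complete" protection and then adds `+In this situation, an attacker that succesfully compromises a machine can employ evasion technics`; that sentence explains why host-based detection can be bypassed, so it reads better placed before the "circular dependency" sentence it motivates rather than after the conclusion drawn from it.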