Multimodal Instruction Disassembly with Covariate Shift Adaptation and Real-time Implementation

Yunkai Bai, Jungmin Park, Domenic Forte

TL;DR

This work tackles real-time, non-invasive disassembly from side-channel traces by introducing a compact dual-channel platform (RASCv3) that simultaneously captures power and EM signals. It marries mutual-information-based feature fusion with minimum-redundancy feature selection (mRMR) and a covariate-shift minimization scheme implemented on a resource-constrained FPGA to achieve real-time classification of ARM/AVR instructions, demonstrated on six benchmarks with an 8-bit Arduino UNO. Key contributions include a formal MI-driven dual-channel fusion framework, a self-enhancing QDA-based classifier for non-stationary environments, and a practical real-time pipeline that outperforms single-channel approaches while maintaining feasibility on low-cost hardware. The results show offline accuracy near 90% and real-time accuracy around 80%, with notable improvements over time, and they discuss challenges and directions for extending to more complex targets and DVFS scenarios, highlighting significant implications for malware detection and OT monitoring. Overall, the approach provides a scalable path to in-situ, real-time side-channel disassembly using multimodal signals and adaptive classification on compact hardware.

Abstract

Side-channel based instruction disassembly has been proposed as a low-cost and non-invasive approach for security applications such as IP infringement detection, code flow analysis, malware detection, and reconstructing unknown code from obsolete systems. However, existing approaches to side-channel based disassembly rely on setups to collect and process side-channel traces that make them impractical for real-time applications. In addition, they rely on fixed classifiers that cannot adapt to statistical deviations in side-channels caused by different operating environments. In this article, we advance the state of the art in side-channel based disassembly in multiple ways. First, we introduce a new miniature platform, RASCv3, that can simultaneously collect power and EM measurements from a target device and subsequently process them for instruction disassembly in real time. Second, we devise a new approach to combine and select features from power and EM traces using information theory that improves classification accuracy and avoids the curse of dimensionality. Third, we explore covariate shift adjustment techniques that further improve accuracy over time and in response to statistical changes. The proposed methodology is demonstrated on six benchmarks, and the recognition rates of offline and real-time instruction disassemblers are compared for single- and multi-modal cases with a variety of classifiers and over time. Since the proposed approach is only applied to an 8-bit Arduino UNO, we also discuss challenges of extending to more complex targets.

Paper Structure

This paper contains 38 sections, 27 equations, 13 figures, 14 tables.

Figures (13)

  • Figure 1: High-level diagram of the proposed methodology. (a) Feature Selection Phase: The goal in this phase is to identify the optimal combination of feature selection methods (including coefficients and indices) and classification algorithms. Initially, EM and power traces (red and blue, respectively) are collected from the target board. Different channel configurations are then evaluated, including power only, EM only, and linearly combined EM and power using mutual information. Five feature selection methods are considered: PCA, mRMR, Gini index and Filter selection. Following feature selection, deep learning and machine learning classifiers (LDA, QDA, and MLP) are employed to disassemble the instructions. By the end of this phase, the combination of EM/Power traces, mRMR feature selection, and a QDA classifier is selected for real-time disassembly; (b) Real-Time Disassembly Phase: This phase aims to perform SCD in real-time. The dual-channel traces are collected and combined using the mRMR method. To reduce the impact of environmental changes on results, the classifiers are fine-tuned using covariate shift minimization. Once the adjustments are completed, the subsequent combined test traces are fed into QDA classifiers to obtain disassembly outcomes.
  • Figure 2: (a) Instructions in the pipeline during clock cycles $i-1$, $i$, and $i+1$; (b) Example template used to train a classifier for the add instruction.
  • Figure 3: Mutual information between (a) EM and class label; (b) power and class label.
  • Figure 4: Combined 1st feature's linear coefficient $\alpha$ vs. mutual information and $\dot{o}$.
  • Figure 5: (a) Depiction of RASC in the field.
  • ...and 8 more figures
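
The Figure 1 and Figure 4 captions describe linearly combining EM and power with a coefficient $\alpha$ chosen by mutual information with the class label. The sketch below is an added illustration, not code from the paper: it sweeps $\alpha$ for one fused feature and estimates the mutual information with a histogram. The Gaussian traces, noise levels, bin count, grid sweep and all function names are assumptions constructed for the example; the paper's own estimator and search may differ.

```python
import math
import random
from collections import Counter

def mutual_information(values, labels, bins=16):
    """Histogram estimate of I(feature; label) in bits."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0
    binned = [min(int((v - lo) / width), bins - 1) for v in values]
    n = len(values)
    joint = Counter(zip(binned, labels))
    p_bin = Counter(binned)
    p_lab = Counter(labels)
    return sum((c / n) * math.log2(c * n / (p_bin[b] * p_lab[y]))
               for (b, y), c in joint.items())

def make_traces(n_per_class=4000, seed=7):
    """Constructed data: one EM and one power sample point per trace,
    two instruction classes, independent Gaussian noise per channel."""
    rng = random.Random(seed)
    em, power, labels = [], [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            em.append(rng.gauss(float(label), 0.8))     # EM: less noisy (assumed)
            power.append(rng.gauss(float(label), 1.2))  # power: noisier (assumed)
            labels.append(label)
    return em, power, labels

def sweep_alpha(em, power, labels, steps=10):
    """MI of alpha*EM + (1-alpha)*power for alpha on a grid in [0, 1]."""
    results = {}
    for i in range(steps + 1):
        alpha = i / steps
        fused = [alpha * e + (1 - alpha) * p for e, p in zip(em, power)]
        results[alpha] = mutual_information(fused, labels)
    return results

def best_alpha(results):
    """Grid point whose fused feature shares the most information with the label."""
    return max(results, key=results.get)

if __name__ == "__main__":
    em, power, labels = make_traces()
    res = sweep_alpha(em, power, labels)
    for alpha, mi in res.items():
        print(f"alpha={alpha:.1f}  MI={mi:.3f} bits")
    print("best alpha:", best_alpha(res))
```

With independent noise on the two channels, the fused feature carries more information about the label than either channel alone, and the best coefficient leans toward the less noisy channel.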