Intrusion Detection for Embedded System Security

Posted on: 2015-10-31
Degree: Ph.D
Type: Thesis
University: University of California, Irvine
Candidate: Rahmatian, Mehryar
Full Text: PDF
GTID: 2478390017491196
Subject: Computer Science
Abstract/Summary:
Reports in the cyber-security field consistently describe an ever-increasing number of security attacks. Not only is the complexity of cyber-attacks growing on a daily basis, but the attacks are also spreading rapidly everywhere. This growth demands proper defense mechanisms. Intrusion detection systems have a crucial role in detecting and disrupting attacks before they can compromise a system. This thesis presents two intrusion detection approaches that detect anomalous malware behavior at runtime. Most techniques rely on software-based analysis, which is too slow to support the tight timing constraints regularly imposed on embedded systems.

In the first technique, we propose a hardware-based intrusion detection approach that does not alter the functional performance of the system. One limitation of software-based approaches to intrusion detection is the time lag between the execution of an attack and its detection. This can be a severe hindrance for intrusion detection that compares system behavior to the known-correct behavior of the process that is currently executing. When using a real-time operating system, the executing process changes multiple times each second, requiring fast adaptation on the intrusion detection side. Our hardware-based approach can address the performance constraint of a real-time operating system by enabling fast detection through hardware. A traditional limitation of hardware-based systems, however, is their lack of flexibility, since their behavior is generally fixed at the time of manufacture.

In the second technique, we present a method to exploit the partial runtime reconfiguration feature present on many modern field programmable gate arrays (FPGAs) to adapt intrusion detection to a new process at each context switch. The reconfiguration process is triggered by a context switch in the operating system, and the reconfiguration time can be masked by the context switching overhead. The use of runtime reconfiguration combines the flexibility of software-based approaches with the performance benefits of hardware-based approaches.

Finally, we present a novel technique to securely verify the state of remote peripherals connected to the system on chip. This process, known as remote attestation, can happen either statically (at boot time) or dynamically (at run time). We use Physically Unclonable Functions (PUFs) to remotely attest and evaluate the identity of peripheral devices. In contrast to existing attestation schemes, our solution is very simple to implement while practically impossible to duplicate due to the uniqueness of PUFs. Our attestation technique efficiently resists many of today's security threats, such as I/O or collision attacks.
Keywords/Search Tags:Intrusion detection, System, Attacks, Technique