Implementation of Disassembler on Microcontroller Using Side-Channel Power Consumption Leakage

Abstract

With the development of 5G and network technology, the usage of IoT devices has become popular. Because most of these IoT devices can be controlled by an adversary away from the administrator, several security issues such as firmware dumping can arise. Firmware dumping is the cornerstone or goal of many types of hardware hacking. Therefore, many IoT device manufacturers adopt some protection mechanisms such as the restriction of hardware debuggers. However, several recent studies have shown that the operating instructions of an IoT device can be recovered through the profiling-based side-channel analysis. The Side-Channel-Based Disassembler (SCBD) refers to software that recovers instructions of the device only from the side-channel signal. The SCBD is powerful enough to defeat many firmware protection mechanisms. In this paper, we show how an adversary can build an instruction (opcode)-level disassembler using the power consumption signal of commercial microcontrollers (MCUs) such as the 8-bit ATxmega128 and 32-bit STM32F0. To implement the SCBD, we elaborately constructed the instruction template considering the pipeline of the target MCUs through instruction sequence analysis. Furthermore, we preprocessed the side-channel signals using the Continuous Wavelet Transform (CWT) for noise reduction and Kullback-Leibler Divergence (KLD) for instruction feature extraction. Our experimental results show that the machine-learning-based instruction disassembling models can recover the operating instructions with an accuracy of about 91.9% and 98.6% for the ATxmega128 and STM32F0, respectively. Furthermore, we achieved an accuracy of 77% and 96.5% in a cross-board validation.