Toward an RF side-channel reverse engineering tool

2020 
Digital technology advances quickly. New versions of both processors and software are released on a timescale of months, and each modification brings the potential for new security threats. We investigate here the use of RF side-channel collection and a machine learning-based classifier for a general-purpose reverse-engineering tool. Ideally, such a tool would enable a user to learn as much as possible about the device under test (DUT) with minimal interaction with that DUT. Furthermore, to enable rapid updates, training of the tool to classify new hardware and software should not require detailed knowledge of the new DUT. We demonstrate identification of various processes running on an Intel Atom single-core processor using RF side-channel analysis and machine learning. One classifier was able to distinguish among BIOS, Windows 10, and Ubuntu Linux, and another among Ubuntu Linux 16.04, 18.04, and 20.04. A classifier was built that can detect processes running in the background on Windows or Linux, including a web browser and word processor on each. Finally, a classifier was built that detects when the WannaCry ransomware is operating. For all of these capabilities, for both training and testing, collection of RF leakage was done with minimal interaction with the DUT; the DUT was booted and the probe was placed by hand near the CPU to collect the RF side-channel leakage asynchronously and without a trigger. Performance was above 99.9% with a fixed probe position, and above 99% for a probe that was placed for each measurement. We describe the application of 1D deep convolutional neural networks inspired by natural language processing algorithms to the RF data, and how very high performance classification of even very subtle RF signatures can be achieved.