Maya: Falsifying Power Sidechannels with Dynamic Control
Authors: Raghavendra Pradyumna Pothukuchi, Sweta Yamini Pothukuchi, Petros Voulgaris, Alexander Schwing, Josep Torrellas
Raghavendra Pradyumna Pothukuchi, Sweta Yamini Pothukuchi, Petros Voulgaris, Alexander Schwing, Josep Torrellas
University of Illinois at Urbana-Champaign

Abstract

The security of computers is at risk because of information leaking through physical outputs such as power, temperature, or electromagnetic (EM) emissions. Attackers can use advanced signal measurement and analysis to recover sensitive data from these sidechannels.

To address this problem, this paper presents Maya, a simple and effective solution against power side-channels. The idea is to re-shape the power dissipated by an application in an application-transparent manner using control theory techniques, preventing attackers from learning any information. With control theory, a controller can reliably keep power close to a desired target value even when runtime conditions change unpredictably. Then, by changing these targets intelligently, power can be made to appear in any desired form, appearing to carry activity information which, in reality, is unrelated to the application. Maya can be implemented in privileged software or in simple hardware. In this paper, we implement Maya on two multiprocessor machines using Operating System (OS) threads, and show its effectiveness and ease of deployment.

1 Introduction

There is an urgent need to secure computer systems against the growing number of cyberattack surfaces. An important class of these attacks is that which utilizes the physical outputs of a system, such as its power, temperature or electromagnetic (EM) emissions. These outputs are correlated with system activity and can be exploited by attackers to recover sensitive information [24, 26, 31, 49, 56]. Many computing systems ranging from mobile devices to multicore servers in the cloud are vulnerable to physical side channel attacks [26, 28, 31, 49, 51, 55].
With advanced signal measurement and analysis, attackers can identify many details like keystrokes, password lengths [49], personal data like location, browser and camera activity [26, 31, 51], and the bits of encryption keys [24].

Many defenses against physical sidechannels have been proposed which aim to keep the physical signals constant or noisy [7, 14, 24, 38, 42, 52, 53]. However, all these techniques require new hardware and, hence, existing systems in the field are left vulnerable. Trusted execution environments like Intel SGX [30] or ARM TrustZone [6] cannot "contain" physical signals and are ineffective at stopping information leaking through them [10, 12, 28].

To address this problem, we seek a solution that is simple to implement and is effective against power side-channels. The idea is to rely on privileged software or simple hardware to distort, in an application-transparent manner, the power dissipated by an application, so that the attacker cannot glean any information. Obfuscating power also removes leakage through temperature and EM signals, since they are directly related to the computer's power [12, 13, 28]. Such a defense can prevent exploits that analyze application behavior at the scale of several milliseconds or longer, such as those that infer what applications are running, what data is used in the camera or browser, or what keystrokes occur [26, 49].

A first challenge in building an easily deployable power-shaping defense is the lack of configurable system inputs that can effectively change power. Dynamic Voltage and Frequency Scaling (DVFS) is an input supported by nearly all mainstream processors [4, 5, 9, 36, 37, 43]. However, DVFS levels are only a few, and the achievable range of power values depends on the application: compute-intensive phases have higher values of power and show bigger changes with DVFS, while it is the opposite for memory-bound applications.
Injecting idle cycles in the system [25, 44] is another technique, but it can only reduce power and not increase it.

The second and more important challenge is to develop an algorithm that reshapes power to effectively eliminate any information leakage. This is hard because applications vary widely in their activity profile and in how they respond to system inputs. Attempts to maintain constant power, insert noise into power signals, or simply randomize DVFS levels have been unsuccessful [26, 35, 55]. These techniques only tend to add noise, but do not mask application activity [35, 55].

In this work, we propose Maya, a defense architecture that intelligently re-shapes a computer's power in an application-transparent manner, so that the attacker cannot extract application information. To achieve this, Maya uses a Multiple Input Multiple Output (MIMO) controller from control theory [41]. This controller can reliably keep power close to a target power level even when runtime conditions change unpredictably. By changing these targets intelligently, power can be made to appear in any desired form, appearing to carry activity information which, in fact, is unrelated to the application. Maya can be implemented in privileged software or in simple hardware. In this paper, we implement Maya on two multicore machines using OS threads.

The contributions of this work are:

1. Maya, a new defense system against power side-channels through power re-shaping.
2. An implementation of Maya using only privileged software. To the best of our knowledge, this is the first software defense against power side-channels that is application-transparent.
3. The first application of MIMO control theory to side-channel defense.
4. An analysis of power-shaping properties necessary to mask information leakage.
5. An evaluation of Maya using machine learning-based attacks on two different real machines.
2 Background

2.1 Physical Side-Channels

Physical side-channels such as power, temperature, and electromagnetic (EM) emissions carry significant information about the execution. For example, these side channels have been used to infer the characters typed by a smartphone user [26], to identify the running application, login requests, and the length of passwords on a commodity smartphone [49], and even to recover the full encryption key from a cryptosystem [23].

All power analysis attacks rely on the principle that the dynamic power of a computing system is directly proportional to the switching activity of the hardware. Since this activity varies across instructions, groups of instructions, and application tasks, they all leave distinct power traces [26, 40, 45, 49]. By analyzing these power traces, many details about the execution can be deduced. Temperature and EM emissions are also directly related to a computer's power consumption, and the techniques to analyze them are similar [12, 13, 28].

Physical side-channels can be sensed through special measurement devices [24], unprivileged hardware and OS counters [1, 37], public amenities like USB charging stations [51], malicious smart batteries [26], or remote antennas that measure EM emissions [16, 17]. In cloud systems, an application can use the thermal coupling between cores to infer the temperature profile of a co-located application [28].

After measuring the signals, attackers search for patterns in the signal over time, like phase behavior and peak locations, and in its frequency spectrum after a Fourier transform. This can be done through Simple Power Analysis (SPA), which uses a single trace [16, 26, 49], or Differential Power Analysis (DPA), which examines the statistical differences between thousands of traces [24, 55].

The timescale over which the signals are analyzed is determined by the information that attackers seek.
For cryptographic keys, it is necessary to record and analyze signals over a few microseconds or faster [24]. For higher-level information like the details of the running applications, keystrokes, browser data, and personal information, signals are analyzed over timescales of milliseconds or more [26, 49, 51]. The latter are the timescales that this paper focuses on.

2.2 Control Theory Techniques

Using control theory [41], we can design a controller K that manages a system S (i.e., a computer) as shown in Figure 1. The system has outputs y (e.g., the power consumed) and configurable inputs u (e.g., the DVFS level). The outputs must be kept close to the output targets r. The controller reads the deviations of the outputs from their targets ($\Delta y = r - y$), and sets the inputs.

[Figure 1. Control loop: the controller K reads the output deviations $\Delta y = r - y$ between the output targets r and the outputs y of the system S, and sets the system inputs u.]

The controller is a state machine characterized by a state vector, $x(T)$, which evolves over time T. It advances its state to $x(T+1)$ and generates the system inputs $u(T)$ by reading the output deviations $\Delta y(T)$:

$$x(T+1) = A \times x(T) + B \times \Delta y(T)$$
$$u(T) = C \times x(T) + D \times \Delta y(T)$$
$$x(0) = 0 \qquad (1)$$

where A, B, C, and D are matrices that encode the controller. The most useful controllers are those that actuate on Multiple Inputs and sense Multiple Outputs (MIMO) at the same time.

Designers can specify multiple parameters in the control system [41].
They include the maximum bounds on the deviations of the outputs from their targets, the differences from design conditions or unmodeled effects that the controller must be tolerant to (i.e., the uncertainty guardband), and the relative priority of changing the different inputs, if there is a choice (i.e., the input weights). With these parameters, controller design is automated [18].

3 Threat Model

We assume that attackers try to compromise the victim's security through power measurements. They measure power using off-the-shelf sensors present in the victim machine, like hardware counters or OS APIs [1, 37]. Such sensors are only reliable at the time granularity of several milliseconds. Attackers could use alternative measurement strategies at this timescale, like malicious USB charging booths [51], compromised batteries [26], thermal measurements [28], or cheap power meters when physical access is possible [47].

We exclude power analysis attacks that search for patterns at a fine time granularity with special hardware support such as oscilloscopes [23] or antennas [16, 17]. While such attacks are powerful enough to attack cryptographic algorithms [24], they are harder to mount and need more expensive equipment. Even with fine-grain measurement, information about events like keystrokes can be analyzed only at the millisecond timescale [26, 49].

We assume that attackers can know the algorithm used by Maya to reshape the computer's power. They can run the algorithm and see its impact on the time-domain and frequency-domain behavior of applications. Using these observations, they can develop machine learning models to adapt to the defense and try to defeat it.

Finally, we assume that the hardware or privileged software that implements the control system to reshape the power trace is uncompromised. In a software implementation, the OS scheduler and DVFS interfaces are assumed to be uncompromised.
4 Falsifying Power Side-channels with Control

We propose that a computer system defend itself against power side-channel attacks by distorting its pattern of power consumption. Unfortunately, this is hard to perform successfully. Simple distortions like adding noise to power signals can be removed by attackers using signal processing techniques. This is especially the case if, as we assume in this paper, the attacker knows the general algorithm that the defense uses to distort the signal. Indeed, past approaches have been unable to provide a solution to this problem. In this paper, we propose a new approach. In the following, we describe the rationale behind the approach, present the high-level architecture, and discuss how to generate the distortion to falsify information leakage through power signals.

4.1 Why Use Control Theory Techniques?

To understand why control theory techniques are necessary for shaping power, consider the following scenario. We measure the power consumed by an application at fixed timesteps to record a trace, as shown in Figure 2a. To prevent information leakage, we must distort the power trace into a different, uncorrelated shape. Assume that the system has a mechanism to increase the power consumed, and another to reduce it. In this paper, these mechanisms are the ability to run a Balloon thread and an idle thread, respectively, for a chosen amount of time. A balloon thread is one that performs power-consuming operations (e.g., floating-point operations) in a tight loop, and an idle thread forces the processor into an idle state.

[Figure 2. Example of the power trace for an application: (a) the original trace $p_0, p_1, p_2, p_3$ over time, and (b) the distorted trace $p'_1, p'_2, p'_3$ produced by the simplistic scheduler, plotted against the constant target level P.]

One way to mislead the attacker is to keep the power consumption at another level P (Figure 2b). To achieve this, we can measure the difference between P and the actual power $p_i$ at each timestep and schedule a balloon thread if $P - p_i > 0$ or an idle thread otherwise. Unfortunately, this approach is too simplistic to be effective. First, it ignores how the application's power changes intrinsically. Second, achieving the power P with this application may require a combination of both the idle and balloon threads. When only a balloon thread is scheduled at the 0th timestep based on $P - p_0$, the power in the 1st timestep would be $p'_1$ rather than our target P. If this poor control algorithm is repeatedly applied, it will always miss the target and we obtain the trace in Figure 2b, where the measured power is not close to the target and, in addition, retains enough features of the original trace to leak information.

An approach with control theory is able to get much closer to the target power level. This is because the controller makes more informed power changes at every interval and can set multiple inputs for accurate control. To understand why, we rephrase the equations of controller operation (Equation 1) slightly:

$$State(T+1) = A \times State(T) + B \times Error(T)$$
$$Action(T) = C \times State(T) + D \times Error(T) \qquad (2)$$

The second equation shows that the action taken at time T (in our case, scheduling the balloon and idle threads) is a function of the tracking error observed at time T (in our case, $P - p_0$) and the controller's state. The state is a summary of the controller's experience in regulating the application. The new state used in the next timestep is determined by the current state and error, serving as an "accumulated experience" to smoothly and quickly reach the target.

Further, the controller's actions and state evolution are influenced by the matrices A, B, C, and D, which were generated when the controller was designed.
This design includes running a training set of applications while scheduling the balloon and idle threads and measuring the resulting power changes. Consequently, these matrices embed the intrinsic behavior of the applications under these conditions. Overall, with a control theory controller the measured power trace will be much closer to the target signal. If the target signal is chosen appropriately, the attacker can no longer recover the application information.

4.2 High-Level Architecture

The high-level architecture of a system that uses control theory techniques to reshape the power trace of a computer system is shown in Figure 3. It is composed of a Mask Generator and a Controller. The Mask Generator decides what the target power should be at each time, so that it can mislead any attacker. It continuously communicates its target power to the controller. In the example of Section 4.1, the Mask Generator would pass the constant value P to the controller. Section 4.3 discusses more advanced cases that involve passing a time-varying function.

[Figure 3. High-level architecture of a system that falsifies the power trace of an application: the Mask Generator passes the target power to the Controller, which reads the power sensors and actuates on the DVFS level, the balloon level and the idle level of the computer system (OS with sensor drivers, input drivers and elastic applications, running on the hardware).]

The controller reads this target and the actual power consumed by the computer system, as given by power sensors. Then, based on its current state, it actuates on various inputs of the computer system, which will bring the power close to the target power.
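A worked illustration of the Section 4.1 comparison, as an added example that is not the paper's controller: a constructed first-order plant in which one signed input u in [-1, 1] stands for the balloon share (positive) or idle share (negative), the naive "balloon if P - p > 0, else idle" scheduler, and an Equation 2 controller reduced to a single integrator state (a PI law) with assumed gains A, B, C, D. The plant lag, the 8 W balloon/idle gain, the 20 ms step and the two-phase application trace are all assumptions; the paper's actual 11-state MIMO controller is synthesized from an identified model and is not reproduced here.

```python
"""Naive balloon/idle scheduling versus an Equation 2 state-space controller
on a constructed plant. All numbers are illustrative assumptions."""

TARGET_W = 15.0          # constant mask target P, as in Figure 2b
BALLOON_GAIN_W = 8.0     # assumed: u = +1 (100% balloon) adds 8 W at steady state,
                         #          u = -1 (full idle injection) removes 8 W
LAG = 0.7                # assumed first-order lag of measured power per 20 ms step


def app_power(t):
    """Constructed application trace: a 10 W phase, then an 18 W phase from t = 40."""
    return 10.0 if t < 40 else 18.0


def plant_step(p, u, t):
    """One step of the assumed plant: power relaxes toward app + gain * u."""
    return LAG * p + (1.0 - LAG) * (app_power(t) + BALLOON_GAIN_W * u)


def naive_controller(state, error):
    """Section 4.1 strawman: balloon if P - p > 0, otherwise idle; no memory."""
    return state, 1.0 if error > 0 else -1.0


# Equation 2 with a one-element state (an integrator), i.e. a PI law:
#   State(T+1) = A*State(T) + B*Error(T),  Action(T) = C*State(T) + D*Error(T)
A, B, C, D = 1.0, 1.0, 0.10, 0.25   # assumed gains; closed loop is stable for the plant above


def statespace_controller(state, error):
    action = C * state + D * error
    new_state = A * state + B * error
    return new_state, action


def simulate(controller, steps=80, target=TARGET_W):
    """Run the closed loop; returns the list of measured power values p(T)."""
    p, state, trace = app_power(0), 0.0, []
    for t in range(steps):
        error = target - p                      # Delta y = r - y
        state, u = controller(state, error)
        u = max(-1.0, min(1.0, u))              # actuators saturate at 100% balloon / full idle
        p = plant_step(p, u, t)
        trace.append(p)
    return trace


def mean_abs_error(trace, target=TARGET_W, last_n=20):
    """Average tracking error over the last `last_n` steps (after the phase change)."""
    tail = trace[-last_n:]
    return sum(abs(p - target) for p in tail) / len(tail)


if __name__ == "__main__":
    for name, ctrl in (("naive", naive_controller), ("state-space", statespace_controller)):
        print(f"{name:12s} MAE over last 20 steps: {mean_abs_error(simulate(ctrl)):.3f} W")
```

The naive scheduler never settles: it overshoots P, switches to idle, undershoots, and keeps cycling, so the measured trace still carries the application's phase change. The integrator state lets the state-space controller remember how much balloon or idle share the current phase needs and re-converge after the 10 W to 18 W change without being told about it.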
Some of the possible actuations are: changing the frequency and voltage of the computer system, and scheduling the balloon thread or the idle thread.

The space of power side-channel attack environments is broad, which calls for different architectures. Table 1 shows two representative environments, which we call Conventional and Specialized environments. The Conventional environment is one where the attacker extracts information through off-the-shelf sensors such as power counters or OS APIs [49]. Such sensors are typically reliable only at coarse measurement granularities, e.g., every 20 ms. Hence, we can use a typical matrix-based controller, like the one described in Section 2.2, which can respond in 5–10 µs. Given these timescales, the controller can actuate on parameters such as frequency or voltage, or schedule balloon or idle threads. Such controllers can be used to hide what application is running, or what keystroke is being pressed.

The Specialized environment is one where the attacker extracts information using specialized hardware devices, such as oscilloscopes. The sampling period can be in the tens of nanoseconds. In this case, the controller has to be very fast. Hence, it cannot use the matrix-based approach of Section 2.2. Instead, it has to rely on a table of pre-computed values. Its operation involves a table look-up that determines what action to take. This controller is implemented in hardware and has a response time of no more than around 10 ns. A possible design involves actuating on a hardware module that immediately inserts compute instructions into the ROB or pipeline bubbles to mislead any attacker. With such fast actuation, this type of defense can be used, for example, to hide the features of a cryptographic algorithm.

Table 1. Two types of power side-channel environments.

Characteristic           | Conventional                                                    | Specialized
Attacker's sensing       | Reads power sensors like counters                               | Uses devices like oscilloscopes
Sensing rate             | ≈ 20 ms                                                         | < 50 ns
Controller type          | Matrix-based controller, in hardware or privileged software     | Table-based controller in hardware
Controller response time | 5–10 µs                                                         | ≈ 10 ns
Example actuations       | Change frequency and voltage; schedule balloon and idle threads | Insert instructions and pipeline bubbles
Example use cases        | Hide what application runs or what keystroke occurred           | Hide features of a crypto algorithm

In the rest of the paper, we focus on the first type of environment only, as it is by far the easiest to mount and the most widely used.

4.3 Generating Effective Masks

To effectively mislead an attacker, it is not enough for the defense to only be able to track power targets closely (as discussed in Section 4.1). In addition, the defense must create an appropriate target power signal (i.e., an appropriate mask). The module that determines the mask to be used at each interval is the Mask Generator.

An effective mask must protect information leaked in both the time domain and the frequency domain (i.e., after obtaining its FFT) because attackers can analyze signals in either domain. We postulate that, to be effective, a mask must have three properties.

First, its mean and variance must change over the time domain, to portray phase behavior (Figure 4(c) top). Such changes will mask the original signal in the time domain.

The second property is that the mean and variance changes must have various rates, from smooth to abrupt. This property will cause the resulting frequency-domain curve to spread over a range of frequencies (Figure 4(c) bottom). As a result, the curve will have a property similar to typical curves generated natively by applications.
The final property is that the target signal must have repeating patterns at various rates. This is to create various peaks in the frequency-domain curve (Figure 4(e) bottom). Such peaks are common in applications, as they represent the effects of loops.

Table 2 lists some well-known signals, showing whether each signal changes the mean and the variance in the time domain, and whether it creates spread and peaks in the frequency domain. Such properties determine their viability to be used as effective masks. Figure 4 shows a graphical representation of each signal in order.

[Figure 4. Examples of different masks: (a) Constant, (b) Uniformly Random, (c) Gaussian, (d) Sinusoid, (e) Gaussian Sinusoid. In each case, the time-domain curve (Power (W) over Time (s), 0–20 s) is at the top, and the frequency-domain one (|FFT(Power)| over Frequency (Hz), 0–20 Hz) at the bottom.]

Table 2. Some standard signals and what they change in the time and frequency domains.

Signal             | Time-domain: Mean | Time-domain: Variance | Frequency-domain: Spread | Frequency-domain: Peaks
Constant           | –                 | –                     | –                        | –
Uniformly Random   | Yes               | –                     | Yes                      | –
Gaussian           | Yes               | Yes                   | Yes                      | –
Sinusoid           | Yes               | Yes                   | –                        | Yes
Gaussian Sinusoid  | Yes               | Yes                   | Yes                      | Yes

A Constant signal (Figure 4(a)) does not change the mean or variance in the time domain, or create spread or peaks in the frequency domain. Note that this signal cannot be realized in practice. Any realistic method of keeping the output signal constant under changing conditions would have to first observe the outputs deviating from the targets, and then set the inputs accordingly.
Hence, the output signal would have a burst of power activity at all the change points in the application. As a result, such a signal would easily leak information. Furthermore, the signals obtained in multiple runs of a given application would be similar to each other.

In a Uniformly Random signal (Figure 4(b)), a value is chosen randomly from a range, and is used as a target for a random duration in the time domain. After this period, another value and duration are selected, and the process repeats. This signal changes the mean but not the variance in the time domain. In the frequency domain, the signal is spread across a range but has no peaks. This mask is not a good choice either, because any repeating activity in the application would be hard to hide in the time-domain signal.

The Gaussian signal (Figure 4(c)) takes a gaussian distribution and keeps changing the mean and variance randomly in the time domain. The resulting frequency-domain signal is spread over multiple frequencies, but does not have peaks.

The Sinusoid signal (Figure 4(d)) generates a sinusoid and keeps changing the frequency, the amplitude, and the offset (i.e., the power at angle 0 of the sinusoid) randomly with time. This signal changes the mean and variance in the time domain. In the frequency domain, it has clear sharp peaks at each of its sine wave frequencies. However, there is no spread. Therefore, this signal is not effective at masking abrupt changes in the native power output of applications.

Finally, the Gaussian Sinusoid (Figure 4(e)) is the addition of the previous two signals. This signal has all the properties that we want. The mean and variance in the time domain, and the peak locations in the frequency domain, are varied by changing the parameters of the sinusoid. The gaussian component widens the peaks in the frequency domain, causing spread. This is the mask that we propose.

5 Implementation on Two Systems

We implement Maya as the system shown in Figure 3.
We target the Conventional environment, shown in the center column of Table 1, as it is by far the most frequent one. We implement Maya in software, as OS threads, on two different machines. System One (Sys1) is a consumer-class machine with 6 cores. Each core supports 2 hardware contexts, totaling 12 logical cores. System Two (Sys2) is a server-class machine with 2 sockets, each having 10 cores of 2 hardware contexts, for a total of 40 logical cores.

On both systems, the processors are Intel Sandy Bridge. The OS is CentOS 7.6, based on the Linux kernel version 3.10. On each context, we run one of three possible threads: a thread of a parallel benchmark, an idle thread, or a balloon thread. The latter is one thread of a parallel program that we call the Balloon program, which performs floating-point array operations in a loop to raise the power consumed. Both the benchmark and the Balloon program have as many threads as logical cores.

In each system, the controller measures one output and actuates on three inputs. The output is the total power consumed by the chip(s). The inputs are the DVFS level applied, the percentage of idle thread execution, and the percentage of balloon program execution. DVFS values can be changed from 1.2 GHz to 2.0 GHz on Sys1, and from 1.2 GHz to 2.6 GHz on Sys2, with 0.1 GHz increments in either case. On both systems, idle thread execution can be set from 0% to 48% in steps of 4%, and the balloon program execution from 0% to 100% in steps of 10%.

Power consumption is measured through RAPL interfaces [32]. The DVFS level is set using the cpufreq interface. The idle thread setting is specified through Intel's PowerClamp interface [44]. The balloon program setting is specified through a shared-memory (shm) file. The controller, mask generator, and balloon program run as privileged processes.

5.1 Designing the Controller

We design the controller using robust control theory [41].
To develop it, we need to: (i) design a dynamic model of the computer system running the applications, and (ii) set three parameters of the controller (Section 2.2), namely the input weights, the uncertainty guardband, and the output deviation bounds [41].

To develop the model, we use the System Identification [27] experimental modeling methodology. In this approach, we run training applications on the computer system and, during execution, change the system inputs. We log the observed outputs and the inputs. From the data, we construct a dynamic polynomial model of the computer system:

$$y(T) = a_1 \times y(T-1) + \ldots + a_m \times y(T-m) + b_1 \times u(T) + \ldots + b_n \times u(T-n+1) \qquad (3)$$

In this equation, $y(T)$ and $u(T)$ are the outputs and inputs, respectively, at time T. This model describes the outputs at any time T as a function of the m past outputs, and the current and n-1 past inputs. The constants $a_i$ and $b_i$ are obtained by least squares minimization from the experimental data [27]. We perform system identification by running two applications from PARSEC 3.0 (swaptions and ferret) and two from SPLASH2x (barnes and raytrace) [11] on Sys1. The models we obtain have a dimension of 4 (i.e., m = n = 4 in Equation 3). The system identification approach is powerful enough to capture the relationship between the inputs and outputs.

The input weights are set depending on the relative overhead of changing each input. In our system, all inputs have similar changing overheads. Hence, we set all the input weights to 1.

Next, we specify the uncertainty guardband by evaluating several choices. For each uncertainty guardband choice, Matlab tools [18] give the smallest output deviation bounds the controller can provide. Based on prior work [33], we set the guardband to be 40%, which allows the output deviation bounds for power to be within 10%.
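The least-squares fit of Equation 3, as an added example rather than the authors' Matlab flow: a logged input/output sequence is turned into regression rows [y(T-1) .. y(T-m), u(T) .. u(T-n+1)] and the coefficients a_i, b_i are solved from the normal equations. The "plant" that generates the log is a constructed single-input model with m = n = 2 and known coefficients, standing in for measuring chip power while the balloon level is stepped; the paper's real model has three inputs and order 4.

```python
"""System identification of the Equation 3 ARX model by least squares.
The plant, its coefficients, the excitation and the noise are assumptions."""
import random


def true_plant_response(inputs, seed=5, noise_std=0.05):
    """Constructed plant: y(T) = 0.6 y(T-1) - 0.1 y(T-2) + 2.0 u(T) + 0.8 u(T-1) + noise.
    Stands in for the logged power of a machine whose inputs are being excited."""
    rng = random.Random(seed)
    y = []
    for T, u in enumerate(inputs):
        y1 = y[T - 1] if T >= 1 else 0.0
        y2 = y[T - 2] if T >= 2 else 0.0
        u1 = inputs[T - 1] if T >= 1 else 0.0
        y.append(0.6 * y1 - 0.1 * y2 + 2.0 * u + 0.8 * u1 + rng.gauss(0.0, noise_std))
    return y


def regression_rows(y, u, m, n):
    """For each T with enough history, the regressor
    [y(T-1) .. y(T-m), u(T) .. u(T-n+1)] and the target y(T), per Equation 3."""
    rows, targets = [], []
    for T in range(max(m, n - 1), len(y)):
        rows.append([y[T - i] for i in range(1, m + 1)] + [u[T - j] for j in range(n)])
        targets.append(y[T])
    return rows, targets


def solve_normal_equations(rows, targets):
    """Least squares via (X^T X) theta = X^T y, solved by Gaussian elimination
    with partial pivoting. Adequate for a handful of coefficients."""
    k = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    b = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(k)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(A[r][col]))
        A[col], A[pivot] = A[pivot], A[col]
        b[col], b[pivot] = b[pivot], b[col]
        for r in range(col + 1, k):
            f = A[r][col] / A[col][col]
            for c in range(col, k):
                A[r][c] -= f * A[col][c]
            b[r] -= f * b[col]
    theta = [0.0] * k
    for r in range(k - 1, -1, -1):
        s = sum(A[r][c] * theta[c] for c in range(r + 1, k))
        theta[r] = (b[r] - s) / A[r][r]
    return theta


def identify(y, u, m, n):
    """Fit Equation 3 to a log; returns ([a_1..a_m], [b_1..b_n])."""
    rows, targets = regression_rows(y, u, m, n)
    theta = solve_normal_equations(rows, targets)
    return theta[:m], theta[m:]


def excitation(length, seed=9):
    """Pseudo-random input sequence (e.g. a balloon level stepping between
    discrete settings) so that every coefficient is observable in the log."""
    rng = random.Random(seed)
    return [rng.choice([0.0, 0.25, 0.5, 0.75, 1.0]) for _ in range(length)]


if __name__ == "__main__":
    u = excitation(2000)
    y = true_plant_response(u)
    a, b = identify(y, u, m=2, n=2)
    print("a:", [round(v, 3) for v in a], "b:", [round(v, 3) for v in b])
```

The excitation matters as much as the solver: if the inputs were held fixed, the columns of the regression matrix would be collinear and the normal equations singular, which is why the identification runs in the paper change the system inputs during execution.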
With the model and these specifications, standard tools [18] generate the set of matrices that encode the controller (Section 2.2). This controller's dimension is 11, i.e., the number of elements in the state vector of Equation 1 is 11. The controller runs periodically every 20 ms. We set this duration based on the update rate of the power sensors.

5.2 Mask Generator

As indicated in Section 4.3, our choice of mask is a gaussian sinusoid (Figure 4(e)). This signal is the sum of a sinusoid and a gaussian, and its value as a function of time (T) is:

$$Offset + Amp \times \sin\left(2\pi \times \frac{T}{Freq}\right) + Noise(\mu, \sigma) \qquad (4)$$

where the Offset, Amp, Freq, µ and σ parameters keep changing. Each of these parameters is selected at random from a range of values, subject to two constraints. First, the maximum power cannot be over the Thermal Design Power (TDP) of the system. Second, the frequency has to be smaller than half of the power sampling frequency; otherwise, the sampler would not be able to identify the curve. Once a particular set of parameters is chosen, the mask generator uses them for $N_{hold}$ samples, after which the parameters are updated again. $N_{hold}$ itself varies randomly between 6 and 120 samples.

6 Evaluation Methodology

We analyze the security offered by Maya in two ways. First, we consider two machine learning-based power analysis attacks and evaluate how Maya can prevent them. Second, we use signal processing metrics to evaluate the power-shaping properties of Maya.

6.1 Machine Learning Based Power Attacks

Pattern recognition is at the core of nearly all power analysis attacks [19, 24, 26, 46, 49]. Therefore, we use multiple machine learning-based attacks to test Maya.

1. Detecting the Active Application: This is a fundamental attack that is reported in several works [19, 26, 46, 49]. The goal is to infer the application running on the system using power traces.
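Before continuing with the attack description, the Section 5.2 mask generator as an added example (not the authors' code): it draws Offset, Amp, Freq, µ and σ for Equation 4, holds them for a random N_hold in [6, 120] samples, and enforces the two constraints. The TDP value and the parameter ranges are assumptions. The code reads Freq as the sinusoid's period in samples, so the Nyquist constraint becomes Freq > 2; that reading, and clipping the gaussian tail at TDP as a hard guard, are also assumptions.

```python
"""Gaussian-sinusoid mask generator after Equation 4 (Section 5.2).
TDP, parameter ranges and the period-in-samples reading of Freq are assumed."""
import math
import random

TDP_W = 95.0                 # assumed thermal design power; targets must stay below it
HOLD_MIN, HOLD_MAX = 6, 120  # N_hold range from Section 5.2


def draw_parameters(rng):
    """Draw one parameter set, rejecting any that could push the mask above TDP.
    Freq is the period in samples; Freq > 2 keeps the sine below half the
    sampling frequency, so the sampled trace can still show the curve."""
    while True:
        offset = rng.uniform(0.3 * TDP_W, 0.8 * TDP_W)   # power at angle 0 of the sine
        amp = rng.uniform(0.0, 0.3 * TDP_W)
        freq = rng.uniform(2.5, 200.0)                   # period in samples, strictly > 2
        mu = rng.uniform(-0.05 * TDP_W, 0.05 * TDP_W)
        sigma = rng.uniform(0.0, 0.05 * TDP_W)
        if offset + amp + mu + 4.0 * sigma <= TDP_W:     # leave 4-sigma headroom for the noise
            return offset, amp, freq, mu, sigma


def mask_value(t, offset, amp, freq, mu, sigma, rng):
    """Equation 4 at sample index t; the gaussian tail is clipped to [0, TDP]."""
    value = offset + amp * math.sin(2.0 * math.pi * t / freq) + rng.gauss(mu, sigma)
    return min(max(value, 0.0), TDP_W)


def generate_mask(n_samples, seed=1):
    """Target-power sequence for the controller. Each parameter set is held for
    a random N_hold samples and then redrawn. Returns (targets, change_points)."""
    rng = random.Random(seed)
    targets, change_points = [], []
    t = 0
    while t < n_samples:
        params = draw_parameters(rng)
        n_hold = rng.randint(HOLD_MIN, HOLD_MAX)
        change_points.append(t)
        for _ in range(n_hold):
            if t >= n_samples:
                break
            targets.append(mask_value(t, *params, rng))
            t += 1
    return targets, change_points


def hold_lengths(change_points, n_samples):
    """How many samples each parameter set was held for (the last may be cut short)."""
    bounds = change_points + [n_samples]
    return [b - a for a, b in zip(bounds, bounds[1:])]


if __name__ == "__main__":
    targets, cps = generate_mask(2000)
    print(f"{len(targets)} targets, {len(cps)} parameter changes, "
          f"max {max(targets):.1f} W (TDP {TDP_W} W)")
```

Seeding the generator from a fixed value, as the demo does, is only for reproducibility; a deployment should draw parameters from an unpredictable source, since an attacker who can predict the mask can subtract it.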
Initially, attackers gather several power traces of the applications that must be detected, and train a machine learning classifier to predict the application from the power trace. Then, they use this classifier to predict which application is creating a new signal from the system. This attack tells the attackers whether a power signal is of use to them, and enables them to identify more serious information from the power trace. For example, if the attackers know that the power signal belongs to a video encoder, they can infer that the repeating patterns in it correspond to successive frames being encoded.

We implement this attack on Sys1 using applications from PARSEC 3.0 (blackscholes, bodytrack, freqmine, raytrace, and vips) and SPLASH2x (radiosity, water_nsquared, and water_spatial). We run each application 1,000 times with native datasets on Sys1 and collect a total of 8,000 power traces. We collect power measurements using unprivileged RAPL counters, an ideal case for an attacker because this does not need physical access and has accurate measurements. For robust classification under noise, we configure the machine in each run with a different frequency and level of idle activity before launching the application. The idle activity results in a noisy power trace because of the interference between the idle threads and the actual applications.

From each trace, we extract multiple segments of 15,000 RAPL measurements, and average every 5 consecutive measurements in each segment to remove effects of noise. This reduces each segment length to 3,000. Then, we convert the values in the segment into one-hot representation by quantizing the values into one of 10 levels encoded in one-hot format. This gives us 30,000-long samples that we feed into a classifier. Among the samples from all traces, we use 60% of them for training, 20% for validation, and leave 20% as the test set.
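The segment-to-sample pipeline just described, as an added example that is not the authors' code: group averaging, 10-level quantization and one-hot expansion, parameterized so that the same functions produce the 15,000-sample windows of this attack and the 1,000-sample windows of the data-detection attack. The quantization range [0, TDP] and the constructed stand-in trace are assumptions; the paper does not state how the 10 levels are bounded.

```python
"""Preprocessing of RAPL traces into classifier inputs (Section 6.1).
The quantization range and the sample trace are constructed assumptions."""
import random

LEVELS = 10
TDP_W = 95.0        # assumed upper bound of the quantization range


def average_groups(values, k):
    """Average each run of k consecutive samples; a trailing partial group is dropped."""
    n = len(values) // k
    return [sum(values[i * k:(i + 1) * k]) / k for i in range(n)]


def quantize(value, levels=LEVELS, lo=0.0, hi=TDP_W):
    """Map a power value to an integer level in [0, levels-1]; out-of-range values clamp."""
    if value <= lo:
        return 0
    if value >= hi:
        return levels - 1
    return int((value - lo) / (hi - lo) * levels)


def one_hot(level, levels=LEVELS):
    vec = [0] * levels
    vec[level] = 1
    return vec


def make_sample(trace, start, window, k=5, levels=LEVELS):
    """Build one classifier input from trace[start:start+window]:
    window // k averaged values, each expanded to `levels` one-hot bits."""
    segment = trace[start:start + window]
    if len(segment) < window:
        raise ValueError("window runs past the end of the trace")
    sample = []
    for v in average_groups(segment, k):
        sample.extend(one_hot(quantize(v, levels), levels))
    return sample


def samples_from_trace(trace, window, stride, k=5, levels=LEVELS):
    """Every full window whose start is a multiple of stride."""
    return [make_sample(trace, s, window, k, levels)
            for s in range(0, len(trace) - window + 1, stride)]


def constructed_trace(n, seed=3):
    """Constructed stand-in for a RAPL trace: 20 W baseline, a 15 W bump for the
    first 100 of every 500 samples (a 'frame'), plus uniform jitter."""
    rng = random.Random(seed)
    return [20.0 + (15.0 if (i % 500) < 100 else 0.0) + rng.uniform(-2.0, 2.0)
            for i in range(n)]


if __name__ == "__main__":
    trace = constructed_trace(30_000)
    # Attack 1 geometry: 15,000 raw samples -> 3,000 averages -> 30,000 one-hot values
    samples = samples_from_trace(trace, window=15_000, stride=5_000)
    print(len(samples), "samples of length", len(samples[0]))
```

The fixed range matters for the adaptive attack: if the levels were re-derived per segment from its own minimum and maximum, an obfuscated trace whose absolute power was shifted by the mask would be renormalized back, so the pipeline should use the same bounds for baseline and obfuscated data.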
Our classifier is a multilayer perceptron neural network with two hidden ReLU layers of dimensions 1,500 and 600. The output layer uses LogSoftmax and has 8 nodes, corresponding to the 8 applications we classify. With this model, we achieve a training accuracy of 99%, and validation and test accuracies of 92%.

2. Detecting the Application Data: This attack is used to infer the differences in data that a given application uses – such as the websites accessed by a browser, or the videos processed by an encoder. This is also a common attack described in multiple works [26, 31, 46, 49, 51]. We implement this attack on Sys2 targeting the ffmpeg video encoding application [15]. We use three videos saved in raw format: tractor, riverbed and wind. They are commonly used for video testing [48]. We transcode each video with x264 compression using ffmpeg and record the power trace. Since the power consumed by video encoding depends on the content of the frames, each video has a distinct power pattern. We collect the power traces from 300 runs of encoding each video with different frequency and idle activity levels. Next, we choose multiple windows of 1,000 measurements from each trace. As with the previous attack, we average 5 consecutive measurements and use one-hot encoding to obtain samples that are 2,000 values long. The classifier for this attack is also a multilayer perceptron neural network with two hidden ReLU layers of dimensions 100 and 40. The output layer uses LogSoftmax and has 3 nodes corresponding to the 3 videos we classify. With this model, we achieve training, validation and test accuracies of 99%.

3. Adaptive Attacks: We consider an advanced scenario where the attacker records the distorted power traces of applications when Maya is running, and knows which application is running. She then trains models to perform the previous attacks. The data collection and model training is the same as described above.
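The feature extraction that the application-detection evaluation feeds to its classifier (segments of 15,000 RAPL readings, averaged 5 at a time, quantized to 10 one-hot levels, split 60/20/20), as an added Python example for anyone reproducing this kind of evaluation of a defense; it is not the authors' code. Two details the text leaves open are assumptions here: the quantization range is taken from the min and max of the data, and segments are cut without overlap. The traces are constructed, not real RAPL captures.

```python
import math
import random

# Added example reproducing the feature extraction of the application-detection
# evaluation in Section 6.1 (not the authors' code). Constructed assumptions: the
# quantization range is the min/max of the data, and segments do not overlap.
SEGMENT_LEN = 15_000   # RAPL measurements per segment
AVG_WINDOW = 5         # consecutive measurements averaged together -> 3,000 values
LEVELS = 10            # quantization levels, each emitted as a one-hot vector


def segments_of(trace, seg_len=SEGMENT_LEN):
    """Cut a trace into non-overlapping windows of seg_len measurements."""
    return [trace[i:i + seg_len] for i in range(0, len(trace) - seg_len + 1, seg_len)]


def average_consecutive(values, window=AVG_WINDOW):
    """Mean of every `window` consecutive values; shortens the signal by `window`."""
    return [sum(values[i:i + window]) / window
            for i in range(0, len(values) - window + 1, window)]


def quantize(value, lo, hi, levels=LEVELS):
    """Map a power value in [lo, hi] to an integer level in 0..levels-1."""
    if hi <= lo:
        return 0
    level = int((value - lo) / (hi - lo) * levels)
    return min(max(level, 0), levels - 1)


def one_hot(level, levels=LEVELS):
    vec = [0] * levels
    vec[level] = 1
    return vec


def featurize(segment, lo, hi):
    """Segment -> averaged -> quantized -> one-hot, concatenated into one sample.
    A 15,000-long segment becomes 3,000 levels and hence a 30,000-long sample."""
    sample = []
    for x in average_consecutive(segment):
        sample.extend(one_hot(quantize(x, lo, hi)))
    return sample


def build_dataset(traces_by_label, seed=0):
    """Featurize every segment of every trace and split 60/20/20 into
    train/validation/test. Returns three lists of (sample, label)."""
    lo = min(min(t) for ts in traces_by_label.values() for t in ts)
    hi = max(max(t) for ts in traces_by_label.values() for t in ts)
    samples = [(featurize(seg, lo, hi), label)
               for label, traces in traces_by_label.items()
               for trace in traces for seg in segments_of(trace)]
    random.Random(seed).shuffle(samples)
    n = len(samples)
    n_train, n_val = int(0.6 * n), int(0.2 * n)
    return samples[:n_train], samples[n_train:n_train + n_val], samples[n_train + n_val:]


def constructed_trace(base_w, swing_w, period, length, seed):
    """Constructed stand-in for a RAPL trace: a periodic pattern plus noise."""
    rng = random.Random(seed)
    return [base_w + swing_w * math.sin(2 * math.pi * i / period) + rng.gauss(0, 0.5)
            for i in range(length)]


if __name__ == "__main__":
    traces = {"app_a": [constructed_trace(12, 3, 400, 30_000, s) for s in range(5)],
              "app_b": [constructed_trace(20, 5, 250, 30_000, s) for s in range(5)]}
    train, val, test = build_dataset(traces)
    print(len(train), len(val), len(test), "samples of length", len(train[0][0]))
```

The point of fixing the quantization range from the data rather than per segment is that a defense which shifts the absolute power level (as a mask does) then changes which levels a segment occupies; that is part of what the obfuscated traces have to defeat.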
6.2 Signal Processing Analysis

In addition to the machine learning attacks, we analyze Maya's distortion using the following signal processing metrics.

1. Signal Averaging: Averaging multiple power signals removes random noise in the signals, allowing attackers to detect even small changes. We test this using signal averaging analysis on Sys1. For each application, we collect three sets of 1,000 noisy power signals with: (i) no Maya, (ii) Maya Constant, and (iii) Maya Gaussian Sinusoid. When Maya is not used, noise is created by changing frequency and idle activity. Then, we average the signals for each application and analyze the distribution of values in the averaged signals. Effective obfuscation would cause the values in the averaged traces to be distributed in the same manner across applications.

2. Change Detection: This is a signal processing technique used to identify times when the properties of a signal change. The properties can be the signal mean, variance, edges, or Fourier coefficients. We use a standard Change Point Detection algorithm [29] to compare the change points found in the baseline and in the re-shaped signals on Sys2.

7 Evaluating Maya

7.1 Evading Machine Learning Attacks

Application Detection Attack: Figure 5 shows the confusion matrices for performing the application detection attack and its adaptive variant on Sys1. The rows of the matrix correspond to the true labels of the traces and the columns are the labels predicted by the machine learning models. The 8 applications we detect are numbered from 0 to 7. A cell in the i-th row and j-th column of the matrix lists the fraction of traces belonging to label i that were classified as j. Values close to 1 along the diagonal indicate accurate prediction. We use Baseline to refer to the environment without Maya, and Obfuscated to refer to when Maya runs. Recall that the model trained on Noisy Baseline signals can classify unobfuscated signals with 92% accuracy.
When this classifier is applied to signals produced when Maya runs with a Constant mask, the accuracy drops to 12% (average of the diagonal values in Figure 5a). However, when an advanced attacker trains on the obfuscated traces, the classification accuracy is 67% (Figure 5b).

Figure 5. Confusion matrices for a machine learning attack to identify the active application from power signals. The figures are labeled in the format: Train dataset → Test dataset, and the average accuracy is in parentheses. Rows are true labels and columns are predicted labels (applications 0 to 7); in the original charts, higher fractions are drawn as darker squares.

(a) Noisy Baseline → Maya Constant (12%)
True\Pred    0     1     2     3     4     5     6     7
    0      0.00  0.08  0.00  0.00  0.01  0.00  0.91  0.00
    1      0.00  0.16  0.00  0.00  0.01  0.00  0.83  0.00
    2      0.00  0.12  0.00  0.00  0.06  0.00  0.82  0.00
    3      0.00  0.07  0.00  0.00  0.09  0.00  0.84  0.00
    4      0.00  0.19  0.00  0.00  0.01  0.00  0.79  0.00
    5      0.00  0.34  0.00  0.00  0.06  0.00  0.60  0.00
    6      0.00  0.16  0.00  0.00  0.07  0.00  0.77  0.00
    7      0.00  0.23  0.00  0.00  0.08  0.00  0.68  0.00

(b) Maya Constant → Maya Constant (67%)
True\Pred    0     1     2     3     4     5     6     7
    0      0.80  0.04  0.04  0.01  0.02  0.02  0.01  0.05
    1      0.01  0.76  0.03  0.01  0.09  0.03  0.05  0.03
    2      0.01  0.02  0.68  0.06  0.06  0.03  0.11  0.04
    3      0.01  0.09  0.10  0.60  0.10  0.04  0.06  0.01
    4      0.02  0.08  0.07  0.05  0.59  0.07  0.10  0.03
    5      0.00  0.01  0.03  0.02  0.19  0.59  0.11  0.05
    6      0.01  0.03  0.05  0.02  0.10  0.07  0.72  0.01
    7      0.10  0.02  0.08  0.05  0.06  0.02  0.04  0.62

(c) Noisy Baseline → Maya Gaussian Sinusoid (13%)
True\Pred    0     1     2     3     4     5     6     7
    0      0.00  0.87  0.01  0.01  0.05  0.00  0.05  0.01
    1      0.00  0.87  0.01  0.00  0.03  0.00  0.08  0.02
    2      0.00  0.88  0.01  0.00  0.04  0.00  0.05  0.02
    3      0.00  0.85  0.01  0.01  0.04  0.00  0.08  0.02
    4      0.00  0.85  0.00  0.00  0.05  0.00  0.07  0.02
    5      0.00  0.86  0.00  0.00  0.05  0.00  0.07  0.01
    6      0.00  0.85  0.01  0.00  0.06  0.00  0.06  0.02
    7      0.00  0.89  0.01  0.00  0.03  0.00  0.06  0.02

(d) Maya Gaussian Sinusoid → Maya Gaussian Sinusoid (20%)
True\Pred    0     1     2     3     4     5     6     7
    0      0.27  0.11  0.12  0.13  0.08  0.10  0.08  0.12
    1      0.10  0.23  0.12  0.12  0.12  0.10  0.09  0.12
    2      0.11  0.11  0.18  0.06  0.12  0.18  0.14  0.10
    3      0.15  0.12  0.10  0.15  0.08  0.16  0.15  0.10
    4      0.09  0.12  0.11  0.11  0.15  0.16  0.17  0.10
    5      0.10  0.15  0.13  0.13  0.07  0.24  0.05  0.13
    6      0.11  0.11  0.11  0.09  0.11  0.06  0.37  0.05
    7      0.13  0.10  0.16  0.11  0.11  0.14  0.13  0.12

The poor security offered by a Constant mask in the advanced attack is due to two reasons. First, it cannot hide the natural power variations of an application, as described in Section 4.3. Second, the power signals of an application with a Constant mask are similar across multiple runs. Hence, a Constant mask is ineffective at preventing information leakage.

Next, consider the Gaussian Sinusoid mask. When a Noisy Baseline-trained classifier is used, the accuracy is 13% (Figure 5c). Even in an Adaptive attack that trains on the obfuscated traces, the classification accuracy is only 20% (Figure 5d). This indicates an excellent obfuscation, considering that the random-chance of guessing the correct application is 13%. The Gaussian Sinusoid introduces several types of variation in the power signals, effectively eliminating any original patterns. Moreover, each run with this mask generates a new form. Therefore, there is no common pattern between different runs that a machine learning model could learn.

Video Data Detection Attack: Figure 6 shows the confusion matrices for the attack that identifies the video being encoded on Sys2. Recall that the attack has to choose among one of three videos for each power trace. The classifier trained on baseline signals had a 99% test accuracy in predicting the video from the baseline traces. The classification accuracy when using this model on signals with Maya's Constant mask is 21% (Figure 6a). However, the accuracy rises to 79% when the attacker is able to train with the power signals generated by Maya using the Constant mask (Figure 6b).
When the Gaussian Sinusoid mask is used, the classification accuracy when using the Noisy Baseline-trained model is 34% (Figure 6c). Even when the attacker trains with obfuscated traces, the classification accuracy is only 39% (Figure 6d). This is a high degree of obfuscation because the random-chance of assigning the correct video to a power signal is 33%.

Figure 6. Confusion matrices for a machine learning attack to identify the video being encoded. The figures are labeled as in Figure 5 (rows: true label, columns: predicted label; videos 0 to 2).

(a) Noisy Baseline → Maya Constant (21%)
True\Pred    0     1     2
    0      0.51  0.06  0.42
    1      0.74  0.01  0.25
    2      0.81  0.09  0.11

(b) Maya Constant → Maya Constant (79%)
True\Pred    0     1     2
    0      0.89  0.11  0.00
    1      0.05  0.80  0.15
    2      0.07  0.24  0.69

(c) Noisy Baseline → Maya Gaussian Sinusoid (34%)
True\Pred    0     1     2
    0      0.55  0.25  0.20
    1      0.49  0.29  0.22
    2      0.53  0.30  0.18

(d) Maya Gaussian Sinusoid → Maya Gaussian Sinusoid (39%)
True\Pred    0     1     2
    0      0.40  0.27  0.34
    1      0.29  0.40  0.31
    2      0.33  0.31  0.36

Overall, the results from the machine learning-based attacks establish that Maya with the Gaussian Sinusoid mask is successful in falsifying pattern recognition attacks. Maya's strength is highlighted when it resisted the attacks where the attacker could record thousands of signals generated from Maya. This comes from using an effective mask (Gaussian Sinusoid) and a control-theory controller that keeps power close to the mask. Finally, the results also show the Constant mask to be ineffective because it does not have all the needed traits of a mask.

[Figure 7: box plots of Power (W) per application (0 to 7) for (a) Noisy Baseline (roughly 8 to 18 W), (b) Maya Constant (roughly 20 to 24 W), and (c) Maya Gaussian Sinusoid (roughly 16.5 to 19 W).]
Figure 7. Summary statistics of the average of 1,000 signals. The Y axis of each chart is drawn to a different scale.

[Figure 8: Avg. Power (W) over samples 0 to 15,000 for blackscholes, bodytrack and water_nsquared under (a) Noisy Baseline (roughly 0 to 15 W), (b) Maya Constant (roughly 15 to 25 W), and (c) Maya Gaussian Sinusoid (roughly 15 to 19 W).]
Figure 8. Average of 1,000 signals over time samples. The Y axis of each chart is drawn to a different scale.

7.2 Signal Processing Analysis

Signal Averaging: Figure 7 shows the box plots of the value distribution in the averaged traces from Sys1 with the Noisy Baseline, Maya Constant mask, and Maya Gaussian Sinusoid mask. The applications are labeled on the horizontal axis from 0 to 7. There is a box plot for each application. Each box shows the 25th and 75th percentile values for the application. The line inside the box is the median value. The whiskers of the box extend up to values not considered as statistical outliers. The statistical outliers are shown by a tail of '+' markers. Note that the Y axis on the three charts is different – Figures 7b and 7c have a magnified view of the values for legibility.

With the Noisy Baseline, the average trace of each application has a distinct distribution of values, leaving a fingerprint of that application. With a Constant mask, the median values of the applications are closer than they were with the Baseline. The lengths of the boxes do not differ as much as they did with the Baseline. Unfortunately, each application has a different statistical fingerprint sufficient to distinguish it from the others.

Finally, with the Maya Gaussian Sinusoid mask, the distributions are near-identical. This is because the patterns in each run are not correlated with those in other runs. Therefore, averaging multiple Maya signals cancels out the patterns — simply leaving a constant-like value with small variance.
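The two signal-processing metrics of Section 6.2, signal averaging (discussed here) and change point detection (discussed next in this section), as an added Python example on constructed traces; it is not the paper's analysis code, which used the MATLAB routine cited as [29]. The traces model one application with three activity phases under three environments: plain noise, a constant target with a residual 20% of the pattern leaking through (the paper states a Constant mask cannot hide natural variations; the fraction is an assumption), and a per-run random sinusoid standing in for the Gaussian Sinusoid mask. The change point detector is a simple mean-shift binary segmentation with a penalty, the common textbook form, not necessarily the cost function the paper's tool used.

```python
import math
import random

# Added example of the Section 6.2 metrics on constructed traces (not the paper's
# code). A 500-sample, 50 Hz run with three activity phases is assumed below.
FS_HZ = 50.0
PHASES = [(0, 200, 10.0), (200, 400, 16.0), (400, 500, 10.0)]  # (start, end, watts)


def app_pattern(n=500, phases=PHASES):
    """Noise-free activity pattern: sequential, parallel, sequential (constructed)."""
    x = [0.0] * n
    for start, end, watts in phases:
        for i in range(start, min(end, n)):
            x[i] = watts
    return x


def one_run(pattern, mode, rng, noise_sd=1.0):
    """One noisy trace under 'baseline', 'constant' or 'sinusoid' (assumed models)."""
    if mode == "baseline":
        return [v + rng.gauss(0, noise_sd) for v in pattern]
    if mode == "constant":   # fixed target, 20% of the pattern leaks through (assumption)
        return [20.0 + 0.2 * (v - 12.0) + rng.gauss(0, noise_sd) for v in pattern]
    # 'sinusoid': amplitude, frequency and phase re-drawn per run, unrelated to the app
    amp, freq, phase = rng.uniform(5, 15), rng.uniform(0.5, 20.0), rng.uniform(0, 2 * math.pi)
    return [17.0 + amp * math.sin(2 * math.pi * freq * i / FS_HZ + phase) + rng.gauss(0, noise_sd)
            for i in range(len(pattern))]


def noisy_trace(mode, seed):
    """A single run of the constructed application under one environment."""
    return one_run(app_pattern(), mode, random.Random(seed))


def average_runs(pattern, mode, runs=300, seed=0):
    """Signal averaging: the per-sample mean over many runs."""
    rng = random.Random(seed)
    acc = [0.0] * len(pattern)
    for _ in range(runs):
        for i, v in enumerate(one_run(pattern, mode, rng)):
            acc[i] += v
    return [a / runs for a in acc]


def correlation(x, y):
    """Pearson correlation: how much of the true pattern survives averaging."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx > 0 and syy > 0 else 0.0


def change_points(x, penalty=50.0, min_len=10):
    """Mean-shift change point detection by binary segmentation: split where the
    drop in within-segment squared error exceeds `penalty`, then recurse."""
    ps, ps2 = [0.0], [0.0]
    for v in x:
        ps.append(ps[-1] + v)
        ps2.append(ps2[-1] + v * v)

    def sse(a, b):   # squared deviation from the mean over x[a:b]
        s, s2, n = ps[b] - ps[a], ps2[b] - ps2[a], b - a
        return s2 - s * s / n

    found = []

    def search(a, b):
        if b - a < 2 * min_len:
            return
        base, best_k, best_gain = sse(a, b), None, penalty
        for k in range(a + min_len, b - min_len + 1):
            gain = base - sse(a, k) - sse(k, b)
            if gain > best_gain:
                best_k, best_gain = k, gain
        if best_k is not None:
            found.append(best_k)
            search(a, best_k)
            search(best_k, b)

    search(0, len(x))
    return sorted(found)


if __name__ == "__main__":
    pat = app_pattern()
    for mode in ("baseline", "constant", "sinusoid"):
        avg = average_runs(pat, mode)
        print(f"{mode:9s} corr(avg, pattern) = {correlation(avg, pat):+.2f}",
              "change points in one run:", change_points(noisy_trace(mode, 7)))
```

Averaging recovers the phase structure for the baseline and constant-target runs because the residual pattern is the same in every run, while the per-run sinusoids are mutually uncorrelated and average toward a flat line, which is the mechanism the paragraph above describes. The change point detector finds the two real phase boundaries in a baseline run; on a sinusoid run, whatever it finds is an artifact of the mask rather than of the application.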
Hence, the median, mean, variance, and the distribution of the samples are very close. Note that the resolution of this data is 0.01 W, indicating a high degree of obfuscation.

To highlight the differences further, Figure 8 shows the averaged signals of three applications over timesteps for the Noisy Baseline, Maya Constant and Maya Gaussian Sinusoid. Again, the Y axis for Figures 8b and 8c is magnified for legibility. With the Noisy Baseline, after the noise is removed by the averaging effect, the patterns in the averaged signals of each application are clearly visible. Further, these patterns are different for each application.

When the Constant mask is used, the magnitude of the variation is lower, but the lines are not identical across applications. The pattern of blackscholes is clearly visible. With the Gaussian Sinusoid mask, the average signal of an application has only a small variance, and is close to the average signals of the other applications. As a result, the average traces of different applications are indistinguishable, and do not resemble the baseline at all. This results in the highest degree of obfuscation.

Change Point Detection: We present the highlights of this analysis using blackscholes on Sys2. We monitor the execution for 100 s, even if the application completes before 100 s. Figure 9 shows the power signals in the time and frequency domains for blackscholes with the Noisy Baseline, Maya Constant, and Maya Gaussian Sinusoid. The time-domain plots also show the detected phases from the change point algorithm.

[Figure 9: top row, Power (W) over Time 0 to 100 s (axis 0 to 200 W); bottom row, |FFT(Power)| over Frequency 0 to 25 Hz; columns (a) Noisy Baseline, (b) Maya Constant, (c) Maya Gaussian Sinusoid.]
Figure 9. Change point detection in blackscholes on Sys2. The top row shows the time-domain signals, along with the detected phases. The bottom row shows the frequency-domain signals.

In the Noisy Baseline (Figure 9a), the difference between the different phases is less visible due to interference from the idle threads. Nonetheless, the algorithm detects four major phases. They correspond to the sequential, parallel, sequential, and fully idle activity, respectively. The sudden changes between phases can be seen as a small spike in the FFT tail of this signal.

Figure 9b shows blackscholes with a Constant mask. Change point analysis reveals changes in the signal at 20 s, 40 s and 60 s, yielding four phases. These phases can be related directly to those in the Baseline signal because the Constant mask does not introduce artificial changes. The change in signal variance between these phases is visible from the time series. Also, the FFT tail has a small spike at the same location as with the Baseline. As a result, the attacker can easily identify this signal.

Figure 9c shows the behavior with the Gaussian Sinusoid mask. Change point analysis detects several instances of phase change, but these are all artificial. Notice that the FFT of this signal is different from the Baseline FFT, eliminating any identity of the application. Finally, it is also not possible to infer when the application execution is complete. Specifically, the application actually completed around 55 s, but the power signal has no distinguishing change at that time.

7.3 Effectiveness of a Control-Theory Controller

Figure 10 shows the target power given by a Maya Gaussian Sinusoid mask generator during one execution of blackscholes on Sys1 (a), and the actual power that was measured from the computer (b). It can be seen that the control-theory controller is effective at making the measured power appear close to the target mask.
This is thanks to the advantages of using a MIMO control-theoretic controller. Indeed, this accurate tracking is what helps Maya in effectively re-shaping the system's power and hiding application activity.

7.4 Overheads and Power-Performance Impact

Finally, we examine the overheads and the power-performance impact of Maya.

Overheads of Maya: The controller reads one output, sets three inputs and, it can be shown, has a state vector x(T) that is 11 elements long (Equation 1). Therefore, the controller needs less than 1 KB of storage. At each invocation, it performs ≈ 200 fixed-point operations to make a decision. This completes within one µs.

The Mask Generator requires (pseudo) random numbers from a Gaussian distribution to compute the mask (Equation 4). It also needs another set of random numbers to set the properties of the Gaussian distribution and the Sinusoid. In our implementation, we use a software library that takes less than 10 µs to generate all our random numbers. For a hardware implementation, there are off-the-shelf hardware instructions and IP modules to obtain these random numbers in sub-µs [20, 21].

[Figure 10: (a) Target Power (W) over Time 0 to 35 s (axis 0 to 28 W), the ideal target power given by the mask; (b) Power (W) over the same time span, the measured power from the system.]
Figure 10. Target and measured powers for a run of blackscholes with Maya Gaussian Sinusoid on Sys1, showing the high-fidelity power-shaping with control theory.

Maya needs few resources to control the system, making Maya attractive for both hardware and software implementations. The primary bottlenecks in our implementation were the sensing and actuation latencies, which are in the ms time scale.

Application-Level Impact: We run the PARSEC and SPLASH2x applications on Sys1 and Sys2, with and without Maya, to measure the power and performance overheads.
Our Baseline configuration runs at the highest available frequency without interference from the idle threads or the balloon program. It offers no security. We also evaluate the Noisy Baseline design, in which the system runs with a random DVFS level and percentage of idle activity.

Figure 11 shows the power and execution time of the Noisy Baseline, Maya Constant and Maya Gaussian Sinusoid environments normalized to that of the high-performance Baseline. From Figure 11a, we see that the average power consumed by the applications with the three environments is 35%, 41%, and 29% lower than that of the high-performance Baseline, respectively. The power is lower due to the idle threads and low DVFS values that appear in these environments.

Figure 11b shows the normalized execution times with the Noisy Baseline, Maya Constant, and Maya Gaussian Sinusoid environments. These environments have, on average, performance slowdowns of 63%, 100% and 50%, respectively, over the Baseline.

[Figure 11: (a) Normalized Power (0 to 1.75) and (b) Normalized Duration (0 to 4) of the Noisy Baseline, Maya Constant and Maya Gaussian Sinusoid environments, per application (bla, bod, fre, ray, vip, rad, wn, ws, i.e., blackscholes, bodytrack, freqmine, raytrace, vips, radiosity, water_nsquared, water_spatial) and their average (Avg).]
Figure 11. Overheads of our environments on Sys1 relative to a high-performance insecure Baseline.

Maya Constant uses a single power target that is lower than the maximum power at which Baseline runs. Therefore, its performance is the worst. On the other hand, Maya Gaussian Sinusoid spans multiple power levels in the available range, allowing applications to run at higher power occasionally. As a result, execution times are relatively better. Maya Gaussian Sinusoid also has better performance than Noisy Baseline and offers high security.

It can be shown that the power and performance overheads of our environments in Sys2 are similar to those in Sys1 shown in Figure 11.
This shows that our methodology is robust across different machine configurations.

One approach to reduce the slowdown from Maya is to enable obfuscation only on demand. Authenticated users or secure applications can activate Maya before commencing a security-sensitive task, and stop Maya once the task is complete. While this approach gives away the information that a secure task is being run, at least it does not slow down all applications.

7.5 Overall Remarks

Using machine learning-based attacks and signal analysis, we showed how the Maya Gaussian Sinusoid mask can obfuscate power signals from a computer. Maya's security comes from an effective mask, and from the control-theoretic controller that can shape the computer's power into the given mask. We implemented Maya on two different machines without modifying the controller or the mask generator, demonstrating our proposal's robustness, security and ease of deployment on existing computers.

8 Related Work

Power, temperature, and EM emissions from a computer are a set of physical side channels that have been used by many attackers to compromise security [24, 55, 56]. Kocher et al. [24] give a detailed overview of attacks exploiting power signals with Simple Power Analysis (SPA) and Differential Power Analysis (DPA).

Machine Learning (ML) is commonly used to perform power analysis attacks. Using ML, Yan et al. developed an attack to identify the running application, login screens and the number of keystrokes typed by the user [49]. Lifshits et al. considered malicious smart batteries and demonstrated another attack that predicted the character of a keystroke and the user's personal information such as browser, camera, and location activity [26]. Yang et al. snooped the power drawn by a mobile phone from a public USB charging booth to predict the user's browser activity. Hlavacs et al. showed that the virtual machines running on a server could be identified using power signals [19].
Finally, Wei et al. used ML to detect malware from power signals [47].

Other attacks are even more sophisticated. Michalevsky et al. developed a malicious smartphone application that could track the user's location using OS-level power counters, without reading the GPS module [31]. Schellenberg et al. showed how malicious on-board modules can measure another chip's power activity [39].

As power, temperature, and EM emissions are correlated, attackers used temperature and EM measurements to identify application activity [2, 13, 16, 17, 22, 46]. These attacks have targeted many environments, like smart cards, mobile systems, laptops, and IoT devices. Recently, Masti et al. showed how temperature can be used to identify another core's activity in multicores [28]. This broadens the threat from physical side channels because attackers can read EM signals from a distance, or measure temperature through co-location, even when the system does not support per-core power counters.

Several countermeasures against power side channels have been proposed [7, 14, 24, 38, 42, 52, 53, 55]. They usually operate along one of two principles: keep power consumption invariant to any activity [14, 34, 38, 42, 54], or make power consumption noisy such that the impact of application activity is lost [24, 55]. A common approach is to randomize DVFS using special hardware [7, 52, 52]. Avirneni and Somani also propose new circuits for randomizing DVFS, and change voltage and frequency independently [7]. Baddam and Zwolinski showed that randomizing DVFS is not a viable defense because attackers can identify clock frequency changes through high-resolution power traces [8]. Yang et al. proposed using random task scheduling at the OS level in addition to new hardware for randomly setting the processor frequency and clock phase [50]. Real et al. showed that simple approaches to introduce noise or empty activity into the system can be filtered out [35].

Trusted execution environments like Intel SGX [30] or ARM TrustZone [6] can sandbox the architectural events of applications. However, they do not establish boundaries for physical signals. One approach for power side channel isolation is blinking [3], where a circuit is temporarily cut off from the outside and is run with a small amount of energy stored inside itself. To the best of our knowledge, Maya is the first defense against power side channels that uses control theory.

9 Conclusions

This paper presented a simple and effective solution against power side channels. The idea, called Maya, is to use a controller from control theory to distort, in an application-transparent way, the power consumed by an application – so that the attacker cannot obtain information. With control theory techniques, the controller can keep outputs close to desired targets even when runtime conditions change unpredictably. Then, by changing these targets appropriately, Maya makes the power signal appear to carry activity information which, in reality, is unrelated to the program. Maya controllers can be implemented in privileged software or in simple hardware. In this paper, we implemented Maya on two multiprocessor machines using OS threads, and showed that it is very effective at falsifying application activity.

References

[1] [n. d.]. Power Profiles for Android. https://source.android.com/devices/tech/power/. Android Open Source Project.
[2] Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Callan, Alenka Zajic, and Milos Prvulovic. 2018. One&Done: A Single-Decryption EM-Based Attack on OpenSSL's Constant-Time Blinded RSA. In USENIX Security. USENIX Association, Baltimore, MD, 585–602. https://www.usenix.org/conference/usenixsecurity18/presentation/alam
[3] A. Althoff, J. McMahan, L. Vega, S. Davidson, T. Sherwood, M. Taylor, and R. Kastner. 2018. Hiding Intermittent Information Leakage with Architectural Support for Blinking. In ISCA. 638–649. https://doi.org/10.1109/ISCA.2018.00059
[4] ARM. [n. d.]. ARM Cortex-A15 Processor. https://www.arm.com/products/processors/cortex-a/cortex-a15.php.
[5] ARM. [n. d.]. ARM Cortex-A7 Processor. https://www.arm.com/products/processors/cortex-a/cortex-a7.php.
[6] ARM. 2009. ARM Security Technology: Building a Secure System using TrustZone Technology. http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GENC-009492C_trustzone_security_whitepaper.pdf.
[7] N. D. P. Avirneni and A. K. Somani. 2014. Countering Power Analysis Attacks Using Reliable and Aggressive Designs. IEEE Trans. Comput. 63, 6 (Jun 2014), 1408–1420. https://doi.org/10.1109/TC.2013.9
[8] K. Baddam and M. Zwolinski. 2007. Evaluation of Dynamic Voltage and Frequency Scaling as a Differential Power Analysis Countermeasure. In VLSID. 854–862. https://doi.org/10.1109/VLSID.2007.79
[9] Noah Beck, Sean White, Milam Paraschou, and Samuel Naffziger. 2018. "Zeppelin": An SoC for Multichip Architectures. In ISSCC.
[10] E. M. Benhani and L. Bossuet. 2018. DVFS as a Security Failure of TrustZone-enabled Heterogeneous SoC. In International Conference on Electronics, Circuits and Systems (ICECS). 489–492. https://doi.org/10.1109/ICECS.2018.8618038
[11] Christian Bienia, Sanjeev Kumar, Jaswinder Pal Singh, and Kai Li. 2008. The PARSEC Benchmark Suite: Characterization and Architectural Implications. In PACT.
[12] Sebanjila Kevin Bukasa, Ronan Lashermes, Hélène Le Bouder, Jean-Louis Lanet, and Axel Legay. 2018. How TrustZone Could Be Bypassed: Side-Channel Attacks on a Modern System-on-Chip. In Information Security Theory and Practice, Gerhard P. Hancke and Ernesto Damiani (Eds.). Springer International Publishing, Cham, 93–109.
[13] R. Callan, N. Popovic, A. Daruna, E. Pollmann, A. Zajic, and M. Prvulovic. 2015. Comparison of electromagnetic side-channel energy available to the attacker from different computer systems. In 2015 IEEE International Symposium on Electromagnetic Compatibility (EMC). 219–223. https://doi.org/10.1109/ISEMC.2015.7256162
[14] D. Das, S. Maity, S. B. Nasir, S. Ghosh, A. Raychowdhury, and S. Sen. 2017. High efficiency power side-channel attack immunity using noise injection in attenuated signature domain. In HOST. 62–67. https://doi.org/10.1109/HST.2017.7951799
[15] FFmpeg Developers. 2016. ffmpeg tool. http://ffmpeg.org/.
[16] Daniel Genkin, Lev Pachmanov, Itamar Pipman, Eran Tromer, and Yuval Yarom. 2016. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels. In CCS (CCS '16). ACM, New York, NY, USA, 1626–1638. https://doi.org/10.1145/2976749.2978353
[17] Daniel Genkin, Itamar Pipman, and Eran Tromer. 2014. Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks on PCs. In Proceedings of the 16th International Workshop on Cryptographic Hardware and Embedded Systems — CHES 2014 - Volume 8731. Springer-Verlag, Berlin, Heidelberg, 242–260. https://doi.org/10.1007/978-3-662-44709-3_14
[18] Da-Wei Gu, Petko H. Petkov, and Mihail M. Konstantinov. 2013. Robust Control Design with MATLAB (2nd ed.). Springer.
[19] H. Hlavacs, T. Treutner, J. Gelas, L. Lefevre, and A. Orgerie. 2011. Energy Consumption Side-Channel Attack at Virtual Machines in a Cloud. In International Conference on Dependable, Autonomic and Secure Computing. 605–612. https://doi.org/10.1109/DASC.2011.110
[20] Intel. 2017. Random Number Generator IP Core User Guide. https://www.intel.com/content/www/us/en/programmable/documentation/dmi1455632999173.html.
[21] John M. 2018. Intel Digital Random Number Generator (DRNG) Software Implementation Guide. https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide.
[22] Timo Kasper, David Oswald, and Christof Paar. 2009. EM Side-Channel Attacks on Commercial Contactless Smartcards Using Low-Cost Equipment. In Information Security Applications, Heung Youl Youm and Moti Yung (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 79–93.
[23] Paul Kocher, Joshua Jaffe, and Benjamin Jun. 1999. Differential power analysis. In Annual International Cryptology Conference. Springer, 388–397.
[24] Paul Kocher, Joshua Jaffe, Benjamin Jun, and Pankaj Rohatgi. 2011. Introduction to differential power analysis. Journal of Cryptographic Engineering 1, 1 (01 Apr 2011), 5–27. https://doi.org/10.1007/s13389-011-0006-y
[25] Daniel Lezcano. [n. d.]. Idle Injection. https://www.linuxplumbersconf.org/event/2/contributions/184/attachments/42/49/LPC2018_-_Thermal_-_Idle_injection_1.pdf. Linux Plumbers Conference, 2018.
[26] Pavel Lifshits, Roni Forte, Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein. 2018. Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices. PoPETs 2018, 4 (2018), 141–158. https://content.sciendo.com/view/journals/popets/2018/4/article-p141.xml
[27] Lennart Ljung. 1999. System Identification: Theory for the User (2 ed.). Prentice Hall PTR, Upper Saddle River, NJ, USA.
[28] Ramya Jayaram Masti, Devendra Rai, Aanjhan Ranganathan, Christian Müller, Lothar Thiele, and Srdjan Capkun. 2015. Thermal Covert Channels on Multi-core Platforms. In USENIX Security. USENIX Association, Washington, D.C., 865–880. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/masti
[29] MathWorks. [n. d.]. Find abrupt changes in signal. https://www.mathworks.com/help/signal/ref/findchangepts.html. Accessed: April, 2019.
[30] Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V. Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R. Savagaonkar. 2013. Innovative Instructions and Software Model for Isolated Execution. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP '13). ACM, New York, NY, USA, Article 10, 1 pages. https://doi.org/10.1145/2487726.2488368
[31] Yan Michalevsky, Aaron Schulman, Gunaa Arumugam Veerapandian, Dan Boneh, and Gabi Nakibly. 2015. PowerSpy: Location Tracking Using Mobile Device Power Analysis. In USENIX Security. USENIX Association, Washington, D.C., 785–800. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/michalevsky
[32] Srinivas Pandruvada. [n. d.]. Running Average Power Limit – RAPL. https://01.org/blogs/2014/running-average-power-limit--rapl. Published: June, 2014.
[33] Raghavendra Pradyumna Pothukuchi, Amin Ansari, Petros Voulgaris, and Josep Torrellas. 2016. Using Multiple Input, Multiple Output Formal Control to Maximize Resource Efficiency in Architectures. In ISCA.
[34] Girish B. Ratanpal, Ronald D. Williams, and Travis N. Blalock. 2004. An On-Chip Signal Suppression Countermeasure to Power Analysis Attacks. IEEE Trans. Dependable Secure Comput. 1, 3 (Jul 2004), 179–189. https://doi.org/10.1109/TDSC.2004.25
[35] D. Real, C. Canovas, J. Clediere, M. Drissi, and F. Valette. 2008. Defeating classical Hardware Countermeasures: a new processing for Side Channel Analysis. In DATE. 1274–1279. https://doi.org/10.1109/DATE.2008.4484854
[36] Efraim Rotem. 2015. Intel Architecture, Code Name Skylake Deep Dive: A New Architecture to Manage Power Performance and Energy Efficiency. Intel Developer Forum.
[37] E. Rotem, A. Naveh, D. Rajwan, A. Ananthakrishnan, and E. Weissmann. 2012. Power-Management Architecture of the Intel Microarchitecture Code-Named Sandy Bridge. MICRO 32, 2 (Mar 2012), 20–27. https://doi.org/10.1109/MM.2012.12
[38] H. Saputra, N. Vijaykrishnan, M. Kandemir, M. J. Irwin, R. Brooks, S. Kim, and W. Zhang. 2003. Masking the energy behavior of DES encryption [smart cards]. In DATE. 84–89. https://doi.org/10.1109/DATE.2003.1253591
[39] Falk Schellenberg, Dennis R. E. Gnad, Amir Moradi, and Mehdi B. Tahoori. 2018. Remote Inter-chip Power Analysis Side-channel Attacks at Board-level. In ICCAD (ICCAD '18). ACM, New York, NY, USA, Article 114, 7 pages. https://doi.org/10.1145/3240765.3240841
[40] Y. S. Shao and D. Brooks. 2013. Energy characterization and instruction-level energy model of Intel's Xeon Phi processor. In ISLPED. 389–394. https://doi.org/10.1109/ISLPED.2013.6629328
[41] Sigurd Skogestad and Ian Postlethwaite. 2005. Multivariable Feedback Control: Analysis and Design. John Wiley & Sons.
[42] K. Tiri and I. Verbauwhede. 2005. Design method for constant power consumption of differential logic circuits. In DATE. 628–633 Vol. 1. https://doi.org/10.1109/DATE.2005.113
[43] Z. Toprak-Deniz, M. Sperling, J. Bulzacchelli, G. Still, R. Kruse, Seongwon Kim, D. Boerstler, T. Gloekler, R. Robertazzi, K. Stawiasz, T. Diemoz, G. English, D. Hui, P. Muench, and J. Friedrich. 2014. 5.2 Distributed system of digitally controlled microregulators enabling per-core DVFS for the POWER8 microprocessor. In ISSCC. 98–99. https://doi.org/10.1109/ISSCC.2014.6757354
[44] Arjan van de Ven and Jacob Pan. [n. d.]. Intel Powerclamp Driver. https://www.kernel.org/doc/Documentation/thermal/intel_powerclamp.txt. Last modified: April, 2017.
[45] Evangelos Vasilakis. 2015. An instruction level energy characterization of ARM processors. https://www.ics.forth.gr/carv/greenvm/files/tr450.pdf.
[46] Xiao Wang, Quan Zhou, Jacob Harer, Gavin Brown, Shangran Qiu, Zhi Dou, John Wang, Alan Hinton, Carlos Aguayo Gonzalez, and Peter Chin. 2018. Deep learning-based classification and anomaly detection of side-channel signals. In Proc. SPIE 10630, Cyber Sensing. https://doi.org/10.1117/12.2311329
[47] S. Wei, A. Aysu, M. Orshansky, A. Gerstlauer, and M. Tiwari. 2019. Using Power-Anomalies to Counter Evasive Micro-Architectural Attacks in Embedded Systems.
In HOST . 111–120. hps://doi.org/10.1109/HST . 2019.8740838 [48] Xiph.org Video T est Media. [n. d.]. derf ’s collection. hps://media. xiph.org/ . [49] Lin Y an, Y ao Guo, Xiangqun Chen, and Hong Mei. 2015. A Study on Power Side Channels on Mobile Devices. In Pr oceedings of the 7th Asia-Pacic Symposium on Internetware (Internetware ’15) . ACM, New Y ork, NY, USA, 30–38. hps://doi.org/10.1145/2875913.2875934 [50] Jianwei Y ang, Fan Dai, Jielin W ang, Jianmin Zeng, Zhang Zhang, Jun Han, and Xiaoyang Zeng. 2018. Countering p ower analysis attacks by exploiting characteristics of multicore processors. IEICE Electronics Express advpub (2018). hps://doi.org/10.1587/elex.15.20180084 [51] Q. Y ang, P . Gasti, G. Zhou, A. Farajidavar , and K. S. Balagani. 2017. On Inferring Browsing Activity on Smartphones via USB Power Analysis Side-Channel. IEEE Trans. Inf. Forensics Security 12, 5 (may 2017), 1056–1066. hps://doi.org/10.1109/TIFS.2016.2639446 [52] Shengqi Y ang, Pallav Gupta, Marilyn W olf, Dimitrios Serpanos, Vi- jaykrishnan Narayanan, and Y uan Xie. 2012. Power Analysis Attack Resistance Engineering by Dynamic V oltage and Frequency Scaling. A CM Trans. Emb ed. Comput. Syst. 11, 3, Article 62 (sep 2012), 16 pages. hps://doi.org/10.1145/2345770.2345774 [53] Shengqi Y ang, W ayne W olf, Narayanan Vijaykrishnan, Dimitrios N. Serpanos, and Yuan Xie . 2005. Power attack resistant cryptosystem design: A dynamic voltage and frequency switching approach. In DA TE . IEEE, 64–69. [54] W eize Y u, Orhun Aras Uzun, and Selçuk Köse. 2015. Leveraging On- chip V oltage Regulators As a Countermeasure Against Side-channel Attacks. In DA C (DA C ’15) . ACM, New Y ork, N Y , USA, Article 115, 6 pages. hps://doi.org/10.1145/2744769.2744866 [55] Lu Zhang, Luis V ega, and Michael T aylor . 2016. Power Side Channels in Security ICs: Hardware Countermeasures. arXiv:cs.CR/1605.00681 [56] Y ongBin Zhou and DengGuo Feng. 2005. 
Side-Channel Attacks: T en Y ears After Its Publication and the Impacts on Cr yptographic Module Security T esting. hp://eprint.iacr .org/2005/388 zyb@is.iscas.ac.cn 13083 received 27 Oct 2005. 14