TATER: Tamper Analysis via Transient Electromagnetic Response

TATER will be a tamper analysis system for monitoring deterministic programs and detecting unauthorized modifications by collecting and comparing electromagnetic emanations from the target processor. Its declared purpose is to prevent changes from being made to IOT devices.

Background
Sometimes, it is impractical to physically modify a system in order to monitor it. The goal of TATER is to assess whether the code of a system has been changed without actually modifying the system it is monitoring, using electromagnetic signals emanating from the processor.

Specifications
Our product should not require modification of the target system. It should be sensitive enough to detect relatively small changes in the boot code but flexible enough to allow multiple configurations. It should be possible to update the monitoring system to continue correctly characterizing the boot code if it is updated. Analysis should take no longer than a couple of minutes.

Alternatives and Decisions
We considered using an FPGA to process signals, but ultimately decided that the best choice for research and development purposes would be to use Linux on a laptop. This is a diagram of our setup design:



Our strategy is to design an antenna to pick up electromagnetic signals emanating from a processor and analyze peaks in the frequency compared with an established baseline to identify modifications in the boot code. Various statistical analysis techniques may be of use in pursuing this goal.

Antenna Design
We are still considering alternatives for the final antenna design. One of the top candidates at this point is a ferrite rod. The other likely option is a patch antenna.

Algorithm Design
We are planning to use cross correlation to align our waveform sequences, which will also allow us to compare how similar the sequences are in regards to location of peaks and time in between. In addition to using cross correlation, we also intend to compare the amplitude of the corresponding peaks found using cross correlation.

Implementation and Testing
So far, we have been using a probe and an oscilloscope to collect readings from the target processor. Initial results indicate that the easiest instructions to identify are loads, stores, and port accesses.

Test Results
To the left is an example of signals captured by an oscilloscope. To the right is a graph showing the difference between specific instructions and a NOP instruction.

Meeting Minutes






























Presentations and Monthly Status Reports