Towards Detection Of Modified Firmware On Solid State Drives Via Side Channel Analysis

Modern embedded devices are getting cheaper, easier to produce, and smarter. These smarter devices are able to store and process data locally at a scale that would have been infeasible until recent years. Functions that used to be performed on more powerful, dedicated systems and servers with security features are now being pushed to these unsecured commercial embedded devices. In the Internet of Things (IoT) space, this problem is manifesting itself with almost daily reports of compromise of network-connected embedded systems. While IoT device insecurity makes for attention-grabbing headlines, there are entire classes of embedded devices which do not have direct Internet connectivity for which security is still vitally important.One such class of systems are Solid State Drives (SSDs). Whereas once the bulk of computer data was stored on simpler, mechanical Hard Disk Drives (HDDs), SSDs now offer the best speed and latency performance on the market. These performance improvements are partly due to architectural and design advancements, but also to smart on-board controllers that optimize drive operations. SSD manufacturers are now responsible not only for performance but for security as well, since the complex firmware that controls these smart drives presents vectors for attack beyond what was possible with mechanical HDD firmware. If an attacker were able to alter or replace the firmware on an SSD, the potential damage could be severe. To make matters worse, the visibility of installed firmware on SSDs is intentionally restricted by manufacturers to protect intellectual property.In this work, we make source code modifications to an open source SSD development board firmware and demonstrate an automated method for discriminating the modified version from the authentic firmware using side channel analysis of observed current draw. Using cross-validation with Quadratic Discriminant Analysis and Principal Component Analysis, we are able to confirm whether firmware contains our modification with 95% certainty. This work shows that despite the lack of readily available tools for detecting malicious behavior, there are perhaps steps that customers can take to have reasonable assurance that their SSD firmware is genuine.