Practical operation extraction from electromagnetic leakage for side-channel analysis and reverse engineering

Pieter Robyns, Mariano Di Martino, Dennis Giese, W. Lamotte, P. Quax, G. Noubir
DOI: 10.1145/3395351.3399362 (https://doi.org/10.1145/3395351.3399362)
Published in: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks
Publication date: 2020-07-08
Record source: Semantic Scholar
Citation count: 7

Abstract

Determining which operations are being executed by a black-box device is an important challenge to tackle in reverse engineering. Furthermore, in order to perform a successful side-channel analysis (SCA) of said operations, their precise timing must be determined. In this paper, we tackle these two challenges in the context of an electromagnetic (EM) analysis of a NodeMCU Amica IoT device. More specifically, we propose a convolutional neural network (CNN) architecture that is designed to classify operations performed by the NodeMCU out of a set of 8 possible operations, namely OpenSSL AES, native AES, TinyAES, OpenSSL DES, SHA1-PRF, HMAC-SHA1, SHA1, and SHA1Transform. In addition, we use the same architecture to predict the start and end times of the operation, thereby removing the need for firmware modifications or manual triggers in SCA. Our approach is evaluated using a 66 GB dataset containing 69,632 complex traces of EM leakage, captured with a USRP B210 software-defined radio. The best variant of our methodology achieves a classification accuracy of 96.47%, and is able to predict the start and end times of the operation within 34 µs of the ground truth on average. We compare our methodology to classical template matching, and provide our open-source implementation and datasets to the community so that the achieved results can be reproduced.