Efficient and Secure Group Key Management in IoT using Multistage Interconnected PUF

Secure group-oriented communication is crucial to a wide range of applications in Internet of Things (IoT). Security problems related to group-oriented communications in IoT-based applications placed in a privacy-sensitive environment have become a major concern along with the development of the technology. Unfortunately, many IoT devices are designed to be portable and light-weight; thus, their functionalities, including security modules, are heavily constrained by the limited energy resources (e.g., battery capacity). To address these problems, we propose a group key management scheme based on a novel physically unclonable function (PUF) design: multistage interconnected PUF (MIPUF) to secure group communications in an energy-constrained environment. Our design is capable of performing key management tasks such as key distribution, key storage and rekeying securely and efficiently. We show that our design is secure against multiple attack methods and our experimental results show that our design saves 47.33% of energy globally comparing to state-of-the-art Elliptic-curve cryptography (ECC)-based key management scheme on average.Comment: 6 pages, 4 figures, International Symposium on Low Power Electronics and Desig

Securing IT/OT Links for Low Power IIoT Devices:Design considerations for industry 4.0

Manufacturing is facing a host of new security challenges due to the convergence of information technology (IT) and operational technology (OT) in the industry. This article addresses the challenges that arise due to the use of low power Industrial Internet of Things (IIoT) devices in modular manufacturing systems of Industry 4.0. First, we analyze security challenges concerning the manufacturing execution system (MES) and programmable logic controllers (PLC) in IIoT through a selective literature review. Second, we present an exploratory case study to determine a protocol for cryptographic key management and key exchange suitable for the Smart Production Lab of Aalborg University (a learning cyber-physical factory). Finally, we combine the findings of the case study with a quality function deployment (QFD) method to determine design requirements for Industry 4.0. We identify specific requirements from both the high-level domain of factory capabilities and the low-level domain of cryptography and translate requirements between these domains using a QFD analysis. The recommendations for designing a secure smart factory focus on how security can be implemented for low power and low-cost IIoT devices. Even though there have been a few studies on securing IT to OT data exchange, we conclude that the field is not yet in a state where it can be applied in practice with confidence

Printed Electronics-Based Physically Unclonable Functions for Lightweight Security in the Internet of Things

Die moderne Gesellschaft strebt mehr denn je nach digitaler Konnektivität - überall und zu jeder Zeit - was zu Megatrends wie dem Internet der Dinge (Internet of Things, IoT) führt. Bereits heute kommunizieren und interagieren „Dinge“ autonom miteinander und werden in Netzwerken verwaltet. In Zukunft werden Menschen, Daten und Dinge miteinander verbunden sein, was auch als Internet von Allem (Internet of Everything, IoE) bezeichnet wird. Milliarden von Geräten werden in unserer täglichen Umgebung allgegenwärtig sein und über das Internet in Verbindung stehen. Als aufstrebende Technologie ist die gedruckte Elektronik (Printed Electronics, PE) ein Schlüsselelement für das IoE, indem sie neuartige Gerätetypen mit freien Formfaktoren, neuen Materialien auf einer Vielzahl von Substraten mit sich bringt, die flexibel, transparent und biologisch abbaubar sein können. Darüber hinaus ermöglicht PE neue Freiheitsgrade bei der Anpassbarkeit von Schaltkreisen sowie die kostengünstige und großflächige Herstellung am Einsatzort. Diese einzigartigen Eigenschaften von PE ergänzen herkömmliche Technologien auf Siliziumbasis. Additive Fertigungsprozesse ermöglichen die Realisierung von vielen zukunftsträchtigen Anwendungen wie intelligente Objekte, flexible Displays, Wearables im Gesundheitswesen, umweltfreundliche Elektronik, um einige zu nennen. Aus der Sicht des IoE ist die Integration und Verbindung von Milliarden heterogener Geräte und Systeme eine der größten zu lösenden Herausforderungen. Komplexe Hochleistungsgeräte interagieren mit hochspezialisierten, leichtgewichtigen elektronischen Geräten, wie z.B. Smartphones mit intelligenten Sensoren. Daten werden in der Regel kontinuierlich gemessen, gespeichert und mit benachbarten Geräten oder in der Cloud ausgetauscht. Dabei wirft die Fülle an gesammelten und verarbeiteten Daten Bedenken hinsichtlich des Datenschutzes und der Sicherheit auf. Herkömmliche kryptografische Operationen basieren typischerweise auf deterministischen Algorithmen, die eine hohe Schaltungs- und Systemkomplexität erfordern, was sie wiederum für viele leichtgewichtige Geräte ungeeignet macht. Es existieren viele Anwendungsbereiche, in denen keine komplexen kryptografischen Operationen erforderlich sind, wie z.B. bei der Geräteidentifikation und -authentifizierung. Dabei hängt das Sicherheitslevel hauptsächlich von der Qualität der Entropiequelle und der Vertrauenswürdigkeit der abgeleiteten Schlüssel ab. Statistische Eigenschaften wie die Einzigartigkeit (Uniqueness) der Schlüssel sind von großer Bedeutung, um einzelne Entitäten genau unterscheiden zu können. In den letzten Jahrzehnten hat die Hardware-intrinsische Sicherheit, insbesondere Physically Unclonable Functions (PUFs), eine große Strahlkraft hinsichtlich der Bereitstellung von Sicherheitsfunktionen für IoT-Geräte erlangt. PUFs verwenden ihre inhärenten Variationen, um gerätespezifische eindeutige Kennungen abzuleiten, die mit Fingerabdrücken in der Biometrie vergleichbar sind. Zu den größten Potenzialen dieser Technologie gehören die Verwendung einer echten Zufallsquelle, die Ableitung von Sicherheitsschlüsseln nach Bedarf sowie die inhärente Schlüsselspeicherung. In Kombination mit den einzigartigen Merkmalen der PE-Technologie werden neue Möglichkeiten eröffnet, um leichtgewichtige elektronische Geräte und Systeme abzusichern. Obwohl PE noch weit davon entfernt ist, so ausgereift und zuverlässig wie die Siliziumtechnologie zu sein, wird in dieser Arbeit gezeigt, dass PE-basierte PUFs vielversprechende Sicherheitsprimitiven für die Schlüsselgenerierung zur eindeutigen Geräteidentifikation im IoE sind. Dabei befasst sich diese Arbeit in erster Linie mit der Entwicklung, Untersuchung und Bewertung von PE-basierten PUFs, um Sicherheitsfunktionen für ressourcenbeschränkte gedruckte Geräte und Systeme bereitzustellen. Im ersten Beitrag dieser Arbeit stellen wir das skalierbare, auf gedruckter Elektronik basierende Differential Circuit PUF (DiffC-PUF) Design vor, um sichere Schlüssel für Sicherheitsanwendungen für ressourcenbeschränkte Geräte bereitzustellen. Die DiffC-PUF ist als hybride Systemarchitektur konzipiert, die siliziumbasierte und gedruckte Komponenten enthält. Es wird eine eingebettete PUF-Plattform entwickelt, um die Charakterisierung von siliziumbasierten und gedruckten PUF-Cores in großem Maßstab zu ermöglichen. Im zweiten Beitrag dieser Arbeit werden siliziumbasierte PUF-Cores auf Basis diskreter Komponenten hergestellt und statistische Tests unter realistischen Betriebsbedingungen durchgeführt. Eine umfassende experimentelle Analyse der PUF-Sicherheitsmetriken wird vorgestellt. Die Ergebnisse zeigen, dass die DiffC-PUF auf Siliziumbasis nahezu ideale Werte für die Uniqueness- und Reliability-Metriken aufweist. Darüber hinaus werden die Identifikationsfähigkeiten der DiffC-PUF untersucht, und es stellte sich heraus, dass zusätzliches Post-Processing die Identifizierbarkeit des Identifikationssystems weiter verbessern kann. Im dritten Beitrag dieser Arbeit wird zunächst ein Evaluierungsworkflow zur Simulation von DiffC-PUFs basierend auf gedruckter Elektronik vorgestellt, welche auch als Hybrid-PUFs bezeichnet werden. Hierbei wird eine Python-basierte Simulationsumgebung vorgestellt, welche es ermöglicht, die Eigenschaften und Variationen gedruckter PUF-Cores basierend auf Monte Carlo (MC) Simulationen zu untersuchen. Die Simulationsergebnisse zeigen, dass die Sicherheitsmetriken im besten Betriebspunkt nahezu ideal sind. Des Weiteren werden angefertigte PE-basierte PUF-Cores für statistische Tests unter verschiedenen Betriebsbedingungen, einschließlich Schwankungen der Umgebungstemperatur, der relativen Luftfeuchtigkeit und der Versorgungsspannung betrieben. Die experimentell bestimmten Resultate der Uniqueness-, Bit-Aliasing- und Uniformity-Metriken stimmen gut mit den Simulationsergebnissen überein. Der experimentell ermittelte durchschnittliche Reliability-Wert ist relativ niedrig, was durch die fehlende Passivierung und Einkapselung der gedruckten Transistoren erklärt werden kann. Die Untersuchung der Identifikationsfähigkeiten basierend auf den PUF-Responses zeigt, dass die Hybrid-PUF ohne zusätzliches Post-Processing nicht für kryptografische Anwendungen geeignet ist. Die Ergebnisse zeigen aber auch, dass sich die Hybrid-PUF zur Geräteidentifikation eignet. Der letzte Beitrag besteht darin, in die Perspektive eines Angreifers zu wechseln. Um die Sicherheitsfähigkeiten der Hybrid-PUF beurteilen zu können, wird eine umfassende Sicherheitsanalyse nach Art einer Kryptoanalyse durchgeführt. Die Analyse der Entropie der Hybrid-PUF zeigt, dass seine Anfälligkeit für Angriffe auf Modellbasis hauptsächlich von der eingesetzten Methode zur Generierung der PUF-Challenges abhängt. Darüber hinaus wird ein Angriffsmodell eingeführt, um die Leistung verschiedener mathematischer Klonangriffe auf der Grundlage von abgehörten Challenge-Response Pairs (CRPs) zu bewerten. Um die Hybrid-PUF zu klonen, wird ein Sortieralgorithmus eingeführt und mit häufig verwendeten Classifiers für überwachtes maschinelles Lernen (ML) verglichen, einschließlich logistischer Regression (LR), Random Forest (RF) sowie Multi-Layer Perceptron (MLP). Die Ergebnisse zeigen, dass die Hybrid-PUF anfällig für modellbasierte Angriffe ist. Der Sortieralgorithmus profitiert von kürzeren Trainingszeiten im Vergleich zu den ML-Algorithmen. Im Falle von fehlerhaft abgehörten CRPs übertreffen die ML-Algorithmen den Sortieralgorithmus

Future Internet of Things: Connecting the Unconnected World and Things Based on 5/6G Networks and Embedded Technologies

Undeniably, the Internet of Things (IoT) ecosystem keeps on advancing at a fast speed, far above all predictions for growth and ubiquity. From sensor to cloud, this massive network continues to break technical limits in a variety of ways, and wireless sensor nodes are likely to become more prevalent as the number of Internet of Things devices increases into the trillions to connect the world and unconnected objects. However, their future in the IoT ecosystem remains uncertain, as various difficulties as with device connectivity, edge artificial intelligence (AI), security and privacy concerns, increased energy demands, the right technologies to use, and continue to attract opposite forces. This chapter provides a brief, forward-looking overview of recent trends, difficulties, and cutting-edge solutions for low-end IoT devices that use reconfigurable computing technologies like FPGA SoC and next-generation 5/6G networks. Tomorrow’s IoT devices will play a critical role. At the end of this chapter, an edge FPGA SoC computing-based IoT application is proposed, to be a novel edge computing for IoT solution with low power consumption and accelerated processing capability in data exchange

Practical Lightweight Security: Physical Unclonable Functions and the Internet of Things

In this work, we examine whether Physical Unclonable Functions (PUFs) can act as lightweight security mechanisms for practical applications in the context of the Internet of Things (IoT). In order to do so, we first discuss what PUFs are, and note that memory-based PUFs seem to fit the best to the framework of the IoT. Then, we consider a number of relevant memory-based PUF designs and their properties, and evaluate their ability to provide security in nominal and adverse conditions. Finally, we present and assess a number of practical PUF-based security protocols for IoT devices and networks, in order to confirm that memory-based PUFs can indeed constitute adequate security mechanisms for the IoT, in a practical and lightweight fashion. More specifically, we first consider what may constitute a PUF, and we redefine PUFs as inanimate physical objects whose characteristics can be exploited in order to obtain a behaviour similar to a highly distinguishable (i.e., “(quite) unique”) mathematical function. We note that PUFs share many characteristics with biometrics, with the main difference being that PUFs are based on the characteristics of inanimate objects, while biometrics are based on the characteristics of humans and other living creatures. We also note that it cannot really be proven that PUFs are unique per instance, but they should be considered to be so, insofar as (human) biometrics are also considered to be unique per instance. We, then, proceed to discuss the role of PUFs as security mechanisms for the IoT, and we determine that memory-based PUFs are particularly suited for this function. We observe that the IoT nowadays consists of heterogeneous devices connected over diverse networks, which include both high-end and resource-constrained devices. Therefore, it is essential that a security solution for the IoT is not only effective, but also highly scalable, flexible, lightweight, and cost-efficient, in order to be considered as practical. To this end, we note that PUFs have been proposed as security mechanisms for the IoT in the related work, but the practicality of the relevant security mechanisms has not been sufficiently studied. We, therefore, examine a number of memory-based PUFs that are implemented using Commercial Off-The-Shelf (COTS) components, and assess their potential to serve as acceptable security mechanisms in the context of the IoT, not only in terms of effectiveness and cost, but also under both nominal and adverse conditions, such as ambient temperature and supply voltage variations, as well as in the presence of (ionising) radiation. In this way, we can determine whether memory-based PUFs are truly suitable to be used in the various application areas of the IoT, which may even involve particularly adverse environments, e.g., in IoT applications involving space modules and operations. Finally, we also explore the potential of memory-based PUFs to serve as adequate security mechanisms for the IoT in practice, by presenting and analysing a number of cryptographic protocols based on these PUFs. In particular, we study how memory-based PUFs can be used for key generation, as well as device identification, and authentication, their role as security mechanisms for current and next-generation IoT devices and networks, and their potential for applications in the space segment of the IoT and in other adverse environments. Additionally, this work also discusses how memory-based PUFs can be utilised for the implementation of lightweight reconfigurable PUFs that allow for advanced security applications. In this way, we are able to confirm that memory-based PUFs can indeed provide flexible, scalable, and efficient security solutions for the IoT, in a practical, lightweight, and inexpensive manner

Nano-intrinsic security primitives for internet of everything

With the advent of Internet-enabled electronic devices and mobile computer systems, maintaining data security is one of the most important challenges in modern civilization. The innovation of physically unclonable functions (PUFs) shows great potential for enabling low-cost low-power authentication, anti-counterfeiting and beyond on the semiconductor chips. This is because secrets in a PUF are hidden in the randomness of the physical properties of desirably identical devices, making it extremely difficult, if not impossible, to extract them. Hence, the basic idea of PUF is to take advantage of inevitable non-idealities in the physical domain to create a system that can provide an innovative way to secure device identities, sensitive information, and their communications. While the physical variation exists everywhere, various materials, systems, and technologies have been considered as the source of unpredictable physical device variation in large scales for generating security primitives. The purpose of this project is to develop emerging solid-state memory-based security primitives and examine their robustness as well as feasibility. Firstly, the author gives an extensive overview of PUFs. The rationality, classification, and application of PUF are discussed. To objectively compare the quality of PUFs, the author formulates important PUF properties and evaluation metrics. By reviewing previously proposed constructions ranging from conventional standard complementary metal-oxide-semiconductor (CMOS) components to emerging non-volatile memories, the quality of different PUFs classes are discussed and summarized. Through a comparative analysis, emerging non-volatile redox-based resistor memories (ReRAMs) have shown the potential as promising candidates for the next generation of low-cost, low-power, compact in size, and secure PUF. Next, the author presents novel approaches to build a PUF by utilizing concatenated two layers of ReRAM crossbar arrays. Upon concatenate two layers, the nonlinear structure is introduced, and this results in the improved uniformity and the avalanche characteristic of the proposed PUF. A group of cell readout method is employed, and it supports a massive pool of challenge-response pairs of the nonlinear ReRAM-based PUF. The non-linear PUF construction is experimentally assessed using the evaluation metrics, and the quality of randomness is verified using predictive analysis. Last but not least, random telegraph noise (RTN) is studied as a source of entropy for a true random number generation (TRNG). RTN is usually considered a disadvantageous feature in the conventional CMOS designs. However, in combination with appropriate readout scheme, RTN in ReRAM can be used as a novel technique to generate quality random numbers. The proposed differential readout-based design can maintain the quality of output by reducing the effect of the undesired noise from the whole system, while the controlling difficulty of the conventional readout method can be significantly reduced. This is advantageous as the differential readout circuit can embrace the resistance variation features of ReRAMs without extensive pre-calibration. The study in this thesis has the potential to enable the development of cost-efficient and lightweight security primitives that can be integrated into modern computer mobile systems and devices for providing a high level of security

Hardware security design from circuits to systems

The security of hardware implementations is of considerable importance, as even the most secure and carefully analyzed algorithms and protocols can be vulnerable in their hardware realization. For instance, numerous successful attacks have been presented against the Advanced Encryption Standard, which is approved for top secret information by the National Security Agency. There are numerous challenges for hardware security, ranging from critical power and resource constraints in sensor networks to scalability and automation for large Internet of Things (IoT) applications. The physically unclonable function (PUF) is a promising building block for hardware security, as it exposes a device-unique challenge-response behavior which depends on process variations in fabrication. It can be used in a variety of applications including random number generation, authentication, fingerprinting, and encryption. The primary concerns for PUF are reliability in presence of environmental variations, area and power overhead, and process-dependent randomness of the challenge-response behavior. Carbon nanotube field-effect transistors (CNFETs) have been shown to have excellent electrical and unique physical characteristics. They are a promising candidate to replace silicon transistors in future very large scale integration (VLSI) designs. We present the Carbon Nanotube PUF (CNPUF), which is the first PUF design that takes advantage of unique CNFET characteristics. CNPUF achieves higher reliability against environmental variations and increases the resistance against modeling attacks. Furthermore, CNPUF has a considerable power and energy reduction in comparison to previous ultra-low power PUF designs of 89.6% and 98%, respectively. Moreover, CNPUF allows a power-security tradeoff in an extended design, which can greatly increase the resilience against modeling attacks. Despite increasing focus on defenses against physical attacks, consistent security oriented design of embedded systems remains a challenge, as most formalizations and security models are concerned with isolated physical components or a high-level concept. Therefore, we build on existing work on hardware security and provide four contributions to system-oriented physical defense: (i) A system-level security model to overcome the chasm between secure components and requirements of high-level protocols; this enables synergy between component-oriented security formalizations and theoretically proven protocols. (ii) An analysis of current practices in PUF protocols using the proposed system-level security model; we identify significant issues and expose assumptions that require costly security techniques. (iii) A System-of-PUF (SoP) that utilizes the large PUF design-space to achieve security requirements with minimal resource utilization; SoP requires 64% less gate-equivalent units than recently published schemes. (iv) A multilevel authentication protocol based on SoP which is validated using our system-level security model and which overcomes current vulnerabilities. Furthermore, this protocol offers breach recognition and recovery. Unpredictability and reliability are core requirements of PUFs: unpredictability implies that an adversary cannot sufficiently predict future responses from previous observations. Reliability is important as it increases the reproducibility of PUF responses and hence allows validation of expected responses. However, advanced machine-learning algorithms have been shown to be a significant threat to the practical validity of PUFs, as they can accurately model PUF behavior. The most effective technique was shown to be the XOR-based combination of multiple PUFs, but as this approach drastically reduces reliability, it does not scale well against software-based machine-learning attacks. We analyze threats to PUF security and propose PolyPUF, a scalable and secure architecture to introduce polymorphic PUF behavior. This architecture significantly increases model-building resistivity while maintaining reliability. An extensive experimental evaluation and comparison demonstrate that the PolyPUF architecture can secure various PUF configurations and is the only evaluated approach to withstand highly complex neural network machine-learning attacks. Furthermore, we show that PolyPUF consumes less energy and has less implementation overhead in comparison to lightweight reference architectures. Emerging technologies such as the Internet of Things (IoT) heavily rely on hardware security for data and privacy protection. The outsourcing of integrated circuit (IC) fabrication introduces diverse threat vectors with different characteristics, such that the security of each device has unique focal points. Hardware Trojan horses (HTH) are a significant threat for IoT devices as they process security critical information with limited resources. HTH for information leakage are particularly difficult to detect as they have minimal footprint. Moreover, constantly increasing integration complexity requires automatic synthesis to maintain the pace of innovation. We introduce the first high-level synthesis (HLS) flow that produces a threat-targeted and security enhanced hardware design to prevent HTH injection by a malicious foundry. Through analysis of entropy loss and criticality decay, the presented algorithms implement highly resource-efficient targeted information dispersion. An obfuscation flow is introduced to camouflage the effects of dispersion and reduce the effectiveness of reverse engineering. A new metric for the combined security of the device is proposed, and dispersion and obfuscation are co-optimized to target user-supplied threat parameters under resource constraints. The flow is evaluated on existing HLS benchmarks and a new IoT-specific benchmark, and shows significant resource savings as well as adaptability. The IoT and cloud computing rely on strong confidence in security of confidential or highly privacy sensitive data. As (differential) power attacks can take advantage of side-channel leakage to expose device-internal secrets, side-channel leakage is a major concern with ongoing research focus. However, countermeasures typically require expert-level security knowledge for efficient application, which limits adaptation in the highly competitive and time-constrained IoT field. We address this need by presenting the first HLS flow with primary focus on side-channel leakage reduction. Minimal security annotation to the high-level C-code is sufficient to perform automatic analysis of security critical operations with corresponding insertion of countermeasures. Additionally, imbalanced branches are detected and corrected. For practicality, the flow can meet both resource and information leakage constraints. The presented flow is extensively evaluated on established HLS benchmarks and a general IoT benchmark. Under identical resource constraints, leakage is reduced between 32% and 72% compared to the baseline. Under leakage target, the constraints are achieved with 31% to 81% less resource overhead

Securing Critical Infrastructures

1noL'abstract è presente nell'allegato / the abstract is in the attachmentopen677. INGEGNERIA INFORMATInoopenCarelli, Albert

A multi-layer approach to designing secure systems: from circuit to software

In the last few years, security has become one of the key challenges in computing systems. Failures in the secure operations of these systems have led to massive information leaks and cyber-attacks. Case in point, the identity leaks from Equifax in 2016, Spectre and Meltdown attacks to Intel and AMD processors in 2017, Cyber-attacks on Facebook in 2018. These recent attacks have shown that the intruders attack different layers of the systems, from low-level hardware to software as a service(SaaS). To protect the systems, the defense mechanisms should confront the attacks in the different layers of the systems. In this work, we propose four security mechanisms for computing systems: (i ) using backside imaging to detect Hardware Trojans (HTs) in Application Specific Integrated Circuits (ASICs) chips, (ii ) developing energy-efficient reconfigurable cryptographic engines, (iii) examining the feasibility of malware detection using Hardware Performance Counters (HPC). Most of the threat models assume that the root of trust is the hardware running beneath the software stack. However, attackers can insert malicious hardware blocks, i.e. HTs, into the Integrated Circuits (ICs) that provide back-doors to the attackers or leak confidential information. HTs inserted during fabrication are extremely hard to detect since their overheads in performance and power are below the variations in the performance and power caused by manufacturing. In our work, we have developed an optical method that identifies modified or replaced gates in the ICs. We use the near-infrared light to image the ICs because silicon is transparent to near-infrared light and metal reflects infrared light. We leverage the near-infrared imaging to identify the locations of each gate, based on the signatures of metal structures reflected by the lowest metal layer. By comparing the imaged results to the pre-fabrication design, we can identify any modifications, shifts or replacements in the circuits to detect HTs. With the trust of the silicon, the computing system must use secure communication channels for its applications. The low-energy cost devices, such as the Internet of Things (IoT), leverage strong cryptographic algorithms (e.g. AES, RSA, and SHA) during communications. The cryptographic operations cause the IoT devices a significant amount of power. As a result, the power budget limits their applications. To mitigate the high power consumption, modern processors embed these cryptographic operations into hardware primitives. This also improves system performance. The hardware unit embedded into the processor provides high energy-efficiency, low energy cost. However, hardware implementations limit flexibility. The longevity of theIoTs can exceed the lifetime of the cryptographic algorithms. The replacement of the IoT devices is costly and sometimes prohibitive, e.g., monitors in nuclear reactors.In order to reconfigure cryptographic algorithms into hardware, we have developed a system with a reconfigurable encryption engine on the Zedboard platform. The hardware implementation of the engine ensures fast, energy-efficient cryptographic operations. With reliable hardware and secure communication channels in place, the computing systems should detect any malicious behaviors in the processes. We have explored the use of the Hardware Performance Counters (HPCs) in malware detection. HPCs are hardware units that count micro-architectural events, such as cache hits/misses and floating point operations. Anti-virus software is commonly used to detect malware but it also introduces performance overhead. To reduce anti-virus performance overhead, many researchers propose to use HPCs with machine learning models in malware detection. However, it is counter-intuitive that the high-level program behaviors can manifest themselves in low-level statics. We perform experiments using 2 ∼ 3 × larger program counts than the previous works and perform a rigorous analysis to determine whether HPCs can be used to detect malware. Our results show that the False Discovery Rate of malware detection can reach 20%. If we deploy this detection system on a fresh installed Windows 7 systems, among 1,323 binaries, 198 binaries would be flagged as malware