ProbeShooter: A New Practical Approach for Probe Aiming

Daehyeon Bae; Sujin Park; Minsig Choi; Young Giu Jung; Changmin Jeong; Heeseok Kim; Seokhie Hong

doi:10.1145/3708821.3710815

ProbeShooter: A New Practical Approach for Probe Aiming

Daehyeon Bae
, Sujin Park
, Minsig Choi
, Young Giu Jung
, Changmin Jeong
, Heeseok Kim^*
, Seokhie Hong^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Electromagnetic side-channel analysis is a powerful method for monitoring processor activity and compromising cryptographic systems in air-gapped environments. As analytical methodologies and target devices evolve, the importance of leakage localization and probe aiming becomes increasingly apparent for capturing only the desired signals with a high signal-to-noise ratio. Despite its importance, there remains substantial reliance on unreliable heuristic approaches and inefficient exhaustive searches. Furthermore, related studies often fall short in terms of feasibility, practicality, and performance, and are limited to controlled DUTs and low-end MCUs. To address the limitations and inefficiencies of the previous approaches, we propose a novel methodology - ProbeShooter - for leakage localization and probe aiming. This approach leverages new insights into the spatial characteristics of amplitude modulation and intermodulation distortion in processors. As a result, ProbeShooter provides substantial improvements in various aspects: 1) it is applicable to not only simple MCUs but also complex SoCs, 2) it effectively handles multi-core systems and dynamic frequency scaling, 3) it is adoptable to uncontrollable DUTs, making it viable for constrained real-world attacks, and 4) it performs significantly faster than previous methods. To demonstrate this, we experimentally evaluate ProbeShooter on a high-end MCU (the NXP i. MX RT1061 featuring a single ARM Cortex-M7 core) and a complex SoC (the Broadcom BCM2711 equipped with the Raspberry Pi 4 Model B, featuring four ARM Cortex-A72 cores).

Original language	English
Title of host publication	ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1158-1174
Number of pages	17
ISBN (Electronic)	9798400714108
DOIs	https://doi.org/10.1145/3708821.3710815
Publication status	Published - 2025 Aug 24
Event	20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025 - Hanoi, Viet Nam Duration: 2025 Aug 25 → 2025 Aug 29

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025
Country/Territory	Viet Nam
City	Hanoi
Period	25/8/25 → 25/8/29

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Keywords

Cartography
Electromagnetic side-channel analysis
Hardware security
Leakage localization

ASJC Scopus subject areas

Software
Computer Networks and Communications

Access to Document

10.1145/3708821.3710815

Cite this

Bae, D., Park, S., Choi, M., Jung, Y. G., Jeong, C., Kim, H., & Hong, S. (2025). ProbeShooter: A New Practical Approach for Probe Aiming. In ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security (pp. 1158-1174). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3708821.3710815

ProbeShooter: A New Practical Approach for Probe Aiming. / Bae, Daehyeon; Park, Sujin; Choi, Minsig et al.
ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Association for Computing Machinery, 2025. p. 1158-1174 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bae, D, Park, S, Choi, M, Jung, YG, Jeong, C, Kim, H & Hong, S 2025, ProbeShooter: A New Practical Approach for Probe Aiming. in ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1158-1174, 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025, Hanoi, Viet Nam, 25/8/25. https://doi.org/10.1145/3708821.3710815

Bae D, Park S, Choi M, Jung YG, Jeong C, Kim H et al. ProbeShooter: A New Practical Approach for Probe Aiming. In ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security. Association for Computing Machinery. 2025. p. 1158-1174. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3708821.3710815

@inproceedings{6030067634514d0284a469d601869a8a,

title = "ProbeShooter: A New Practical Approach for Probe Aiming",

abstract = "Electromagnetic side-channel analysis is a powerful method for monitoring processor activity and compromising cryptographic systems in air-gapped environments. As analytical methodologies and target devices evolve, the importance of leakage localization and probe aiming becomes increasingly apparent for capturing only the desired signals with a high signal-to-noise ratio. Despite its importance, there remains substantial reliance on unreliable heuristic approaches and inefficient exhaustive searches. Furthermore, related studies often fall short in terms of feasibility, practicality, and performance, and are limited to controlled DUTs and low-end MCUs. To address the limitations and inefficiencies of the previous approaches, we propose a novel methodology - ProbeShooter - for leakage localization and probe aiming. This approach leverages new insights into the spatial characteristics of amplitude modulation and intermodulation distortion in processors. As a result, ProbeShooter provides substantial improvements in various aspects: 1) it is applicable to not only simple MCUs but also complex SoCs, 2) it effectively handles multi-core systems and dynamic frequency scaling, 3) it is adoptable to uncontrollable DUTs, making it viable for constrained real-world attacks, and 4) it performs significantly faster than previous methods. To demonstrate this, we experimentally evaluate ProbeShooter on a high-end MCU (the NXP i. MX RT1061 featuring a single ARM Cortex-M7 core) and a complex SoC (the Broadcom BCM2711 equipped with the Raspberry Pi 4 Model B, featuring four ARM Cortex-A72 cores).",

keywords = "Cartography, Electromagnetic side-channel analysis, Hardware security, Leakage localization",

author = "Daehyeon Bae and Sujin Park and Minsig Choi and Jung, \{Young Giu\} and Changmin Jeong and Heeseok Kim and Seokhie Hong",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025 ; Conference date: 25-08-2025 Through 29-08-2025",

year = "2025",

month = aug,

day = "24",

doi = "10.1145/3708821.3710815",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1158--1174",

booktitle = "ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security",

}

TY - GEN

T1 - ProbeShooter

T2 - 20th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2025

AU - Bae, Daehyeon

AU - Park, Sujin

AU - Choi, Minsig

AU - Jung, Young Giu

AU - Jeong, Changmin

AU - Kim, Heeseok

AU - Hong, Seokhie

PY - 2025/8/24

Y1 - 2025/8/24

N2 - Electromagnetic side-channel analysis is a powerful method for monitoring processor activity and compromising cryptographic systems in air-gapped environments. As analytical methodologies and target devices evolve, the importance of leakage localization and probe aiming becomes increasingly apparent for capturing only the desired signals with a high signal-to-noise ratio. Despite its importance, there remains substantial reliance on unreliable heuristic approaches and inefficient exhaustive searches. Furthermore, related studies often fall short in terms of feasibility, practicality, and performance, and are limited to controlled DUTs and low-end MCUs. To address the limitations and inefficiencies of the previous approaches, we propose a novel methodology - ProbeShooter - for leakage localization and probe aiming. This approach leverages new insights into the spatial characteristics of amplitude modulation and intermodulation distortion in processors. As a result, ProbeShooter provides substantial improvements in various aspects: 1) it is applicable to not only simple MCUs but also complex SoCs, 2) it effectively handles multi-core systems and dynamic frequency scaling, 3) it is adoptable to uncontrollable DUTs, making it viable for constrained real-world attacks, and 4) it performs significantly faster than previous methods. To demonstrate this, we experimentally evaluate ProbeShooter on a high-end MCU (the NXP i. MX RT1061 featuring a single ARM Cortex-M7 core) and a complex SoC (the Broadcom BCM2711 equipped with the Raspberry Pi 4 Model B, featuring four ARM Cortex-A72 cores).

AB - Electromagnetic side-channel analysis is a powerful method for monitoring processor activity and compromising cryptographic systems in air-gapped environments. As analytical methodologies and target devices evolve, the importance of leakage localization and probe aiming becomes increasingly apparent for capturing only the desired signals with a high signal-to-noise ratio. Despite its importance, there remains substantial reliance on unreliable heuristic approaches and inefficient exhaustive searches. Furthermore, related studies often fall short in terms of feasibility, practicality, and performance, and are limited to controlled DUTs and low-end MCUs. To address the limitations and inefficiencies of the previous approaches, we propose a novel methodology - ProbeShooter - for leakage localization and probe aiming. This approach leverages new insights into the spatial characteristics of amplitude modulation and intermodulation distortion in processors. As a result, ProbeShooter provides substantial improvements in various aspects: 1) it is applicable to not only simple MCUs but also complex SoCs, 2) it effectively handles multi-core systems and dynamic frequency scaling, 3) it is adoptable to uncontrollable DUTs, making it viable for constrained real-world attacks, and 4) it performs significantly faster than previous methods. To demonstrate this, we experimentally evaluate ProbeShooter on a high-end MCU (the NXP i. MX RT1061 featuring a single ARM Cortex-M7 core) and a complex SoC (the Broadcom BCM2711 equipped with the Raspberry Pi 4 Model B, featuring four ARM Cortex-A72 cores).

KW - Cartography

KW - Electromagnetic side-channel analysis

KW - Hardware security

KW - Leakage localization

UR - https://www.scopus.com/pages/publications/105015985239

U2 - 10.1145/3708821.3710815

DO - 10.1145/3708821.3710815

M3 - Conference contribution

AN - SCOPUS:105015985239

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1158

EP - 1174

BT - ACM ASIA CCS 2025 - Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 25 August 2025 through 29 August 2025

ER -

ProbeShooter: A New Practical Approach for Probe Aiming

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this