Hardware Vulnerabilities


Importance

- A device may be designed in the US but implemented abroad. How do we know whether something malicious was or was not added to the implementation?
- Some devices are designed and manufactured abroad!
- It is possible to design a backdoor into hardware
- Hardware, of course, is the bottom-level component of systems that are critical to telecommunications, health, the US economic system, and national defense
- Trying to find malicious behavior in hardware is a nightmare

Hardware Backdoor

- A hardware backdoor might be removed by replacing the hardware, or by reflashing the BIOS or the firmware of network devices, graphics processors, power management, etc.
- A hardware backdoor might just as easily be installed by reflashing the BIOS, etc.
- A hardware backdoor typically has full access to the device it runs on (forget about authorization)
- Hardware changes may be nearly impossible to detect
- It is possible to 'dope' transistors of a chip to change the behavior of a function
- This was done successfully to change the random number generator of Intel Ivy Bridge processors
- RNGs are the basis of encryption systems, and the changes above resulted in fixed output from the RNG!
- http://link.springer.com/chapter/10.1007%2F978-3-642-40349-1_12

Semiconductor Doping

- Doping is the process of adding impurities to silicon-based semiconductors to change or control their electrical properties
- Materials used to dope silicon include phosphorus, arsenic and antimony, which add 'free' electrons to the silicon, causing an 'outward' current flow (n-type), and boron, gallium, aluminum and indium, which leave fewer 'free' electrons, causing an 'inward' flow of current (p-type)
- A positive voltage on the gate creates an electric field and allows current to flow from source to drain when a positive voltage is applied from drain to source

Semiconductor Doping

- Here is what it looks like at the molecular level (figure)
- A cross section of a circuit looks something like this (figure)

Semiconductor Doping

- An inverter (left) is modified to always output VDD (right) (figure)
- Only the dopant masks are modified; the changes are not visible

Semiconductor Doping

- A schematic view (figure)

Semiconductor Doping: Against Intel's Secure Random Number Generator

- Design verified by Cryptography Research Inc.
- NIST SP 800-90, FIPS 140-2 and ANSI X9.82 compliant
- The modified (Trojan) design passes the built-in self test
- It generates random numbers that pass the NIST test suite for random numbers
- The built-in self test is only designed to report manufacturing defects, or operational defects that might occur after a period of time (aging)
- The built-in self test does not include tests for stuck-at faults at interconnects and output pins, and there are no test ports (said to improve security by leaving these out)

Semiconductor Doping

- Block diagram of the original design of the random number generator, showing placement of the dopant (figure)
- The Entropy Source generates random numbers
- The entropy of the random numbers is monitored by the OHT (online health test)
- Random numbers are input to the Conditioner, which sometimes reseeds the Rate Matcher for random bit generation at RdRand

Semiconductor Doping: Against Intel's Secure Random Number Generator

Reseeding (internal state c, K; new c, K are computed from the conditioner output s, t):
  c <- c + 1, x <- AES_K(c)
  c <- c + 1, y <- AES_K(c)
  K <- K xor x xor s        (s, t are the new seed from the conditioner)
  c <- c xor y xor t

Random number generated:
  r <- AES_K(c)

Attack:
- Dope the flip-flops of K so that K is always constant
- Dope 128 - n flip-flops of c so that c can only be one of 2^n numbers
- r then depends on only n random bits
- The output of AES appears random (large differences from one output to the next), but only a small number of distinct random numbers will ever be generated
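A Python model of the state machine on this slide, added here as an illustration; it is not code from the deck, from the cited paper or from Intel. AES_K is replaced by a SHA-256-based keyed PRF (an assumption, so it runs without extra packages), the per-output counter step and the names RateMatcher, trojaned, distinct_outputs and ones_fraction are the example's own. It shows why a bit-frequency statistic still looks fine while a distinct-output count exposes the 2^n ceiling.

```python
import hashlib

MASK128 = (1 << 128) - 1

def prf(key: int, block: int) -> int:
    """Stand-in for AES_K(block). Assumption: a keyed PRF built from SHA-256 and cut
    to 128 bits replaces AES so the example needs no extra packages; the Trojan
    exploits the (c, K) state machine, not the cipher."""
    data = (key & MASK128).to_bytes(16, "big") + (block & MASK128).to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

class RateMatcher:
    """Model of the rate matcher state (c, K) on the slide. key_mask / ctr_mask say
    which flip-flops can still change: all ones is the genuine chip, cleared bits
    model doped flip-flops stuck at 0."""

    def __init__(self, key_mask: int = MASK128, ctr_mask: int = MASK128):
        self.key_mask, self.ctr_mask = key_mask, ctr_mask
        self.K, self.c = 0, 0

    def reseed(self, s: int, t: int) -> None:
        """Reseeding step from the slide; s, t are the new seed words from the conditioner."""
        self.c = (self.c + 1) & self.ctr_mask
        x = prf(self.K, self.c)
        self.c = (self.c + 1) & self.ctr_mask
        y = prf(self.K, self.c)
        self.K = (self.K ^ x ^ s) & self.key_mask
        self.c = (self.c ^ y ^ t) & self.ctr_mask

    def generate(self) -> int:
        """One 128-bit output r = AES_K(c). Assumption: c steps before each output
        (CTR-DRBG style); the slide shows only r = AES_K(c)."""
        self.c = (self.c + 1) & self.ctr_mask
        return prf(self.K, self.c)

def trojaned(n: int) -> RateMatcher:
    """The slide's attack: every flip-flop of K doped to a constant and 128 - n
    flip-flops of c doped, so c ranges over 2^n values and r depends on n bits."""
    return RateMatcher(key_mask=0, ctr_mask=(1 << n) - 1)

def distinct_outputs(rm: RateMatcher, draws: int, seed: int = 12345) -> int:
    """Reseed once from constructed conditioner words, then count distinct outputs.
    This is the check that exposes the Trojan: a genuine state machine does not
    repeat within 'draws' outputs, the doped one cycles through at most 2^n."""
    rm.reseed(prf(seed, 1), prf(seed, 2))
    return len({rm.generate() for _ in range(draws)})

def ones_fraction(rm: RateMatcher, draws: int) -> float:
    """Share of 1 bits in the stream, the statistic a NIST frequency test looks at.
    It stays near 0.5 even for the doped chip, which is why built-in tests pass."""
    ones = sum(bin(rm.generate()).count("1") for _ in range(draws))
    return ones / (128 * draws)
```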

State of Being

- Budget cuts resulted in reduced funding for manufacturing and security validation
- This led to a decrease in orders from 'authorized' resellers (business partners of, e.g., Apple, licensed to sell products)
- Orders are now mainly given to Far East providers (cheaper)
- There are many designers and engineers associated with a product, and any one of them could insert malicious functionality supporting espionage or sabotage

Common Hardware Attacks

- Manufacturing backdoors, for malware or other penetrative purposes, including embedded radio-frequency identification (RFID) chips and memory
- Manufacturing backdoors for bypassing normal authentication systems
- Eavesdropping by gaining access to protected memory without opening other hardware
- Inducing faults, causing the interruption of normal behavior
- Hardware modification with invasive procedures, appliances, or jailbroken software
- Counterfeiting product assets, resulting in financial loss or malicious access

Also Hardware Side-Channel Attacks

- Timing
- Power analysis
- Electromagnetic (e.g. reading monitor content from its emissions)
- Fault induction (smartcards)

Products Affected

- Access Control (/access-control-hardware)
- Network Appliances (http://www.webopedia.com/quick_ref/network_appliance.asp; Sophos next-gen firewall: https://www.sophos.com/en-us/products/next-gen-firewall.aspx)
- Industrial Control Systems (SCADA, DCS): https://en.wikipedia.org/wiki/Industrial_control_system
- Surveillance Systems (5_6SurveillanceSystems_slides.ppt)
- Communication Infrastructure: RF, fibre, etc.

Hypothetical Attacks

Time Bomb
- An attacker might program a time-bomb backdoor into HDL code that automatically triggers the backdoor after a pre-determined fixed amount of time. A device could be forced to crash or operate maliciously after a determined number of clock cycles. An attacker could design a kill-switch function that could be undetectable by any validation method.

Cheat Codes
- An attacker might program backdoor triggers based on specific input data (called "cheat codes": secret data that an attacker uses to identify itself to the hardware backdoor logic). A cheat code must be unique to avoid being accidentally provided during validation tests. An attacker could provide a cheat code that sends a single data value containing the entire code (single-shot "cheat codes") or a large cheat code in multiple pieces (sequential "cheat codes").

Attack Motivation

Intellectual Property
- Clone hardware: steal the design
- Leak information: enable the design to be copied and then implemented elsewhere

Theft or Diversion of Service
- Redirect packets to another server, which may do anything from planting malicious code to delivering unwanted ads

Enter a System
- Bypass access controls to do anything from setting up command and control for future attacks, to gathering employee information with spam delivery in mind, to unlocking hidden features, to unlocking devices

History: Bombe

- Known-plaintext attack against Enigma cipher machines
- Dynamic mapping of keys to cipher characters
- The attack took advantage of:
  1. Poor operational control of the machine, especially in the field
     - An early training manual had example encryptions!
     - Many messages began with ANX ('to' with 'X' as spacer)
     - Only six plugboard leads were used
     - Some operators used 'HIT' 'LER' to set keys
     - Some operators used German obscenities to set keys
     - The same messages were sent by Enigma and by a second cipher
     - Lots more.
  2. The 'reflector' required that no key could map to itself
  3. Rotor notches were in different positions, so the wheel order could be determined by observing when the middle rotor was turned over by the rightmost rotor

History: Rowhammer Attack

- DRAM (memory) cells (mainly found in x86 computers) influence each other because they are densely packed
- Repeatedly accessing a given row of memory can cause bits in a neighboring row to flip
- On laptops manufactured from 2010-2014, involving five different DRAM vendors, 15 of 29 could be attacked successfully to escalate privilege and allow access to all physical memory; the bit flips were induced in page table entries
- Desktops were not vulnerable, as they used ECC DRAM

History: Thingbots (e.g. refrigerators) send spam

- Around 2014, 100,000 or so TVs, routers and refrigerators sent 750,000 spam messages
- A small number were sent from each IP address, which is hard to protect against
- "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them." (David Knight, Proofpoint)
- Smart power meters could be vulnerable: imagine power being turned off to all customers of a city at one time

History: Hardware Involved Software Attacks

- Forristal, Hardware Involved Software Attacks: ...tures/PDF/Forristal_Hardware_Involved_Software_Attacks.pdf
- See page 16 and following

Hardware Lifecycle Trust

- Malicious modifications to an IC should be detectable by pre-silicon verification/simulation and post-silicon testing
- But this requires a golden model of the entire IC, which might not be available, e.g. for IP designs from third-party vendors
- Anyway, verification is currently not practical for complex circuits
- Post-manufacturing logic testing doesn't work because the attacker builds the trigger on a rare circuit event to avoid detection

Classification of Hardware Trojans

- Combinationally triggered Trojan: a subclass of digitally triggered Trojans
- Occurrence of the condition A = 0, B = 0 at the trigger nodes A, B causes the payload node C to have an incorrect value at C_modified
- The attacker chooses a rare activation condition from low-controllability inputs, making the Trojan unlikely to trigger during manufacturing test

Classification of Hardware Trojans

- Sequentially triggered, synchronous Trojan (time bomb): a subclass of digitally triggered Trojans
- The trigger fires at a particular count of a circuit component that counts clock cycles
- The normal output ER is diverted to an XOR gate and controlled by the trigger output
- The idea is to trigger on a rare sequence of events

Classification of Hardware Trojans

- Sequentially triggered, asynchronous Trojan (time bomb): a subclass of digitally triggered Trojans
- The trigger fires at a particular count of a circuit component that counts
- But here it is p and q changing, so as to change the output of the AND gate on the left, that drives the count (rather than the clock)
- The idea is to trigger on a rare sequence of events

Classification of Hardware Trojans

- Hybrid triggered Trojan: a subclass of digitally triggered Trojans
- The trigger point depends on both synchronous and asynchronous counts
- Sequential Trojans are more challenging to detect using conventional test generation and application: activating them requires satisfying a sequence of rare conditions at internal circuit nodes
- That is an unmanageably large number of events for a logic testing approach

Classification of Hardware Trojans

- Analog triggered Trojan
- The trigger point depends on on-chip sensors
- In this example, the capacitor voltage rises and falls as the q1 and q2 values change. After a long time the voltage goes high enough to register a value in the XOR gate, triggering the Trojan

Classification of Hardware Trojans

- Analog triggered Trojan
- Triggered when high activity raises the chip temperature, which is sensed by the temperature sensor
- Note: by adding circuitry to raise the activity of the chip, an attacker also ages the chip faster; this is considered a form of attack in itself

Classification of Hardware Trojans

- Trojans can also be classified by their payload type
- Digital payload: can either affect the logic values at chosen internal payload nodes, or can modify the contents of memory locations
- Analog payload: can affect performance, power margin, noise margin, and other circuit meta-functions. Addition of a resistor to the circuit on the left causes a bridging fault (two signals connected when they should be isolated); addition of a capacitor on the right causes a delay in signal transmission

Trojan Detection

- A taxonomy of hardware Trojans is helpful because there is no one technique that is effective on all Trojan types.

Trojan Detection: Destructive detection

- A sample of the manufactured ICs is subjected to de-metallization using Chemical Mechanical Polishing (CMP), followed by Scanning Electron Microscope (SEM) image reconstruction and analysis
- Very expensive; does not scale well with circuit complexity
- May take as long as several months
- Can only be applied to a small sample of the chips
- An attacker may infect only a portion of the manufactured chips, hence the ones selected for testing may not be infected, and the test cannot validate trust

Trojan Detection: Non-destructive, invasive, for prevention

- Objective: prevent Trojan insertion during design or fabrication of the IC
- Trojan insertion requires "dead space" for the attacker to add circuitry; the attacker cannot increase the die area
- But an attacker with knowledge of the netlist may be able to redesign optimally to make some space
- Design technique: obfuscate the original design to make it harder for the attacker to determine its functionality
- Without complete knowledge of the functionality, the attacker cannot be sure enough that added circuitry will not be detected by functional testing, or that it will eventually be triggered

Trojan Detection: Non-destructive, invasive, for prevention

- Objective: prevent Trojan insertion during design or fabrication of the IC
- Design technique: enable a transparency mode
- Execute on probably-rare events, create execution signatures from the primary outputs, and compare them against expected signatures

Trojan Detection: Non-destructive detection

- Side-channel signals (timing and power)
- Trojans typically degrade performance, change power characteristics, or introduce reliability problems in the chip
- This influences the power and/or delay characteristics of wires and gates in the affected circuit
- Power-based side-channel signals provide visibility of the internal structure and activities within the IC, enabling detection of Trojans without fully activating them
- Timing-based side channels can detect a Trojan's presence if the chip is tested using efficient delay tests that are sensitive to small changes in the circuit delay along the affected paths and that can effectively differentiate Trojans from process variations

Trojan Detection: Non-destructive detection

- Side-channel signals (power)
- Assume the attacker inserts the Trojan randomly in some chips
- A "Golden Die" is created and measurements are taken (right, figure)
- A "minimum" curve for Trojan-free dies is developed (solid line)
- A chip operating below the solid line is assumed to be hacked
- This test can be done for all chips and does not require too much time

Trojan Detection: Non-destructive detection

- Side-channel signals (timing)
- A shadow register measures register-to-register path delays
- CLK2 is synced to CLK1 but at a controlled phase offset
- The results latched by the destination register and the shadow register are compared during every clock period
- If the comparison is unequal, the path delay is suspect
- Note this is a runtime test AND a manufacturer's test

Trojan Detection: Non-destructive, non-invasive, for detection

- Objective: compare the properties of a given IC with the properties of the "Golden" IC instance or a "Golden" functional model
- Detect at runtime:
  - Previous slide
  - Add circuitry to enable real-time functional monitoring; countermeasures can be executed if checks fail
  - Monitor bus behavior and report malfeasance
  - Run multiple instances of functionally identical code on many CPU cores, compare and evaluate the outputs
  - Change the operating system to make functional checks on the hardware

Trojan Detection: Non-destructive, non-invasive, for detection

- Objective: compare the properties of a given IC with the properties of the "Golden" IC instance or a "Golden" functional model
- Detect before deployment:
  - Requires much performance and power overhead
  - But is capable of 100% confidence
  - Trying all test vectors is infeasible, so statistical methods are used
  - Give higher probabilities to test vectors that trigger rare events multiple times (see next slide for results)
- Examples:
  - Two and three slides back
  - Generate power and timing statistics on "good" chips; compare during testing of manufactured chips

Trojan Detection: Non-destructive, non-invasive, for detection

- Logic testing for hardware Trojan detection (figure)
- N: the number of times a rare point satisfies its rare value
- C3540: 451 gates, 1011 possible Trojan payload nodes
- 4 trigger nodes (internal interconnects), single payload node.
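A Python gate-level model, added here as an example and not taken from the slides or from any cited paper, that ties the combinationally triggered Trojan of the classification slides (trigger A = 0, B = 0, payload C) to the rare-event logic-testing idea on this slide. The 32-input circuit, the rare nodes A, B, E, F and the function names are all constructed for the example; it contrasts random test vectors with vectors that justify pairs of rare node values at once.

```python
import random
from itertools import combinations

N_IN = 32  # primary inputs of the constructed circuit, read as four 8-bit bytes

def byte(v: int, i: int) -> int:
    return (v >> (8 * i)) & 0xFF

# Rare internal nodes of the constructed netlist (names and gates are assumptions for
# the example). Entry: (node value for input v, justification that forces the rare
# value 0 by fixing one byte of the inputs). Each rare value needs a whole byte at a
# fixed pattern, so P(rare value) = 2^-8 per node under random inputs.
RARE = {
    "A": (lambda v: 0 if byte(v, 0) == 0xFF else 1, lambda v: v | 0xFF),          # NAND(in0..7)
    "B": (lambda v: 0 if byte(v, 1) == 0x00 else 1, lambda v: v & ~(0xFF << 8)),   # OR(in8..15)
    "E": (lambda v: 0 if byte(v, 2) == 0xFF else 1, lambda v: v | (0xFF << 16)),   # NAND(in16..23)
    "F": (lambda v: 0 if byte(v, 3) == 0x00 else 1, lambda v: v & ~(0xFF << 24)),  # OR(in24..31)
}

def circuit(v: int, trojan: bool) -> int:
    """Primary output: parity of the inputs (the golden function). With the Trojan
    inserted, the slide's combinational trigger A = 0, B = 0 is XORed into payload
    node C, so the output is wrong exactly when both rare conditions hold at once
    (P = 2^-16 per random vector)."""
    out = bin(v).count("1") & 1
    if trojan and RARE["A"][0](v) == 0 and RARE["B"][0](v) == 0:
        out ^= 1
    return out

def detections(vectors) -> int:
    """Number of test vectors on which the golden model and the Trojan chip disagree."""
    return sum(circuit(v, False) != circuit(v, True) for v in vectors)

def random_vectors(n: int, seed: int = 7) -> list:
    """Conventional random test vectors, as a manufacturing test would apply."""
    rng = random.Random(seed)
    return [rng.getrandbits(N_IN) for _ in range(n)]

def rare_aware_vectors(per_pair: int, seed: int = 7) -> list:
    """Rare-event directed test set: for every pair of rare nodes, per_pair vectors
    that justify both rare values at once, with the other inputs random. A trigger
    built from any two rare nodes is then hit deterministically instead of at 2^-16
    per vector; this is the idea of favouring vectors that satisfy rare values."""
    rng = random.Random(seed)
    vectors = []
    for x, y in combinations(RARE, 2):
        for _ in range(per_pair):
            v = rng.getrandbits(N_IN)
            vectors.append(RARE[y][1](RARE[x][1](v)))
    return vectors
```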

Trojan Detection: Non-destructive, non-invasive, for detection

- A region: a portion of the layout that receives the majority of its power from the surrounding power ports (Trojans here?)
- Regions are identified to establish likely Trojan insertion points
- New test patterns concentrating on the identified regions are applied to magnify the disparity between the original and any Trojan-inserted circuits; power signatures are recorded and compared to the "Golden" results
- Where indecisive results are obtained, additional test patterns are devised, so there is an incremental increase in the total number of vectors needed until satisfactory confidence is achieved

Trojan Detection: Comparison

              Logic Testing                          Side-Channel
  Good        Effective for small Trojans            Effective for large Trojans
              Robust under process noise             Test generation is easy
  Bad         Test generation is complex             Vulnerable to process noise
              Large Trojan detection is challenging  Small Trojan detection is challenging
