breakthrough silicon scanning discovers backdoor in
play

Breakthrough silicon scanning discovers backdoor in military chip - PowerPoint PPT Presentation

Aug 27, 2023 •139 likes •353 views

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

  1. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods http://www.cl.cam.ac.uk/~sps32 http://www.quovadislabs.com email: sps32@cam.ac.uk email: chris@quovadislabs.com

  2. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Introduction • Many semiconductor devices are vulnerable to attacks – theft of service – gaining access to information (IP, data, ID) – cloning and overbuilding – denial of service • How secure is the design? – What security features are implemented? – Who has access to the design? – How easy is it to modify the design or add extra capabilities? – How is the integrity of the design verified? • Hardware security challenges – keys and passwords storage – get design engineers educated on security – developing countermeasures – patching the holes 2

  3. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Introduction • Hardware Assurance (HWA) concerns – ensuring hardware has not been manipulated – industry dependence on limited fabs and design templates • Trojans and backdoors – production outside of chip manufacturers' control – most devices are produced in Asia – recognised problem but no ultimate solution in place • Cloned or counterfeit parts – verify design integrity – identify the source of production – test quickly in assembly line before use • Research with responsible disclosure of findings – prevents dishonest exploitation of security vulnerabilities – allows chip manufacturers to implement countermeasures 3

  4. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Trojan, Backdoor or Feature? • Trojans are normally introduced by adversaries – post design insertion but before production – modifying production masks at chip foundry • Backdoors are expected to be introduced by contractors – third party libraries and designs – design engineer – deliberate insertion made by the design house • Undocumented features are inserted by many chip vendors – used for factory testing and debugging • Outsider attacker cannot distinguish between those options – analyses the device as a black box – usually very limited information is provided about low-level features – some form of reverse engineering is usually required – “backdoor – an undocumented way to get access to a computer system or the data it contains” 4

  5. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Find ideal research target • Requirements – available samples and development tools without restrictions – high security specifications by manufacturer – use in military and critical infrastructure – FPGA vs microcontroller – SRAM FPGAs offer low security, tougher challenge for Flash FPGA • ´Highly secure´ Actel/Microsemi ProASIC3 Flash FPGAs – “offer one of the highest levels of design security in the industry” – “having inherent resistance to both invasive and noninvasive attacks on valuable IP” – used in military applications according to the manufacturer – used in sensitive industrial applications • automotive, avionics and space industry • medical equipment • power plants • critical infrastructure 5

  6. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Actel/Microsemi Flash FPGA • ProASIC3 Flash-based A3P250 FPGA – FPGA Array, user FROM, user UROW, AES key, Passkey, configuration fuses – JTAG interface to configure the chip – 0.13μm process with 7 metal layers – “ The contents of a programmed ProASIC3 device cannot be read back, although secure design verification is possible. ” • Access via JTAG interface – no documentation available on JTAG commands – development kits and tools are available – STAPL programming file is generated by design software – bitstream configuration commands: Erase, Write, Verify 6

  7. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Experimental setup • A3P250 chip in ZIF test socket on a test board • control board with 40MIPS PIC24 microcontroller • DPA analysis setup with A3P250 chip in test socket, 20Ω resistor in V CC and 1130A differential probe • Agilent MSO8104A oscilloscope and Matlab software for analysis of acquired power traces 7

  8. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Results • Power analysis on different JTAG operations – high noise in the power traces (SNR of –20dB) – long averaging is required to distinguish single bit of data (Av=4096) – AES 128-bit key extraction takes over an hour to succeed 8

  9. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Results • Simple power analysis to distinguish between commands – high noise in the power traces and no specific bandwidth to filter • AES vs Passkey (bitstream encryption and user access) • Array verify vs FROM reading • Additional hidden functions were found, but their unlocking required a key with similar to passkey protection • DPA attack on passkey with off-the-shelf equipment would require hundreds of years to succeed 9

  10. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Results • Scanning JTAG for command space – find depth of DR registers associated with each command – test if those DR registers can be amended • Analysing STAPL programming file from design software – hints on unused spaces 10

  11. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Improvements • New side-channel analysis technique which proved to be effective for AES key extraction from ProASIC3 devices – down to 0.01 second time vs over 1 hour with off-the-shelf DPA – S. Skorobogatov, C. Woods: In the blink of an eye: There goes your AES key. IACR Cryptology ePrint Archive, Report 2012/296, 2012. http://eprint.iacr.org/2012/296 • Pipeline emission analysis (PEA) technique improves SCA – dedicated hardware rather than off-the-shelf equipment – lower noise, higher precision, low latency, fast processing 11

  12. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Experimental setup • Same ProASIC3 A3P250 chip on the test board • Dedicated hardware for waveform analysis using patented PEA technique – same measurement resistor in V CC core supply line – analog waveform conditioning and pre-processing before the ADC – cost of components below $100 USD 12

  13. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Results • For both backdoor key and passkey the extraction time of 32 hours was achieved compared to estimated 2000 years required with an off-the-shelf DPA setup • Backdoor key unlocks additional undocumented functionality (factory test and debug mode), but does not automatically allow readback of the design IP • Additional reverse engineering of the control registers bit fields was required and this was made using PEA technique • Is this Backdoor or Trojan? – STAPL file contains some characteristic variable names associated with security fuses – searching for those names in the installed Actel Libero design software under Windows XP using Search option. This returns some templates and algorithm description files – inside some of those files there are traces of the designed backdoor 13

  14. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Simplified ProASIC3 security • AES encryption engine can only send data in one direction • Passkey only unlocks FROM readback • Hidden JTAG functions include different areas – factory settings, debug features and control registers – no references were found in their tools or documentation that readback of the design was a possibility 14

  15. Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Testing security levels • Security with no readback is not the only one in ProASIC3 – passkey access protection – AES encryption – security fuses – permanent lock • Evaluated against Non-invasive and Semi-invasive attacks – brute forcing, glitching, bumping, side-channel emission – optical fault injection, optical emission analysis Secure area Read access Verify access Write access Secure lock AES crypto Expected security Attack time FROM (Flash) Yes Yes Yes Yes Yes Medium Hours FPGA Array No Yes Yes Yes Yes High Days AES key No Yes Yes Yes No Medium Seconds Passkey No Yes Yes Yes No Very high Hours Backdoor key No Yes Yes Yes No Very high Hours Permanent lock No No Yes No No Ultra high Minutes 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Research Agenda 2 Breakthrough Commercialization Post-breakthrough Pre-Breakthrough

Research Agenda 2 Breakthrough Commercialization Post-breakthrough Pre-Breakthrough

6/11/12 Emergence of Creative Breakthroughs using 1 Author-ity database Sen Chai Harvard Business School UIUC Workshop on Disambiguation June 2012 Research Agenda 2 Breakthrough Commercialization Post-breakthrough

359 views • 13 slides
Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by

10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by

10. The breakthrough #influencer @simongharris @burlington_ips Breakthrough! i. Surprised by what it looks like Genesis 41:39-40 Then Pharaoh said to Joseph, You shall be in charge of my palace, and all my people are to submit to your

427 views • 11 slides
Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim

Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim

Breakthrough Change Breakthrough Change Recommendations Recommendations Part 2 Part 2 Jim Walton Jim Walton ZZZZZZZZZZZZZZZZZZZZZZZZZ Hey! Someone, wake up Its a Workin Day Why Breakthrough Change? Structural Deficit The Growing

535 views • 51 slides
Silicon Labs Corporate Overview J A N U A R Y 2 0 2 0 The leader in silicon, software and

Silicon Labs Corporate Overview J A N U A R Y 2 0 2 0 The leader in silicon, software and

Silicon Labs Corporate Overview J A N U A R Y 2 0 2 0 The leader in silicon, software and solutions for a smarter, more connected world. Silicon Labs REVENUE FOUNDED IN 1996 $868M $838M A leading provider of silicon, software $698M $769M and

624 views • 27 slides
What were going to talk about Breakthrough (the brand) DaJie (the business)

What were going to talk about Breakthrough (the brand) DaJie (the business)

BREAKTHROUGH growing positive behaviours Rob Han Lina Bartuseviciute Liisa Yu Betty Tian Derrie Guan Tony Won What were going to talk about Breakthrough (the brand) DaJie (the business) Business model Action

860 views • 53 slides
WE MAKE DIGITAL HUMANS CONTENTS SCANNING 3D EXTRAS - FACIAL SCANNING - HAIR + CLOTH -

WE MAKE DIGITAL HUMANS CONTENTS SCANNING 3D EXTRAS - FACIAL SCANNING - HAIR + CLOTH -

WE MAKE DIGITAL HUMANS CONTENTS SCANNING 3D EXTRAS - FACIAL SCANNING - HAIR + CLOTH - BODY SCANNING - REAL-TIME INTEGRATION MODELLING/TEXTURING - LIGHTING + RENDERING - CAMERA ANIMATION - MODELLING - HEAD TRACKING -

728 views • 42 slides
The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where

The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where

The Bicho An Advanced Car Backdoor Maker by @UnaPibaGeek and @holesec Who we are? And Where We are from? When we start with this? Ekoparty / 2016 Why? A quick review 5) Signal 4) Chassis ground 6) CAN High ground 2) J1850 Bus +

681 views • 47 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
Indirect Access SCANNING 2 Switch Step Scanning (get/select, move/scan)

Indirect Access SCANNING 2 Switch Step Scanning (get/select, move/scan)

3/12/20 Cases & Straps Mounts, stands, clamps. Types of Scanning 1 Switch Automatic Step/Dwell Indirect Access SCANNING 2 Switch Step Scanning (get/select, move/scan) Switches SG SGD Sc Scan an

270 views • 4 slides
PV Technology Based on Crystalline Silicon Wafers Manufacturing of Crystalline Silicon Week 4.2

PV Technology Based on Crystalline Silicon Wafers Manufacturing of Crystalline Silicon Week 4.2

PV Technology Based on Crystalline Silicon Wafers Manufacturing of Crystalline Silicon Week 4.2 Arno Smets Monocrystalline Multicrystalline The processing of silicon Quartzite Metallurgical silicon Movie 1 The processing of silicon

580 views • 18 slides
Patentable Patents 101 Whoever invents or discovers any new and useful process,

Patentable Patents 101 Whoever invents or discovers any new and useful process,

Patentable Subject Matter -- 101 Utility -- 101 Novelty -- 102 Disclosure Req. Non-obvious 112 -- 103 | | Patentable Patents 101 Whoever invents or discovers any new and useful process, machine,

936 views • 71 slides
Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR

Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR

Introduction to Static LiDAR Scanning Presented By: Anthony Falbo P.L.S. September 2020 LiDAR Scanning Overview Scanning background Applications Strengths Weaknesses Scanning Examples Fisher Associates LiDAR = light

610 views • 20 slides
Enabling Silicon-as-a-Service ENABLING SILICON-AS-A-SERVICE Algodone at a Glance When/Where

Enabling Silicon-as-a-Service ENABLING SILICON-AS-A-SERVICE Algodone at a Glance When/Where

Adding SALT TM to Product Lifecycle Management (PLM) for IP tracking and Silicon Configuration Enabling Silicon-as-a-Service ENABLING SILICON-AS-A-SERVICE Algodone at a Glance When/Where Founders Vision Technology Jrme Rampon Founded

712 views • 16 slides
A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W.

A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W.

Welcome! A Solder-Defined Computer Architecture for Backdoor and Malware Resistance Examinee: Marc W. Abel Committee: Travis Doom, Ph.D. (chair) Jack Jean, Ph.D. Michael Raymer, Ph.D. Krishnaprasad Thirunarayan, Ph.D. (T.K. Prasad) Vincent

1.94k views • 28 slides
Silicon Europe - your connection to innovative European SMEs! www.silicon-europe.eu Silicon

Silicon Europe - your connection to innovative European SMEs! www.silicon-europe.eu Silicon

Silicon Europe - your connection to innovative European SMEs! www.silicon-europe.eu Silicon Europe Alliance: Our ambition In the context of the European Commission actions towards the digital single market, our ambition is to foster cooperation

149 views • 13 slides
Dual EC a standardized back door Ruben Niederhagen Joint work with Stephen Checkoway 1 , Matthew

Dual EC a standardized back door Ruben Niederhagen Joint work with Stephen Checkoway 1 , Matthew

Dual EC a standardized back door Ruben Niederhagen Joint work with Stephen Checkoway 1 , Matthew Fredrikson 2 , Matthew Green 1 , Tanja Lange 3 , Thomas Ristenpart 2 , Daniel J. Bernstein 3,5 Jake Maskiewicz 4 , and Hovav Shacham 4 , . Related

1.97k views • 161 slides
Sterile Neutrinos Carlo Giunti INFN, Sezione di Torino and Dipartimento di Fisica Teorica,

Sterile Neutrinos Carlo Giunti INFN, Sezione di Torino and Dipartimento di Fisica Teorica,

Sterile Neutrinos Carlo Giunti INFN, Sezione di Torino and Dipartimento di Fisica Teorica, Universit` a di Torino giunti@to.infn.it Neutrino Unbound: http://www.nu.to.infn.it 52nd Winter School of Theoretical Physics Ladek Zdroj, Poland

1.55k views • 94 slides
10 reasons to Choose Annapolis Valley NOVA SCOTIA, CANADA Learn more at

10 reasons to Choose Annapolis Valley NOVA SCOTIA, CANADA Learn more at

10 reasons to Choose Annapolis Valley NOVA SCOTIA, CANADA Learn more at chooseannapolisvalley.ca Vvvvvv Located near the capital city of Nova Scotia, the Annapolis Valley offers a rich concentration of talent, post-secondary institutions

387 views • 13 slides
Incremental Learning of Robot Dynamics using Random Features Arjan Gijsberts, Giorgio Metta

Incremental Learning of Robot Dynamics using Random Features Arjan Gijsberts, Giorgio Metta

Incremental Learning of Robot Dynamics using Random Features Arjan Gijsberts, Giorgio Metta Cognitive Humanoids Laboratory Dept. of Robotics, Brain and Cognitive Sciences Italian Institute of Technology general setting learning

388 views • 23 slides
Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Motivation Illustrative Example: ATT with One-Sided Noncompliance Application: JTPA Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door and Hybrid Adjustments 1 Adam Glynn and Konstantin Kashin

928 views • 53 slides
Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL

Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL

Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL / TUD February 21, 2012 Marco Gario (EMCL / TUD) Backdoors for SAT February 21, 2012 1 / 24 Content Introduction 1 Backdoors 2 Experimental

729 views • 50 slides
A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer

A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer

Causal Inference in Statistics A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer Sciences 6/7/2018 dechter, class 8, 276-18 The book of Why Pearl

686 views • 45 slides
LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1 Agenda Introduction VMware

LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1 Agenda Introduction VMware

LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1 Agenda Introduction VMware General Architecture (Simplified) Host <-> Guest Communication Backdoor Interface VM RPC Interface Functions

491 views • 48 slides

More recommend