designing and implementing malicious hardware
play

Designing and Implementing Malicious Hardware Samuel T. King, - PowerPoint PPT Presentation

Dec 01, 2023 •181 likes •445 views

Designing and Implementing Malicious Hardware Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou Presented by Lauren Biernacki and Shuang Qiu Background Design Fabrication Packaging Testing Assembly

  1. Designing and Implementing Malicious Hardware Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou Presented by Lauren Biernacki and Shuang Qiu

  2. Background Design Fabrication Packaging Testing Assembly https://www.cs.csub.edu/~rabdolee/V http://www.colorcontrol.info/images//p http://img.tomshardware.com/us/2000/ https://upload.wikimedia.org/wikipedia http://www.globalspec.com/ImageRep LSILab/CadenceSoftware.jpeg ageImgs/chipNotes/siliconWafer02.pn 11/20/intel/p4-pic1.jpg /commons/d/d7/PSX-SCPH-5001-Mot ository/LearnMore/20123/pca_area_bi g herboard.jpg g63345179e4954563af7c87b4af7d07 e2.png SoC Supplier Foundry OSAT System OEM EMS Vendor Integrated Circuit (IC) Supply Chain

  3. Previous Work ● IBM has developed a trojan circuit that can leak encryption keys using 406 additional gates ● These trojan circuits are hardcoded modifications to orchestrate simple, specialized attacks on the underlying hardware ● No research has been conducted on hardware modifications that can support multiple types of software based attacks Novel idea: Design and implement general purpose hardware to support the design of software based attacks.

  4. Motivation & Goals Memory Access Mechanism: allows us to bypass the memory management unit ● Privilege Escalation Attack Shadow Mode: allows us to execute invisible malicious firmware ● Login Backdoor ● Stealing Passwords

  5. Motivation & Goals ● Visibility: Whether or not evidence of the attack appears on the data or address bus ● Flexibility: The hardware design can support various software payloads ● Timing Perturbations: Reduce the performance impact the modification has on the processor

  6. Hardware Design: Memory Access Mechanism Microprocessor Main Memory D-Cache I-Cache CPU MMU MMU MA TLB Snoop Address Bus Data Bus

  7. Hardware Design: Memory Access Mechanism Microprocessor Main Memory Protection D-Cache I-Cache Checking Disabled CPU MMU MMU MA TLB Snoop Address Bus Data Bus Magic Bytes

  8. Hardware Design: Memory Access Mechanism ● Visibility: It is visible! Memory accessed when protection checking is disabled still appears on the bus ● Flexibility: Gives us the ability to alter any memory, including that belonging to the operating system ● Timing Perturbations: These modifications do not influence performance Requires attacker to already have software running on the system in order to trigger byte sequence

  9. Hardware Design: Shadow Mode ● Addresses visibility issue by reserving instruction and data cache lines specifically for the malicious process ● Uses software to initiate the attack, supported by hardware alterations ○ Bootstrap code is used to initialize the attack ○ Monitors for a predefined trigger, which initiates malicious firmware ● Details of the bootstrap attack code depend on assumptions about the machine

  10. Hardware Design: Shadow Mode Microprocessor Main Memory D-Cache I-Cache CPU MMU MMU Boots .. Deubugging Debugging Debugging Logic Logic Logic TLB Address Bus Data Bus

  11. Hardware Design: Shadow Mode UDP Header Firmware Microprocessor Main Memory Magic Bytes D-Cache I-Cache UDP H .. Firmw CPU MMU MMU .. Magic .. Boots .. Boots .. Deubugging Deubugging Debugging Logic Logic Logic TLB Address Bus Data Bus

  12. Hardware Design: Shadow Mode Microprocessor Main Memory D-Cache I-Cache UDP H UDP H UDP H .. .. .. .. Firmw Firmw Firmw CPU MMU MMU .. .. .. .. Magic .. Magic .. Magic .. .. Boots .. Boots .. Boots Boots .. .. Deubugging Deubugging Debugging Firmw Logic Logic Logic TLB .. Address Bus Data Bus

  13. Hardware Design: Shadow Mode Microprocessor Microprocessor Main Memory D-Cache I-Cache .. .. CPU MMU .. .. .. .. Boots .. Boots Firmw .. .. Deubugging Debugging Firmw Logic Logic TLB .. .. Address Bus Data Bus

  14. Hardware Design: Shadow Mode ● Visibility: As long as malicious firmware does not access main memory, the attack not visible outside the processor ● Flexibility: Supports “nearly arbitrary” attacks ● Timing Perturbations: Partitioning the cache does have performance ramifications that depend on how long Shadow Mode runs

  15. Attack: Privilege Escalation ● Memory access mechanism ○ Trojaned hardware turns off memory protection. Memory Trojaned Hardware Malicious Program Effective user ID: euid1

  16. Attack: Privilege Escalation ● Memory access mechanism ○ The program changes its effective user ID to root. ○ The program now runs with full system privileges. Memory Kernel memory Trojaned euid1 → root Hardware Malicious Program Effective user ID: euid1

  17. Attack: Login Backdoor ● Shadow mode mechanism - Transient ○ Attacker sends unsolicited UDP packet ○ Monitor notices the magic byte sequence ○ Target OS inspecting UDP packet triggers trojaned hardware Processer network D-Cache I-Cache UDP H UDP .. Firmw .. UDP Header Magic .. Firmware Boots .. Boots .. Magic Bytes Attacker Sends

  18. Attack: Login Backdoor ● Shadow mode mechanism - Transient ○ Firmware is copied to reserved cache area and activated ○ Attacker logs in as root. ○ Shadow firmware uninstalls automatically. Processer D-Cache I-Cache Monitor login application ● Uname: root, pwd: letmein ● Boots .. Boots .. Make pwd checking return True ● Firm-w Evil-d are ata

  19. Attack: Stealing Passwords ● Shadow mode mechanism - Persistent ○ Keep interposing on the write and read library call to steal password Sign In Processer Interpose on write call, searching ● Password: for “Password:” to identify process D-Cache I-Cache receiving passwords 12345 Record potential passwords on the ● Boots .. Boots .. following read call Malicious Service

  20. Attack: Stealing Passwords ● Shadow mode mechanism - Persistent ○ Use two techniques to leak password out Processer D-Cache I-Cache Password:12345 Boots .. Boots .. ● Directly use system network call ● Overwrite existing network packet Malicious Service

  21. Evaluation ● Circuit-level perturbations ○ Implemented on FPGA development board with Leon3 processor ○ Modify the processor at the VHDL level ○ Memory access ■ Modify data caches & MMU ■ Memory permission checks are ignored for malicious software ○ Shadow mode ■ Modify instruction and data caches ■ Add new watchpoints and make minor changes to the existing watchpoints Logic gates increment Lines of VHDL VHDL code increment Processor Logic gates w.r.t. Baseline CPU codes w.r.t. Baseline CPU Baseline CPU 1,787,958 -- 11,195 -- CPU + memory access 1,788,917 959 (0.05%) 11,263 68 CPU + shadow mode 1,789,299 1341 (0.08%) 11,312 117 Table is from the paper “Designing and implementing malicious hardware”

  22. Evaluation ● Timing perturbations ○ Various benchmarks ■ Four CPU bound benchmarks: bzip2, gcc, parser, and twolf ■ One I/O bound benchmark: wget Four experimental cases (Login backdoor attack) ○ ■ Baseline: Unmodified hardware and without attacking ■ Known Root: Unmodified hardware. Log in with root password and steal the /etc/shadow file. ■ Transient: Hardware with shadow mode support. “Hit-and-run” style attack. ■ Persistent: Hardware with shadow mode support. Continuously active login backdoor. Figure is from the paper “Designing and implementing malicious hardware”

  23. Defense Strategies ● Detecting via analog perturbations ○ Power analysis ■ Countermeasure: constant power draw circuits ● Detecting via digital perturbations ○ IC testing with various inputs and outputs ■ Countermeasure: wait for a specific sequence as a trigger ○ Reverse engineering ■ Time-consuming, expensive, destructive ○ Fault-tolerance techniques ■ Hardware redundancy ( 3m+1 ICs are needed to cope with m malicious ICs ) [1] ● Each single approach is completely ineffective. ● Malicious hardware defense is a potential research direction. [1] Lamport, Leslie, Robert Shostak, and Marshall Pease. "The Byzantine generals problem." ACM Transactions on Programming Languages and Systems, 1982

  24. Conclusions ● This paper has laid the groundwork for constructing malicious processors. ● Proposed Two mechanisms: memory access and shadow mode. ● Implemented 3 attacks: privilege escalation, login backdoor, stealing password. ● Few hardware modification with less possibility of detection. ● Malicious hardware defense is a potential research direction.

  25. Discussion Points ● Are these attacks truly “invisible”? ● Should these malicious processors be used over standard Trojan circuits for an attack? ● It seems that all the possible defenses are not feasible. Are there any other potential defense strategies? ● Is this threat realistic?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

S9219 Designing and Implementing a VDI project powered with GPU hardware Veterans United Home

S9219 Designing and Implementing a VDI project powered with GPU hardware Veterans United Home

S9219 Designing and Implementing a VDI project powered with GPU hardware Veterans United Home Loans Steve Massman System Engineer Steve Massman System Engineer on End User Computing team steve.massman@vu.com Twitter: @SteveMassman

612 views • 43 slides
Designing and Implementing an Award- Designing and Implementing an Award- Winning Energy

Designing and Implementing an Award- Designing and Implementing an Award- Winning Energy

Designing and Implementing an Award- Designing and Implementing an Award- Winning Energy Management Winning Energy Management Program at the USPS Program at the USPS William Golove WHGolove@lbl.gov Lawrence Berkeley National Laboratory

305 views • 26 slides
HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate and malicious change to an IC that adds or removes functionality or reduces reliability The modifications may be designed to leak sensitive

394 views • 23 slides
A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$

A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$

A2:$Analog$Malicious$Hardware$ Kaiyuan$Yang,$Ma8hew$Hicks,$Qing$Dong,$Todd$Aus>n,$and$Dennis$ Sylvester$ $ University$of$Michigan$ Founda>ons$are$important$ 2$ Applica5ons) Opera5ng)System) Weakened$hardware$ Hypervisor)

507 views • 38 slides
Designing an adaptive VM that combines vectorized and JIT execution on heterogeneous hardware

Designing an adaptive VM that combines vectorized and JIT execution on heterogeneous hardware

Designing an adaptive VM that combines vectorized and JIT execution on heterogeneous hardware Tim Gubner ICDE PhD Symposium, 2018 1 Modern hardware vs. data processing systems ASIC Dark Silicon CPU GPU FPGA 2 State of the art System

221 views • 21 slides
Implementing the New Revenue Recognition Standards Under ASC 606 Designing an Implementation Plan

Implementing the New Revenue Recognition Standards Under ASC 606 Designing an Implementation Plan

Implementing the New Revenue Recognition Standards Under ASC 606 Designing an Implementation Plan to Minimize Financial and Operational Upheaval MONDAY , DECEMBER 21, 2015, 1:00-2:50 pm Eastern IMPORTANT INFORMATION This program is approved for

957 views • 73 slides
De Designing a and i implementing effective t team amwork assignments ts Fall 2020 This

De Designing a and i implementing effective t team amwork assignments ts Fall 2020 This

De Designing a and i implementing effective t team amwork assignments ts Fall 2020 This session is being recorded This work is licensed under a Creative Commons Attribution-Non-Commercial 4.0 International License. Outcomes Describe key

407 views • 22 slides
Elements of Improvement Designing and implementing improvement strategies in schools OCTOBER 25,

Elements of Improvement Designing and implementing improvement strategies in schools OCTOBER 25,

Elements of Improvement Designing and implementing improvement strategies in schools OCTOBER 25, 2018 #ElementsofImprovement WHO WE ARE INDEPENDENT. EVIDENCE-BASED. ACTION TANK. NON-PARTISAN VOICE IN PUBLIC EDUCATION REFORM. Our mission is

594 views • 35 slides
Securing Hardware Platforms Against Malicious Circuits Through Static Analysis Matthew Hicks -

Securing Hardware Platforms Against Malicious Circuits Through Static Analysis Matthew Hicks -

Securing Hardware Platforms Against Malicious Circuits Through Static Analysis Matthew Hicks - University of Illinois Samuel T. King - University of Illinois Milo M. K. Martin - University of Pennsylvania Jonathan M. Smith - University of

625 views • 27 slides
Designing and Implementing Competition Law Policy and Training Minimizing Cost of Noncompliance,

Designing and Implementing Competition Law Policy and Training Minimizing Cost of Noncompliance,

Presenting a live 90-minute webinar with interactive Q&A Designing and Implementing Competition Law Policy and Training Minimizing Cost of Noncompliance, Drafting Compliant Contracts, Training Business Clients on Commercial Communications

686 views • 57 slides
Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn

Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn

Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn Rabenstein, Production Engineer, SoundCloud Ltd. http://prometheus.io Architecture Go client library Counter interface (almost complete) type

489 views • 37 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The Humble Keylogger Malware Malicious Hardware In-Cable Devices Malicious Keyboards Supply Chain Attacks Malicious BIOS

591 views • 14 slides
Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies &

Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies &

Designing and Implementing an Emergency HOME TBRA Program Part 2: Developing Policies & Procedures June 17, 2020 1 Welcome & Introductions Sponsored by HUDs Office of Affordable Housing Programs ) Presenters Stephen

1.04k views • 44 slides
Can low-income countries afford social protection? Designing and Implementing Social Transfer

Can low-income countries afford social protection? Designing and Implementing Social Transfer

International Labour Office Can low-income countries afford social protection? Designing and Implementing Social Transfer Programmes 22 July - 4 August 2007 Cape Town, South Africa Krzysztof Hagemejer Social Security Department,

385 views • 34 slides
CMU 15-896 Fair division 3: Rent division Teacher: Ariel Procaccia A true story In 2001 I

CMU 15-896 Fair division 3: Rent division Teacher: Ariel Procaccia A true story In 2001 I

CMU 15-896 Fair division 3: Rent division Teacher: Ariel Procaccia A true story In 2001 I moved into an apartment in Jerusalem with Naomi and Nir One larger bedroom, two smaller bedrooms Naomi and I searched for the apartment, Nir

417 views • 25 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides
Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game

Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game

Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game Theory Washington State University Summarizing... We learned how to nd msNE in games: with 2 players, each with 2 available strategies (2x2

615 views • 37 slides
Next Generation ACO Model Open Door Forum: Next Generation ACO Application Overview March 29,

Next Generation ACO Model Open Door Forum: Next Generation ACO Application Overview March 29,

Next Generation ACO Model Open Door Forum: Next Generation ACO Application Overview March 29, 2016 Agenda Model Overview Application and Selection Timeline Letter of Intent Application Overview 2 Next Generation ACO Model

750 views • 27 slides
Causal Inference CMPUT 366: Intelligent Systems Bar 3.4 Lecture Outline 1. Recap &

Causal Inference CMPUT 366: Intelligent Systems Bar 3.4 Lecture Outline 1. Recap &

Causal Inference CMPUT 366: Intelligent Systems Bar 3.4 Lecture Outline 1. Recap & Logistics 2. Causal Queries 3. Identifiability Labs & Assignment #1 Assignment #1 was due Feb 4 (today) before lecture Today's lab is

432 views • 24 slides
Battery ry-Free Id Identifi fication Token for Touch Se Sensing Devices Phuc Nguyen , Ufuk

Battery ry-Free Id Identifi fication Token for Touch Se Sensing Devices Phuc Nguyen , Ufuk

Battery ry-Free Id Identifi fication Token for Touch Se Sensing Devices Phuc Nguyen , Ufuk Muncuk, Ashwin Ashok, Kaushik R Chowdhury, Marco Gruteser, and Tam Vu Phone & Laptop Existing touch surfaces serve as an interface between Smart

990 views • 25 slides
Mu2e Remote Handling Shield Door, Air Seal, and Transfer Cart Design Status Dave Pushka Mu2e

Mu2e Remote Handling Shield Door, Air Seal, and Transfer Cart Design Status Dave Pushka Mu2e

Mu2e Remote Handling Shield Door, Air Seal, and Transfer Cart Design Status Dave Pushka Mu2e Target, Remote Handling, and Heat & Radiation Shield Review November 16-18, 2015 Items Addressed in this Talk: Shield Door between the

569 views • 29 slides

More recommend