1260–1180 BC Bronze Age
After a fruitless 10-year siege, the Greeks constructed a huge wooden horse and hid a select force of men inside. The Greeks pretended to sail away, and that night the Greek force crept out of the horse, opened the gates for the rest of the Greek army and destroyed the city of Troy.
HARDWARE TROJANS
The views expressed in this presentation are my own. Reference to any specific product, process, or service does not necessarily constitute or imply endorsement, recommendation, or favoring by any Government or the Department of Defense.
ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION PURPOSE.
Not here to
A Hardware Trojan is a Malicious Modification of the circuitry of an integrated circuit.
“Outsourcing the fabrication and design to third parties imputed to the huge scales of requirements and economies involved”
Bogus packaging could disguise a questionable chip as a legitimate one, and baking a chip for 24 hours after fabrication could shorten its life span from 15 years to a scant 6 months.
Adding 1000 extra transistors during either the design or the fabrication process could create a kill switch or a trapdoor or could enable access for a hidden code that shuts off all.
NICK THE WIRE
A notch in a few interconnects would be almost impossible to detect but would cause eventual mechanical failure as the wire becomes overloaded.
ADD OR RECONNECT WIRING
During the layout process, new circuit traces and wiring can be added to the circuit. A skilled engineer familiar with the chip's blueprint could reconnect the wires to an undesired output.
DESIGN
• Untrusted third-party IP cores
• Untrusted CAD tools
• Untrusted automation scripts
• Untrusted libraries
FABRICATION
• Untrusted foundries
TEST & VALIDATIONS
• Untrusted if not done in-house
• Trusted if done in-house
LEADING SEMICONDUCTOR IP CORE COMPANIES
The IP core can be described as being for chip design what a library is for computer programming.
Electronic Design Automation (EDA) is a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.
The tools work together in a design flow that chip designers use to design and analyze entire semiconductor chips.
****Focused ion beam is a technique used particularly in the semiconductor industry and materials science for deposition and ablation of materials.
Hardware Trojans
• Physical: Distribution, Structure, Size, Type
• Activation
  • Externally: Antenna, Sensor
  • Internally: Always on, Conditional (Logic, Sensor)
• Action: Transmit, Modify Specs, Modify Function
Hardware Trojans
• Design Phase: Specs, Fabrication, Test, Assembly and Package
• Abstraction Level: System Level, Development, RT Level, Gate Level, Physical Level
• Effects: Change Function, Change Specs, Leak Info, Denial of Service
• Location: Part/Identity, Processor, Memory, I/O, Power Supply, Clock
• Activation: Always on, Triggered (Internally, Externally)
Internet of Things
• 10 billion Devices and Counting
• Everything right from your computer to your phone to your microwave can be compromised without you ever knowing about it.
Logistics Systems and Support domain: Transport Infrastructure, Traffic Control, Metro/Rail Monitoring & Control
Civil Critical Applications: Banking, Stock market IT Infrastructure
Military Systems: Weapon Control systems, Satellite controls, Radar systems, Surveillance Systems, Decision support Systems.
Aviation and Aeronautics industry: Flight control systems, Space Shuttles, Satellites etc.
Miscellaneous: Data centers IT Infrastructure, Personal Info stored in Clouds, Government Systems in Critical Setups etc.
Attribute: Hardware Trojans vs Software Trojans
Agency involved to infect
• Hardware Trojans: Pre-fabrication embedding in the hardware IC during manufacturing, or retrofitted later.
• Software Trojans: Resides in the code of the OS or in the running applications and gets activated during execution.
Mode
• Hardware Trojans: Third-party untrusted agencies involved in manufacturing ICs at various stages of fabrication.
• Software Trojans: Downloading malicious files from the internet, executing malicious files via social engineering methods, or common sources such as USB etc.
Current Remedial Measure available
• Hardware Trojans: Currently none, since once embedded there is no way to remove it other than destroying the chip.
• Software Trojans: Signatures released by antivirus companies and software patches based on the behavioral pattern observed.
Behavioral Attribute
• Hardware Trojans: Once activated, the behavioral action of the Hardware Trojan cannot be changed.
• Software Trojans: A Trojan's behavior can change through a further update or patch application etc.
Anatomy of a
Events which enable the Trojan Payload
Stealth depends on Triggers
The Ammo / firepower
Size is not proportional to destruction
Prior to triggering, a hardware trojan lies dormant without interfering with the operation of any electronics.
“September 2007, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar”
Source: IEEE Spectrum, 2007
Syrian RADAR Case
Computer Chip in a Commercial Jet Compromised
• The method involves accessing and sending instructions to the chip housed on smart batteries
• Completely disables the batteries on laptops, making them permanently unusable.
• Perform a number of other unintended actions like false reporting of battery levels, temperature etc.
• Could also be used for more malicious purposes down the road.
Laptop Batteries Can Be Bricked
A backdoor deliberately designed and implanted at an untrusted fabrication facility that manufactures a typical PC processor can be exploited by a software adversary at a later scheduled time.
This kind of backdoor in a processor will never be revealed by the run-of-the-mill or state-of-the-art antivirus products predominantly available as COTS.
• Sabotage on the Cryptographic Capability of Intel Processor
• Reduces the entropy of the random number generator from 128 bits to 32 bits.
• Accomplished by changing the doping polarity of a few transistors.
• Undetectable by built in self tests and physical inspection.
Intel Ivy Bridge Can’t Keep Your Secret
**entropy is the randomness collected by an application for use in cryptography
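The entropy reduction described on this slide can be illustrated with a short model, added here as an example and not taken from the presentation or from any real chip. It assumes SHA-256 as a stand-in for the on-chip conditioner and shows that a simple bit-balance self-test passes for both the healthy and the weakened generator, while counting repeated 128-bit outputs over a large sample exposes the reduced entropy.

```python
import hashlib
import random

OUT_BITS = 128  # width of each generator output, as on the slide


def model_rng(entropy_bits, n, seed=1):
    """Constructed model: n 128-bit outputs driven by only `entropy_bits`
    unknown bits. SHA-256 stands in for the on-chip conditioner."""
    src = random.Random(seed)  # fixed seed so the run is repeatable
    outs = []
    for _ in range(n):
        secret = src.getrandbits(entropy_bits).to_bytes(16, "big")
        outs.append(hashlib.sha256(secret).digest()[:16])
    return outs


def monobit_fraction(outs):
    """Share of 1 bits in the stream: the kind of check a simple self-test runs."""
    ones = sum(bin(int.from_bytes(o, "big")).count("1") for o in outs)
    return ones / (len(outs) * OUT_BITS)


def repeated_outputs(outs):
    """Outputs that duplicate an earlier one; a healthy 128-bit source gives 0."""
    return len(outs) - len(set(outs))


def expected_repeats(entropy_bits, n):
    """Birthday estimate of repeated outputs among n samples."""
    return n * (n - 1) / 2 / 2 ** entropy_bits


if __name__ == "__main__":
    n = 5000
    for bits in (128, 16):  # 16 bits keeps the demo fast; the slide's case is 32
        outs = model_rng(bits, n)
        print(f"{bits:3d} bits: ones={monobit_fraction(outs):.4f} "
              f"repeats={repeated_outputs(outs)}")
    # At the slide's 32 bits, roughly how many repeats in 200,000 outputs?
    print(f"32 bits, 200000 samples: ~{expected_repeats(32, 200_000):.1f} repeats")
```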
A hardware Trojan needs ground and a power supply to operate; the supply can be low or high depending on the design it is based on.
A Trojan that requires a low-end power supply has a low chance of being detected, whereas a Trojan requiring a higher power supply has a larger chance of detection.
GOLDEN MODEL FABRICATION
A Golden Chip is a chip which is known to not include malicious modifications.
The HINT (Holistic Approaches for Integrity of ICT-Systems) project addresses these challenges by proposing the development of novel technologies to provide a means of approval that a system is genuine and unmodified and helps to ensure the authenticity and integrity of the hardware components used in a given system.
Countermeasures For Hardware Trojans
• Trojan Detection Approaches
• Design For Security
  • Prevent Insertion
  • Facilitate Detection
• Run Time Monitoring
Key Takeaway #1
Hardware is the Root of Trust; even a small malicious modification can be devastating to system security.
Key Takeaway #2
Virtually any and every Electronic System around us can be potentially Compromised.
Key Takeaway #3
Most semiconductor companies OUTSOURCE their manufacturing due to the high capital and operational costs.
Key Takeaway #4
The trust in the chip Design process is Broken.
Key Takeaway #5
A Hardware Trojan is near Impossible to detect in tests because it's designed to trigger in mission mode.
Key Takeaway #6
Long term research can bring built in security and tamper resistance in IC designs. However, for short term, the threat can be mitigated by making the supply chain trusted.
• http://www.eetimes.com/electronics-news/4373667/Report-reveals-fake-chips-in-military-hardware
• http://www.theatlanticwire.com/technology/2011/06/us-military-fake-microchips-china/39359/
• https://citp.princeton.edu/research/memory/media/
• Cyber security in federal government, Booz Allen Hamilton
• The hunt for the kill switch, IEEE Spectrum, May 2008
• "Report of the Defense Science Board Task Force on High Performance Microchip Supply," Defense Science Board, US DoD, Feb. 2005; http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf
• "Innovation at Risk Intellectual Property Challenges and Opportunities," Semiconductor Equipment and Materials International, June 2008.
• www.darpa.mil/mto/solicitations/baa07-24/index.html
• Towards a comprehensive and systematic classification of hardware Trojans, J. Rajendran et al.
• http://larc.ee.nthu.edu.tw/~cww/n/625/6251/05DFT0603.pdf
• X. Wang, M. Tehranipoor, and J. Plusquellic, "Detecting Malicious Inclusions in Secure Hardware: Challenges and
• Hardware Trojan: Threats and Emerging Solutions, Rajat Subhra Chakraborty et al.
I am at :
http://about.me/anupam.tiwari