1. Designing and implementing
malicious processors
Sam King, Joe Tucek, Anthony Cozzie, Chris
Grier, Weihang Jiang, Yuanyuan Zhou
Presented by: Nebiyu Awoke
2. Outlines
o Introduction
o System Design
o Hardware Design
o Implementation
o Evaluation
o Defending Strategy
o Conclusions
o Discussion
4. Cont..
IBM “trojan circuit”
- To steal encryption keys
- 406 additional gates
Limitations
- Operates on hardware-level abstractions directly.
- Ignores higher-level abstractions and system-level aspects
- Defensive strategy:
- Ignored existing counter-strategies an attacker may employ
- Hard-coded attack:
- The malicious circuit is useful for only this one specific purpose.
5. Cont..
What’s new?
Design and implementation of general purpose hardware to
support software based attacks.
7. Cont..
Memory access mechanism: bypass MMU
- Privilege escalation attack
- Gives root access without checking credentials or creating log entries
Shadow mode mechanism:
- Login backdoor
- Lets an attacker log in as root without supplying a password,
- Stealing passwords
8. Hardware Design
Tradeoff and assumptions
- Timing perturbations:
- The performance impact of the modification
- Visibility of the attack:
- Whether or not signs of the attack appear on the data or address bus
- Flexibility:
- Can it support various software payloads?
9. Memory Access
Provides hardware support for unprivileged malicious software by allowing access to privileged memory regions.
Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
11. Shadow Mode
Have full processor privileges and are invisible to software.
Reserve instruction cache lines and data cache lines for the attack
- hide attack from hardware outside of IMP
Two bootstrap mechanisms
- a small section of bootstrap code that initializes the attack or
- a predefined trigger, which initiates malicious FW
The exact mechanism used to bootstrap attacks depends on the goals of the
attacker and the IMP architect.
Debugging hardware: support transitions into shadow mode
12. Cont..
Hardware differences when shadow mode is active
Visibility: not visible as long as accessing main memory
Flexibility: flexible
Timing Perturbations: will have a performance effect
13. Malicious Services
Privilege escalation
- Turn off protection to privileged memory regions.
- Escalates the privileges of a user process to root privilege level
Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
14. Cont..
Login backdoor
Stealing passwords
- Interposes on the write library call, searching for the string “Password:”
- On the following read call it interposes to record potential passwords.
- Leak passwords
- Uses system calls to access the network interface.
- Overwrite existing network frames with our own packets.
15. Implementation
Development board: FPGA
Processor: Leon3 implements SPARC v8 IS
Modify the design at the VHDL level
OS: Linux
Memory access mechanism: modifies the data cache and the MMU
Shadow mode mechanism: modifies the instruction and data caches
Run at 40 MHz, which is the recommended clock speed
16. Evaluation
Circuit-level perturbations
The circuit-level impact of IMPs compared to a baseline (unmodified) Leon3 processor.
0.05% and 0.08% increase in logic
Adds 68 lines of code for MAM and 117 lines of code for SM
Timing perturbation
- CPU-bound SPEC benchmarks: bzip2, gcc, parser, and twolf
- I/O-bound benchmark: wget
1.32% overhead 1.34% overhead 13.0% overhead
17. Defending Strategy
Analog side effects
- Using power analysis: however, power analysis began as an attack technique.
Digital perturbations
- IC testing: a circuit waiting for a specific triggering input will pass testing
- Reverse engineering: time-consuming, expensive, destructive
- Fault-tolerance techniques: hardware redundancy makes it expensive because of cost, power consumption, and board real estate.
The best defense is most likely a combination approach.
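The IC-testing point above, as an added example that is not from the presentation or the paper: a toy Python model of functional testing against a golden reference, where the device under test deviates only on one trigger input. The `golden` function, the trigger values and the trigger widths are constructed assumptions.

```python
import random

def golden(word: int) -> int:
    """Reference behaviour of the unit under test (constructed toy function)."""
    return (word * 2654435761) & 0xFFFFFFFF

def make_dut(trigger: int, mask: int):
    """Device under test: equals golden() unless the masked input matches the trigger."""
    def dut(word: int) -> int:
        out = golden(word)
        if word & mask == trigger & mask:
            out ^= 1  # deviation that is only observable on the trigger input
        return out
    return dut

def random_test(dut, n_vectors: int, seed: int = 1) -> int:
    """Apply n random 32-bit vectors and count mismatches against golden()."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(n_vectors):
        word = rng.getrandbits(32)
        if dut(word) != golden(word):
            mismatches += 1
    return mismatches

def escape_probability(trigger_bits: int, n_vectors: int) -> float:
    """Chance that n uniform random vectors all miss a trigger of the given width."""
    return (1.0 - 2.0 ** -trigger_bits) ** n_vectors

if __name__ == "__main__":
    n = 20000
    # Constructed cases: a narrow 8-bit trigger and a full-width 32-bit trigger.
    for bits, trig, mask in [(8, 0xEF, 0xFF), (32, 0xDEADBEEF, 0xFFFFFFFF)]:
        found = random_test(make_dut(trig, mask), n)
        print(f"{bits}-bit trigger: {found} mismatches in {n} vectors, "
              f"escape probability {escape_probability(bits, n):.6g}")
```

With the same test budget the narrow trigger is caught many times while the full-width trigger passes, which is why test-based screening is paired with other methods in the slide's conclusion.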
18. Conclusions
- Hardware Trojans (HT) have emerged as an important research topic in recent years.
- IC supply chain is large and vulnerable
- Designed two general purpose mechanisms: MAM & SM
- Implemented attacks: privilege escalation, backdoor logins, and password stealing
- Hardware modification offers a high level of flexibility with low detectability
- Defending approaches are too inefficient to detect
19. Discussions
◉ Is it possible to design ICs with self protection awareness?
◉ Are these attacks able to escape all the existing counter strategies?
◉ How can we assure a high-level defending strategy like on-chip
monitoring during run time?
◉ Is IMP feasible in terms of performance, power, area and security
costs?
◉ What about other attacks like disabling or destroying a system at
some future time?