SlideShare a Scribd company logo

Designing and implementing malicious processors

N
NebyueAwoke

Research Review PowerPoint

Education
1 of 19
Download to read offline
Designing and implementing malicious processors Sam King, Joe Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, Yuanyuan Zhou Presented by: Nebiyu Awoke
Outlines 2 o Introduction o System Design o Hardware Design o Implementation o Evaluation o Defending Strategy o Conclusions o Discussion
3 Introduction https://i1.wp.com/semiengineering.com/wp content/uploads/Synopsys_silicon-lifecycle-fig1.jpg?ssl=1  Commercial-off-the-shelf (COTS)  Insecure IC supply chain - design, manufacturing and testing a diverse set of countries  Why Hardware attack? - lower level of control
4 Cont.. IBM “trojan circuit” - To steal encryption keys - 406 additional gates Limitations - Operates on hardware-level abstractions directly. - Ignore higher-level abstractions and system-level aspects - Defensive strategy, - Ignored existing counter-strategies an attacker may employ - Hard-coded attack; - The malicious circuit is useful for only this one specific purpose.
5 Cont .. What’s new?  Design and implementation of general purpose hardware to support software based attacks.
6 System Design  Circuit design space: - Memory access mechanism - Shadow mode mechanism  Potential attacks: - Privilege escalation attack - Login backdoor - Stealing passwords
7 Cont..  Memory access mechanism: bypass MMU - Privilege escalation attack - Gives a root without checking credentials or creating log entries  Shadow mode mechanism: - Login backdoor - Lets an attacker log in as root without supplying a password, - Stealing passwords
8 Hardware Design  Tradeoff and assumptions - Timing perturbations: - The performance impact of the modification - Visibility of the attack: - Weather or not sign of the attack appears on the data or address bus - Flexibility: - Can it support various software payloads?
9 Memory Access Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573 provides hardware support for unprivileged malicious software by allowing access to privileged memory regions..
10 Cont.. Visibility: visible Flexibility: flexible Timing Perturbations: have no effect Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
11 Shadow Mode  Have full processor privileges and are invisible to software.  Reserve instruction cache lines and data cache lines for the attack - hide attack from hardware outside of IMP  Two bootstrap mechanisms - a small section of bootstrap code that initializes the attack or - a predefined trigger, which initiates malicious FW  The exact mechanism used to bootstrap attacks depends on the goals of the attacker and the IMP architect.  Debugging hardware: support transitions into shadow mode
12 Cont.. Hardware differences when shadow mode is active Visibility: not visible as long as accessing main memory Flexibility: flexible Timing Perturbations: will have a performance effect
13 Malicious Services  Privilege escalation - Turn off protection to privileged memory regions. - Escalates the privileges of a user process to root privilege level Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
14 Cont..  Login backdoor  Stealing passwords - Interposes on the write library call, searching for the string “Password:” - On the following read call it interposes to record potential passwords. - Leak passwords - Uses system calls to access the network interface. - Overwrite existing network frames with our own packets.
15 Implementation  Development board: FPGA  Processor: Leon3 implements SPARC v8 IS  Modify the design at the VHDL level  OS: Linux  Memory access mechanism modify the data cache and the MMU  Shadow mode mechanism modify instruction and data caches  Run at 40 MHz, which is the recommended clock speed
16 Evaluation  Circuit-level perturbations The circuit-level impact of IMPs compared to a baseline (unmodified) Leon3 processor. 0.05% and 0.08% increase in logic add 68 lines of code for MAM & 117 lines of code for SM  Timing perturbation - CPU bound SPEC benchmarks: bzip2, gcc, parse , and twolf - I/O bound benchmark: wget 1.32% overhead 1.34% overhead 13.0% overhead
17 Defending Strategy  Analog side effects - Using power analysis: however, power analysis began as an attack technique .  Digital perturbations - IC testing: waiting for a specific triggering input will pass testing - Reverse engineering: time-consuming, expensive, destructive - Fault-tolerance techniques: Hw redundancy make it expensive because of cost, power consumption, and board real estate.  The best defense is most likely a combination approach.
18 Conclusions - Hardware Trojan (HT), has emerged as an important research topic in recent years. - IC supply chain is large and vulnerable - Designed two general purpose mechanisms: MAM & SM - Implement attacks: privilege escalation, back-door logins and steal passwords - Hw modification of high level flexibility with low detectability - Defending approaches are to inefficient to detect
Discussions ◉ Is it possible to design ICs with self protection awareness? ◉ Are these attacks able to escape all the existing counter strategies? ◉ How can assure a high level defending strategy like on-chip monitoring during run time? ◉ Is IMP feasible in terms of performance, power, area and security costs? ◉ What about other attacks like disabling or destroying a system at some future time? 19

Recommended

Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsAbdullah Deeb
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
MIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityMIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityCharles Guillemet
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectreyeokm1
 
2464
24642464
2464Amin Khorsandi
 
Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems Naveen Jakhar, I.T.S
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 

Recommended

Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsAbdullah Deeb
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
MIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityMIT Bitcoin Expo 2018 - Hardware Wallets Security
MIT Bitcoin Expo 2018 - Hardware Wallets SecurityCharles Guillemet
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
 
Meltdown and Spectre
Meltdown and SpectreMeltdown and Spectre
Meltdown and Spectreyeokm1
 
2464
24642464
2464Amin Khorsandi
 
Security in Embedded systems
Security in Embedded systems Security in Embedded systems
Security in Embedded systems Naveen Jakhar, I.T.S
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other AttacksExploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacksinside-BigData.com
 
Jonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafeJonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafeJonny Doin
 
Osd diksha presentation
Osd diksha presentationOsd diksha presentation
Osd diksha presentationdikshagupta111
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 
Careful Packing
Careful PackingCareful Packing
Careful PackingFlavio Toffalini
 
Defense
DefenseDefense
DefenseTawfiq Shah
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
DSDConference07
DSDConference07DSDConference07
DSDConference07Adam Taylor CEng FIET
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
 
Meltdown & Spectre attacks
Meltdown & Spectre attacksMeltdown & Spectre attacks
Meltdown & Spectre attacksMarian Marinov
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...IEEEMEMTECHSTUDENTPROJECTS
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsPriyanka Aash
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsSergey Gordeychik
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Chap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_osChap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_osMontassar BEN ABDALLAH
 
IJCSE Paper
IJCSE PaperIJCSE Paper
IJCSE PaperSowmya Kambhampati
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdfParasPatel967737
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdfKalsoomTahir2
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdfParvezAhmed59842
 

More Related Content

What's hot

Jonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafeJonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafeJonny Doin
 
Osd diksha presentation
Osd diksha presentationOsd diksha presentation
Osd diksha presentationdikshagupta111
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
 
Meltdown & Spectre attacks
Meltdown & Spectre attacksMeltdown & Spectre attacks
Meltdown & Spectre attacksMarian Marinov
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...IEEEMEMTECHSTUDENTPROJECTS
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentationCHIACHE lee
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsPriyanka Aash
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsSergey Gordeychik
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Chap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_osChap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_osMontassar BEN ABDALLAH
 

What's hot (18)

Jonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafeJonny doin safe io t- lt_spice failsafe
Jonny doin safe io t- lt_spice failsafe
 
Osd diksha presentation
Osd diksha presentationOsd diksha presentation
Osd diksha presentation
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
 
Careful Packing
Careful PackingCareful Packing
Careful Packing
 
Defense
DefenseDefense
Defense
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
DSDConference07
DSDConference07DSDConference07
DSDConference07
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
 
Meltdown & Spectre attacks
Meltdown & Spectre attacksMeltdown & Spectre attacks
Meltdown & Spectre attacks
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
 
Thesis presentation
Thesis presentationThesis presentation
Thesis presentation
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisors
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
System-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product SecuritySystem-level Threats: Dangerous Assumptions in modern Product Security
System-level Threats: Dangerous Assumptions in modern Product Security
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangout
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
Chap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_osChap 4 lesson02emsysnewinterruptbasedi_os
Chap 4 lesson02emsysnewinterruptbasedi_os
 

Similar to Designing and implementing malicious processors

CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
Sample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginSample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginnaveendurga557
 
Critical infrastructure Protection and Cyber Attack Modeling
Critical infrastructure Protection and Cyber Attack ModelingCritical infrastructure Protection and Cyber Attack Modeling
Critical infrastructure Protection and Cyber Attack ModelingBlaz Ivanc
 
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsxDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsVivek Venugopalan
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Test versus security @ IEEE Concept
Test versus security @ IEEE ConceptTest versus security @ IEEE Concept
Test versus security @ IEEE Conceptkodela3
 
Vishwanath rakesh ece 561
Vishwanath rakesh ece 561Vishwanath rakesh ece 561
Vishwanath rakesh ece 561RAKESH_CSU
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
Wireless sensor Network using Zero Knowledge Protocol ppt
Wireless sensor Network using Zero Knowledge Protocol pptWireless sensor Network using Zero Knowledge Protocol ppt
Wireless sensor Network using Zero Knowledge Protocol pptsofiakhatoon
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)Hamid Reza
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System SecurityAdel Barkam
 

Similar to Designing and implementing malicious processors (20)

IJCSE Paper
IJCSE PaperIJCSE Paper
IJCSE Paper
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
Sample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginSample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for login
 
Critical infrastructure Protection and Cyber Attack Modeling
Critical infrastructure Protection and Cyber Attack ModelingCritical infrastructure Protection and Cyber Attack Modeling
Critical infrastructure Protection and Cyber Attack Modeling
 
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsxDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Tapping into the core
Tapping into the coreTapping into the core
Tapping into the core
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
Test versus security @ IEEE Concept
Test versus security @ IEEE ConceptTest versus security @ IEEE Concept
Test versus security @ IEEE Concept
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoT
 
Vishwanath rakesh ece 561
Vishwanath rakesh ece 561Vishwanath rakesh ece 561
Vishwanath rakesh ece 561
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
Wireless sensor Network using Zero Knowledge Protocol ppt
Wireless sensor Network using Zero Knowledge Protocol pptWireless sensor Network using Zero Knowledge Protocol ppt
Wireless sensor Network using Zero Knowledge Protocol ppt
 
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford
 
ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)ASIP (Application-specific instruction-set processor)
ASIP (Application-specific instruction-set processor)
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
 

Recently uploaded

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 

Recently uploaded (20)

Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 

Designing and implementing malicious processors

  • 1. Designing and implementing malicious processors Sam King, Joe Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, Yuanyuan Zhou Presented by: Nebiyu Awoke
  • 2. Outlines 2 o Introduction o System Design o Hardware Design o Implementation o Evaluation o Defending Strategy o Conclusions o Discussion
  • 3. 3 Introduction https://i1.wp.com/semiengineering.com/wp content/uploads/Synopsys_silicon-lifecycle-fig1.jpg?ssl=1  Commercial-off-the-shelf (COTS)  Insecure IC supply chain - design, manufacturing and testing a diverse set of countries  Why Hardware attack? - lower level of control
  • 4. 4 Cont.. IBM “trojan circuit” - To steal encryption keys - 406 additional gates Limitations - Operates on hardware-level abstractions directly. - Ignore higher-level abstractions and system-level aspects - Defensive strategy, - Ignored existing counter-strategies an attacker may employ - Hard-coded attack; - The malicious circuit is useful for only this one specific purpose.
  • 5. 5 Cont .. What’s new?  Design and implementation of general purpose hardware to support software based attacks.
  • 6. 6 System Design  Circuit design space: - Memory access mechanism - Shadow mode mechanism  Potential attacks: - Privilege escalation attack - Login backdoor - Stealing passwords
  • 7. 7 Cont..  Memory access mechanism: bypass MMU - Privilege escalation attack - Gives a root without checking credentials or creating log entries  Shadow mode mechanism: - Login backdoor - Lets an attacker log in as root without supplying a password, - Stealing passwords
  • 8. 8 Hardware Design  Tradeoff and assumptions - Timing perturbations: - The performance impact of the modification - Visibility of the attack: - Weather or not sign of the attack appears on the data or address bus - Flexibility: - Can it support various software payloads?
  • 9. 9 Memory Access Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573 provides hardware support for unprivileged malicious software by allowing access to privileged memory regions..
  • 10. 10 Cont.. Visibility: visible Flexibility: flexible Timing Perturbations: have no effect Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
  • 11. 11 Shadow Mode  Have full processor privileges and are invisible to software.  Reserve instruction cache lines and data cache lines for the attack - hide attack from hardware outside of IMP  Two bootstrap mechanisms - a small section of bootstrap code that initializes the attack or - a predefined trigger, which initiates malicious FW  The exact mechanism used to bootstrap attacks depends on the goals of the attacker and the IMP architect.  Debugging hardware: support transitions into shadow mode
  • 12. 12 Cont.. Hardware differences when shadow mode is active Visibility: not visible as long as accessing main memory Flexibility: flexible Timing Perturbations: will have a performance effect
  • 13. 13 Malicious Services  Privilege escalation - Turn off protection to privileged memory regions. - Escalates the privileges of a user process to root privilege level Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
  • 14. 14 Cont..  Login backdoor  Stealing passwords - Interposes on the write library call, searching for the string “Password:” - On the following read call it interposes to record potential passwords. - Leak passwords - Uses system calls to access the network interface. - Overwrite existing network frames with our own packets.
  • 15. 15 Implementation  Development board: FPGA  Processor: Leon3 implements SPARC v8 IS  Modify the design at the VHDL level  OS: Linux  Memory access mechanism modify the data cache and the MMU  Shadow mode mechanism modify instruction and data caches  Run at 40 MHz, which is the recommended clock speed
  • 16. 16 Evaluation  Circuit-level perturbations The circuit-level impact of IMPs compared to a baseline (unmodified) Leon3 processor. 0.05% and 0.08% increase in logic add 68 lines of code for MAM & 117 lines of code for SM  Timing perturbation - CPU bound SPEC benchmarks: bzip2, gcc, parse , and twolf - I/O bound benchmark: wget 1.32% overhead 1.34% overhead 13.0% overhead
  • 17. 17 Defending Strategy  Analog side effects - Using power analysis: however, power analysis began as an attack technique .  Digital perturbations - IC testing: waiting for a specific triggering input will pass testing - Reverse engineering: time-consuming, expensive, destructive - Fault-tolerance techniques: Hw redundancy make it expensive because of cost, power consumption, and board real estate.  The best defense is most likely a combination approach.
  • 18. 18 Conclusions - Hardware Trojan (HT), has emerged as an important research topic in recent years. - IC supply chain is large and vulnerable - Designed two general purpose mechanisms: MAM & SM - Implement attacks: privilege escalation, back-door logins and steal passwords - Hw modification of high level flexibility with low detectability - Defending approaches are to inefficient to detect
  • 19. Discussions ◉ Is it possible to design ICs with self protection awareness? ◉ Are these attacks able to escape all the existing counter strategies? ◉ How can assure a high level defending strategy like on-chip monitoring during run time? ◉ Is IMP feasible in terms of performance, power, area and security costs? ◉ What about other attacks like disabling or destroying a system at some future time? 19