A2: Analog Malicious Hardware


The talk I gave at Papers We Love #22 (Singapore) about this academic paper "A2: Analog Malicious Hardware" by a few researchers.

Here is the link to the paper: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf



  1. A2: Analog Malicious Hardware
     Authored by: Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, Dennis Sylvester
     Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI, USA
     Paper: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf
     Papers We Love #22 (29 Aug 2016)
     By: Yeo Kheng Meng (yeokm1@gmail.com)
  2. Remember “Reflections on Trusting Trust”?
     1984 Turing award lecture by Ken Thompson
     • Hack compilers to inject malicious code into output binaries
     • Conclusion
       • “You can’t trust code that you did not totally create yourself”
       • “We can go lower to avoid detection like assembler, loader or hardware microcode”
  3. Threat Model/Paper Abstract
     Privilege escalation with maliciously-modified hardware
     • “we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small and stealthy”
       1. “we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values.”
       2. “When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value.”
       3. “We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor.”
       4. We implement this attack in an OR1200 processor and fabricate a chip
  4. First some concepts
  5. Analog vs Digital Circuits
     • Analog
       • Continuous Signal
       • Signal is a fraction of logic level voltage
     • Digital
       • Discrete
       • Usually binary 0 or 1
       • 1: High logic voltage
       • 0: Low logic voltage
     Image from: https://www.renesas.com/en-us/support/technical-resources/engineer-school/digital-circuits-01-and-circuit-or-circuit-not-circuit.html
  6. What is a Capacitor?
     https://en.wikipedia.org/wiki/Capacitor
     • A capacitor is a passive two-terminal electrical component used to store electrical energy temporarily in an electrostatic field.
     • AKA temporary small-capacity battery
     • Capacitor “leaks”
  7. Charge Pump Design
     • A charge pump is a kind of DC to DC converter that uses capacitors as energy-storage elements to create either a higher- or lower-voltage power source.
     • Clock pulses at regular intervals build up a charge in the capacitor
  8. What is a flip-flop/latch?
     • Circuit that has two stable states and can be used to store state information.
     • Example: Set-Reset (SR) latch
       • 2 interconnected NOR gates
     Figure: an animated SR latch. Black = 1, White = 0. Value is stored in Q; Q’ is the complement.
     https://en.wikipedia.org/wiki/Flip-flop_(electronics)#SR_NOR_latch
     https://en.wikipedia.org/wiki/NOR_gate

     SR Latch Truth table

     | S | R | Q | Action | Qnext |
     |---|---|---|--------|-------|
     | 0 | 0 | Q | Hold   | Q     |
     | 0 | 1 | 0 | Reset  | 0     |
     | 0 | 1 | 1 | Reset  | 0     |
     | 1 | 0 | 0 | Set    | 1     |
     | 1 | 0 | 1 | Set    | 1     |
     | 1 | 1 | X | NA     | NA    |

     NOR Gate Operation

     | Input A | Input B | Output (A NOR B) |
     |---------|---------|------------------|
     | 0       | 0       | 1                |
     | 0       | 1       | 0                |
     | 1       | 0       | 0                |
     | 1       | 1       | 0                |
  9. Integrated Circuit (IC) Design Process
     • Similar to Printed Circuit Board Design
     1. Digital Design Phase
        • Logic Simulation with HDL: VHDL/Verilog
        • Circuit schematic design
     2. Backend Design
        • Routing, layout
        • Design Rule Check (DRC)
        • Graphic Database System II (GDSII) file is generated
        • GDSII to ICs, Gerbers to PCBs
     3. Fabrication
     4. Verification
  10. Chip Fabrication Process layers
      • Front End Of Line (FEOL) contains
        • Transistors, Capacitors, Resistors, Flip-Flops
        • PCB Analogy: Board Components
      • Back End Of Line (BEOL) contains
        • Layers of tiny Copper Wiring
        • PCB Analogy: Trace layers
      • Solder-Bump
        • Attachment to host PCB or motherboard
      https://upload.wikimedia.org/wikipedia/commons/e/ee/Cmos-chip_structure_in_2000s_%28en%29.svg
  11. Attack Components
      • Trigger
        • Monitors wires and state until the moment to activate the payload
      • Payload
        • Malicious action accomplished when triggered
  12. Target Platform
      • OpenRISC 1200 processor
        • Open source CPU
        • Uses 32-bit OR1K instruction set
        • 128KB instruction cache
        • Implemented as FPGA using VHDL
  13. OR1200 Supervision Register
      • SM bit
        • Determines if current process is user or supervisor
        • 0 for usermode, 1 for supervisor mode
      • OV bit
        • If overflow occurred during last arithmetic operation
        • 0 for no overflow, 1 for overflow
      Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
      https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
  14. Attack model
      1. Show that analog circuits with a capacitor can create attacks
      2. Pick victim wires that will trigger attacks
      3. When the capacitors fully charge, they deploy an attack that changes the flip-flop that holds the privilege bit
      4. Stealthily implement this attack in an OR1200 processor
      5. Run malicious code to activate the attack
  15. 1. Single-stage Analog trigger circuit behaviour model
      • Based on charge-pump design
      • When Cap Voltage > Threshold, trigger output
      • Trigger Input: Victim Wire
      • Trigger Time: Time taken to activate trigger at certain trigger frequency
      • Retention Time: Time taken to reset trigger after input stops
  16. 1. Multi-stage Analog trigger circuit behaviour model
      • Lower probability of false trigger activation
        • Normal operations/benchmarks can “accidentally” trigger a wire
      • Software flexibility
        • Multiple attack vectors
  17. 2. Single-stage trigger victim wire selection
      • We use the overflow flag wire as trigger
      Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
      https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
  18. 2. Two-stage trigger victim wire selection
      • Trigger 1: Signed Division wire
      • Trigger 2: Unsigned Division wire
      Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
      https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
  19. 3. The Attack Payload
      • Overwrite register value containing “privilege/supervisor bit”
      • Usermode process is now given superuser privileges
      Figure labels: Reset Latch (Active-Low); Set Latch (Active-High)
  20. 4. Attack insertion vector?
      • Can be done anywhere along the chain
      • Adding in Digital Design Phase?
        • Easiest to implement on schematic level
        • Easily detected during verification checks
        • Tight security of designer’s machines
      • Backend?
        • Moderate difficulty but still able to find insertion location
        • Can be discovered by SPICE simulation
        • Tight security of designer’s machines
      • Final choice: Fabrication
        • Relatively lower security at foundry level
        • Requires insider access to GDSII between backend and fabrication
        • Tough to detect
  21. 4. Stealth implementation on OR1200
      • CPU die size is 2.1 mm²
      • A2 Analog attack
        • 1 gate, 13.4 µm²
      • Digital counter-based equivalent of A2
        • 91 cells or gates, 382 µm²
  22. 5. Pseudocode for single-stage trigger attack
      Figure label: Divide by 0
      Page 54 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
      https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
  23. 5. Pseudocode for two-stage trigger attack
      Page 9 of the Paper
  24. Test Results
      • It works!
        • Voltage range: 0.8V to 1.2V
        • Temperature range: -25°C to 100°C
      • Result Trends
        • ↑ temperature -> ↑ capacitor leakage -> ↑ trigger cycles
        • ↑ voltage -> ↑ rate of capacitor accumulation -> ↓ trigger cycles
  25. Possible Defences?
      • Side Channel?
        • Power difference of extra gate in 100000 gates is negligible
      • Visual inspection?
        • Detecting anomalous 13.4 µm² circuitry in 2.1 mm² die size is impractical
      • Split Manufacturing?
        • Trusted and expensive
        • Untrusted and cheaper
  26. Intuitive Split Manufacturing strategy
      • Goal: Obfuscate design from untrusted fabricator by withholding some wires on upper layers
      • BUT possible to reverse engineer 96% of “some wires” using knowledge of layout tools
        • J. Rajendran, O. Sinanoglu, and R. Karri, “Is split manufacturing secure?” in Design, Automation and Test in Europe, ser. DATE, 2013, pp. 1259–1264.
      Diagram labels: Design House; Untrusted/Cheaper Fabricator; Trusted Fabricator And Assembler; GDSII of gates and other wires; GDSII of some wires; Unfinished bottom portion; Assembled chip
  27. Proposed Split Manufacturing strategy
      • Split at Level 1
        • Untrusted Manufacturer does not make any gates
      • However…
        • Expensive $$$ to join two copper layers at low layers
        • No such process exists
      Diagram labels: Design House; Untrusted/Cheaper Fabricator; Trusted Fabricator And Assembler; FEOL + Metal Level 1; BEOL – Metal Level 1; Unfinished top portion; Assembled chip
  28. Potential for x86 attacks?
      • Much harder to detect and easier to implement than on OR1200
        • x86 has more registers, A2 only needs one
        • x86 has more victim wires
      • “The only aspect of scaling to an x86-class processor that we anticipate as a challenge is maintaining controllability as there are many redundant functional units inside an x86, so a trigger would either need to tap equivalent wires in all functional units or be open to some probabilistic effects.”
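
A behavioural sketch of the trigger model from slides 15, 16 and 24, added here as an example; it is not code from the paper or the talk. The per-toggle charge step, per-cycle leak, threshold and the AND combination of the two stages are constructed assumptions, with voltages normalised to the supply.

```python
# Behavioural model of a charge-pump style trigger (added example).
# All parameter values are constructed for illustration; Vdd is normalised to 1.0.

def run_stage(toggles, step=0.05, leak=0.01, threshold=0.5):
    """Return the per-cycle trigger output of one stage.

    toggles: list of bools, True when the victim wire toggles in that cycle.
    step:    fraction of the remaining headroom added per toggle (assumed).
    leak:    fraction of the stored charge lost per cycle (assumed).
    """
    v, out = 0.0, []
    for t in toggles:
        v *= 1.0 - leak              # the capacitor leaks every cycle
        if t:
            v += step * (1.0 - v)    # each toggle adds a little charge
        out.append(v > threshold)    # output asserts above the threshold
    return out

def periodic(period, cycles):
    """Victim-wire activity: one toggle every `period` cycles."""
    return [c % period == 0 for c in range(cycles)]

def trigger_time(period, cycles=5000, **kw):
    """Cycles until the stage first asserts, or None if it never does."""
    out = run_stage(periodic(period, cycles), **kw)
    return out.index(True) + 1 if True in out else None

def retention_time(charge_cycles=40, **kw):
    """Cycles the output stays asserted after the wire goes quiet."""
    out = run_stage([True] * charge_cycles + [False] * 5000, **kw)
    return sum(out[charge_cycles:])

def two_stage(toggles_a, toggles_b, **kw):
    """Two stages on different wires, combined with AND (assumed)."""
    a = run_stage(toggles_a, **kw)
    b = run_stage(toggles_b, **kw)
    return [x and y for x, y in zip(a, b)]

if __name__ == "__main__":
    print("trigger time, toggle every cycle:    ", trigger_time(1))
    print("trigger time, toggle every 50 cycles:", trigger_time(50))
    print("retention time:                      ", retention_time())
    print("more leakage (hotter):               ", trigger_time(1, leak=0.02))
    print("larger step (higher voltage):        ", trigger_time(1, step=0.08))
    busy, idle = periodic(1, 200), periodic(50, 200)
    print("two-stage, one wire busy: ", any(two_stage(busy, idle)))
    print("two-stage, both wires busy:", any(two_stage(busy, busy)))
```

In this model a wire that toggles only occasionally settles well below the threshold, which is the behaviour slide 16 relies on when it says ordinary workloads should not assert the trigger.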
