This is the talk I gave at Papers We Love #22 (Singapore) about the academic paper "A2: Analog Malicious Hardware" by a few researchers.
Here is the link to the paper: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf
1. A2: Analog Malicious Hardware
Authored by:
1. Kaiyuan Yang
2. Matthew Hicks
3. Qing Dong
4. Todd Austin
5. Dennis Sylvester
Department of Electrical Engineering and Computer Science
University of Michigan
Ann Arbor, MI, USA
Paper: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf
Papers We Love #22 (29 Aug 2016) By: Yeo Kheng Meng (yeokm1@gmail.com)
2. Remember “Reflections on Trusting Trust”?
1984 Turing award lecture by Ken Thompson
• Hack compilers to inject malicious code into output binaries
• Conclusion
• “You can’t trust code that you did not totally create yourself”
• “We can go lower to avoid detection like assembler, loader
or hardware microcode”
3. Threat Model/Paper Abstract
• “we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small and stealthy”
1. “we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values.”
2. “When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value.”
3. “We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor.”
4. We implement this attack in an OR1200 processor and fabricate a chip
Privilege escalation with maliciously-modified hardware
5. Analog vs Digital Circuits
• Analog
• Continuous Signal
• Signal is a fraction of logic level voltage
• Digital
• Discrete
• Usually binary 0 or 1
• 1: High logic voltage
• 0: Low logic voltage
Image from:
https://www.renesas.com/en-us/support/technical-resources/engineer-school/digital-circuits-01-and-circuit-or-circuit-not-circuit.html
6. What is a Capacitor?
https://en.wikipedia.org/wiki/Capacitor
• A capacitor is a passive two-terminal electrical component used to store electrical energy
temporarily in an electrostatic field.
• AKA temporary small-capacity battery
• Capacitor “leaks”
7. Charge Pump Design
• A charge pump is a kind of DC to DC converter that uses capacitors as energy-storage
elements to create either a higher- or lower-voltage power source.
• Clock/Pulse at regular intervals build up a charge in capacitor
8. What is a flip-flop/latch?
• Circuit that has two stable states and can
be used to store state information.
• Example Set-Reset (SR) latch
• 2 Interconnected NOR Gates
An animated SR latch. Black = 1, White = 0
Value is stored in Q, Q’ is the complement.
https://en.wikipedia.org/wiki/Flip-flop_(electronics)#SR_NOR_latch
https://en.wikipedia.org/wiki/NOR_gate

SR Latch Truth table
S  R  Q  Action  Qnext
0  0  Q  Hold    Q
0  1  0  Reset   0
0  1  1  Reset   0
1  0  0  Set     1
1  0  1  Set     1
1  1  X  NA      NA

NOR Gate Operation
Input     Output
A  B      A NOR B
0  0      1
0  1      0
1  0      0
1  1      0
9. Integrated Circuit (IC) Design Process
• Similar to Printed Circuit Board Design
1. Digital Design Phase
• Logic Simulation with HDL: VHDL/Verilog
• Circuit schematic design
2. Backend Design
• Routing, layout
• Design Rule Check (DRC)
• Graphic Database System II (GDSII) file is generated
• GDSII to ICs, Gerbers to PCBs
3. Fabrication
4. Verification
10. Chip Fabrication Process layers
• Front End Of Line (FEOL) contains
• Transistors, Capacitors, Resistors, Flip-Flops
• PCB Analogy: Board Components
• Back End Of Line (BEOL) contains
• Layers of tiny Copper Wiring
• PCB Analogy: Trace layers
• Solder-Bump
• Attachment to host PCB or motherboard
https://upload.wikimedia.org/wikipedia/commons/e/ee/Cmos-chip_structure_in_2000s_%28en%29.svg
11. Attack Components
• Trigger
• Monitors wires and states till the moment to activate payload
• Payload
• Malicious action accomplished when triggered
12. Target Platform
• OpenRISC 1200 processor
• Open source CPU
• Uses 32-bit OR1K instruction set
• 128KB instruction cache
• Implemented as FPGA using VHDL
13. OR1200 Supervision Register
• SM bit
• Determines if current process is user or supervisor
• 0 for usermode, 1 for supervisor mode
• OV bit
• If overflow occurred during last arithmetic operation
• 0 for no overflow, 1 for overflow
Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
14. Attack model
1. Show that analog circuits with a capacitor can create attacks
2. Pick victim wires that will trigger attacks
3. When the capacitors fully charge, they deploy an attack that
changes the flip-flop that holds the privilege bit
4. Stealthily implement this attack in an OR1200 processor
5. Run malicious code to activate the attack
15. 1. Single-stage Analog trigger circuit behaviour model
• Based on charge-pump design
• When Cap Voltage > Threshold, trigger output
• Trigger Input: Victim Wire
• Trigger Time: Time taken to activate trigger at certain trigger frequency
• Retention Time: Time taken to reset trigger after input stops
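A behavioural sketch of the single-stage trigger model on this slide, added here as an example (it is not code from the paper or the talk). The gain, leak and threshold values are constructed, normalised assumptions, chosen only to show how trigger time and retention time fall out of a leaky charge pump and why sparse toggling of the victim wire never asserts the output.

```python
# Added illustration: behavioural model of a single-stage charge-pump trigger.
# All constants are constructed, normalised values (supply = 1.0), not
# measurements from the A2 paper or the fabricated chip.
from dataclasses import dataclass

@dataclass
class ChargePumpTrigger:
    gain: float = 0.05      # share of remaining headroom added per toggle (assumed)
    leak: float = 0.002     # share of capacitor voltage lost per clock cycle (assumed)
    threshold: float = 0.6  # trigger output asserts above this voltage (assumed)
    v_cap: float = 0.0      # current capacitor voltage
    prev: int = 0           # victim-wire value in the previous cycle

    def step(self, wire: int) -> bool:
        """Advance one clock cycle; return True while the trigger output is high."""
        if wire and not self.prev:                 # 0 -> 1 transition pumps charge
            self.v_cap += self.gain * (1.0 - self.v_cap)
        self.v_cap *= 1.0 - self.leak              # capacitor leaks every cycle
        self.prev = wire
        return self.v_cap > self.threshold

def trigger_time(trig, period, max_cycles=20_000):
    """Cycles until the output asserts when the wire pulses once per `period`
    cycles (period >= 2). Returns None if leakage wins and it never asserts."""
    for cycle in range(1, max_cycles + 1):
        if trig.step(1 if cycle % period == 0 else 0):
            return cycle
    return None

def retention_time(trig, max_cycles=20_000):
    """Cycles for the output to drop once the victim wire stops toggling."""
    for cycle in range(1, max_cycles + 1):
        if not trig.step(0):
            return cycle
    return None

if __name__ == "__main__":
    for label, trig, period in [
        ("fast toggling", ChargePumpTrigger(), 2),
        ("fast toggling, leakier capacitor", ChargePumpTrigger(leak=0.01), 2),
        ("fast toggling, stronger pump", ChargePumpTrigger(gain=0.08), 2),
        ("sparse toggling", ChargePumpTrigger(), 50),
    ]:
        print(f"{label}: trigger after {trigger_time(trig, period)} cycles, "
              f"retention {retention_time(trig)} cycles")
```

In this model a leakier capacitor needs more cycles to reach the threshold and a stronger pump needs fewer, while a wire that toggles only once every 50 cycles settles below the threshold and never asserts the output.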
16. 1. Multi-stage Analog trigger circuit behaviour model
• Lower probability of false trigger activation
• Normal operations/benchmarks can “accidentally” trigger a wire
• Software flexibility
• Multiple attack vectors
17. 2. Single-stage trigger victim wire selection
• We use the overflow flag wire as trigger
Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
19. 3. The Attack Payload
• Overwrite register value containing “privilege/supervisor bit”
• Usermode process now given superuser privileges
Reset Latch (Active-Low) Set Latch (Active-High)
20. 4. Attack insertion vector?
• Can be done anywhere along the chain
• Adding in Digital Design Phase?
• Easiest to implement on schematic level
• Easily detected during verification checks
• Tight security of designer’s machines
• Backend?
• Moderate difficulty but still able to find insertion location
• Can be discovered by SPICE simulation
• Tight security of designer’s machines
• Final choice: Fabrication
• Relatively lower security at foundry level
• Requires insider access to GDSII between backend and fabrication
• Tough to detect
21. 4. Stealth implementation on OR1200
• CPU die size is 2.1 mm²
• A2 Analog attack
• 1 gate, 13.4 µm²
• Digital counter-based equivalent of A2
• 91 cells or gates, 382 µm²
22. 5. Pseudocode for single-stage trigger attack
Page 54 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0
https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
Divide by 0
24. Test Results
• It works!
• Voltage range: 0.8V to 1.2V
• Temperature range: -25°C to 100°C
• Result Trends
• ↑ temperature -> ↑ capacitor leakage -> ↑ trigger cycles
• ↑ voltage -> ↑ rate of capacitor accumulation -> ↓ trigger cycles
25. Possible Defences?
• Side Channel?
• Power difference of extra gate in 100000 gates is negligible
• Visual inspection?
• Detecting anomalous 13.4 µm² circuitry in 2.1 mm² die size is impractical
• Split Manufacturing?
• Trusted and expensive
• Untrusted and cheaper
26. Intuitive Split Manufacturing strategy
• Goal: Obfuscate design from untrusted fabricator by
withholding some wires on upper layers
• BUT possible to reverse engineer 96% of “some wires” using
knowledge of layout tools
• J. Rajendran, O. Sinanoglu, and R. Karri, “Is split manufacturing secure?” in
Design, Automation and Test in Europe, ser. DATE, 2013, pp. 1259–1264.
[Diagram labels: Design House; Untrusted/Cheaper Fabricator; Trusted Fabricator and Assembler; GDSII of gates and other wires; GDSII of some wires; Unfinished bottom portion; Assembled chip]
27. Proposed Split Manufacturing strategy
• Split at Level 1
• Untrusted Manufacturer does not make any gates
• However…
• Expensive $$$ to join two copper layers at low layers
• No such process exists
[Diagram labels: Design House; Untrusted/Cheaper Fabricator; Trusted Fabricator and Assembler; FEOL + Metal Level 1; BEOL – Metal Level 1; Unfinished top portion; Assembled chip]
28. Potential for x86 attacks?
• Much harder to detect and easier to implement than on OR1200
• x86 has more registers, A2 only needs one
• x86 has more victim wires
• “The only aspect of scaling to an x86-class processor that we anticipate as a
challenge is maintaining controllability as there are many redundant functional
units inside an x86, so a trigger would either need to tap equivalent wires in all
functional units or be open to some probabilistic effects.”