- June 15, 2016
- What's Behind
During the 37th IEEE Symposium on Security and Privacy, researchers from the University of Michigan presented a paper called "A2: Analog Malicious Hardware", which won the "best paper" award. The researchers introduced a novel hardware attack, which can be implemented during the fabrication process of a chip. The researchers inserted a tiny and stealthy hardware backdoor (Trojan) into a processor, which enabled them to controllably trigger privilege escalation in the hardware level and essentially gain full access to the operating system. The backdoor is undetectable and existing defences from malicious hardware injections during fabrication are not effective against this new attack. Hence, this attack is quite alarming since it is a reminder that a compromise on the hardware level could render correctly implemented security policies on the software level useless.
Transistors are getting smaller and smaller while increasing their performance and keeping their power at low levels. This comes with additional cost and makes chip fabrication expensive especially due to the additional retooling costs introduced by each new generation of transistors. For that reason, most companies outsource their hardware fabrication. This loss of control exposes them to any mischief that can be done by a malicious contractor, leaving these companies open to hardware attacks. Furthermore, the whole design process of a chip involves different parties worldwide and even different teams within the same company, which is a window of opportunity for attacks in different stages of the design process.
How does the attack work?
The researchers introduced a fabrication-time attack, i.e. it can be implemented after the design of the chip, when it is ready to be fabricated. Hence, the assumption is that the attacker is someone with access to the chip fabrication facility, e.g. a rogue engineer. A fabrication-time attack in comparison to an attack during the initial design stages is more likely to succeed since it passes through less verification steps and more people involved in the process, i.e. more potential attackers.
The researchers used the open source OR1200 processor for the proof of concept. To keep the backdoor small and undetectable instead of adding a new piece of circuit or modifying the existing circuit layout they only added a capacitor and a few transistors within a single gate in a free area of the chip. A capacitor is an electrical component that temporarily stores electrical energy. In their approach, the capacitor is attached to a wire that serves as a charger. Every time the wire next to the capacitor toggles from "off" to "on" it also charges the capacitor by a little. If this does not happen frequently, the capacitor discharges due to natural charge leakage and the backdoor remains dormant. Thus, the stealthy part of the attack lies to the capacitor's natural properties. If the wire toggles frequently in a controlled manner, i.e. by using specially crafted software, the capacitor is eventually fully charged. As soon as the capacitor's voltage value surpasses a certain threshold, it triggers the gate and the payload is activated. The payload's output could be attached to a flip-flop, changing its value determined by the attacker. In this particular attack, the payload forces the victim flip-flop which controls the system's privilege modes (i.e. user or supervisor mode) to change value and grant the attacker supervisor mode privileges. This enables a successful privilege escalation attack in the hardware level and gives full and unrestricted access to the operating system.
Severity of the attack
There are a number of factors indicating the severity of this attack:
- It is a hardware attack. The main concern with hardware attacks is that they can compromise all layers of a system that depend on that hardware. Moreover, such attacks challenge the assumptions often made around the security of hardware indicating how a chip's functions can be exploited in a non-expected way.
- Its wide reach. This hardware attack affects processors that are usually produced in mass scale for a variety of applications. The proof of concept developed in this paper targets the OR1200 processor, which is intended for use in a variety of embedded applications, including telecommunications, portable media, home entertainment, and automotive applications. However, the attack is not limited to this specific chip; the paper provides insight on how the same attack could be implemented on different types of processors.
- The threat is imminent. Even though this attack has only been published recently, it is unknown whether it has been previously implemented in the wild or not. On the other hand if the threat has not yet been exploited, the current environment still allows for such an attack to occur, which is why the focus should be on potential prevention and detection of these classes of attacks.
- Resilience to current defences. While hardware security analysis techniques exist, e.g. visual analysis of a chip or measuring its power consumption to spot anomalies, it would be very challenging or even impossible to adapt those to this particular ingenious attack.
- Stealthiness. This attack deals with a microscopic hardware backdoor on a single component with dimensions of less than a thousandth of the width of a human hair, hidden among hundreds of millions of similar components. Moreover, this attack makes use of a sophisticated trigger, which renders the attack quite dangerous because it remains stealthy and cannot be accidentally triggered from post-fabrication tests or ordinary software rather than from the attacker who knows exactly how to replicate the exact same, long, obscure series of commands to open and expose the backdoor.
What can be done?
This hardware attack exposes weaknesses in the current hardware defences. It should therefore motivate the development of more advanced defensive techniques. The researchers suggest that the best method for detecting their attack "is some form of runtime verification that monitors a chip's behaviour in the digital domain". A promising future defence suggested by the researchers is the split manufacturing approach. Typical split manufacturing involves dividing a chip into two parts, allowing one part to be fabricated by a low cost, yet untrusted, fabrication house, while the other part is fabricated in a trusted fabrication house, which is also responsible for assembling of the entire chip. The researchers however suggested a more advanced implementation of this approach that would work against their attack, but it is challenging to enforce, both manufacturing wise and financially.
The study, together with the implemented proof of concept, reveals that this threat is imminent. The recommendations aimed at preventing or detecting such an attack could take time and money to implement. However, the attack outlines the need to rethink the design process particularly in terms of trust. This new information should also encourage dialogue between various actors such as designers and fabricators particularly in the establishment of trust. Hardware manufacturers should consider the context in which their products will be used, and need to take the appropriate security consideration when developing usage and implementation guidelines.
About "What's Behind" from ENISA
With the "What's Behind" series ENISA aims at giving the interested reader some in-depth background about NIS related topics. The background is derived from past experiences and common sense; in no way should "What's Behind" be understood as recommended course of action in a specific incident or investigation, or being a final conclusion. Feel free to get in touch with ENISA to discuss or inquire more information on the "What's Behind" series (firstname.lastname@example.org).