“Chinese Cyberwarriors in your Chips?” (http://goo.gl/XK2WI at Computerworld) #FPGAbackdoor

Chinese Cyberwarriors in your Chips?

Perhaps, but the Cambridge ones are more interesting

The security interwebs this morning are alive with reference to Sergei Skorobogatov’s webpage at Cambridge, the key quote from which is:

We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

I recommend against panic.

Instead there are a bunch of questions to ask:

What’s the threat?

…read more, or comment at Unscrewing Security

Comments

2 responses to ““Chinese Cyberwarriors in your Chips?” (http://goo.gl/XK2WI at Computerworld) #FPGAbackdoor”

  1. Dave Walker

    Ah, the “Manchurian silicon” chestnut. It’s pretty inevitable it would surface in reality eventually, and having kept an eye on their work for a while, I’m pleased and unsurprised it was Skorobogatov et al. who found it.

    The threat model for this kind of embedded malware is interesting; the mal-ness has to be disabled by default so that product will pass standard-harness testing (and complicated enough to enable that it has a chance of surviving fuzzing), but not only does there then need to be a means of turning the mal-ness on, but a way of getting instructions to the chip to do so.

    Finally, it’s a chip. It hasn’t necessarily been built into something, much less sold to someone, by the time it leaves the country – so it’s very much a scattergun approach that it might find its way into something that has an interesting context.

    I mentioned to someone from ARM, a couple of months back, that one of the less-appreciated properties of ARM cores is that, as they are meticulous in keeping the transistor count and power consumption down, it’ll be easier to spot if something has been sneaked onto an ARM-based SoC than if a different architecture was used…

  2. Dave Walker

    Dunno if this has been mentioned elsewhere yet, but I thought of something a while back when I first heard of this class of threat. Typically, a design house will ship a chip design to a manufacturer in the form of a pile of VHDL, Verilog or some other silicon design language (wonder if anyone does Handel C yet?). For a manufacturer, it would be “a matter of programming” to take this code, add a maliciously-inclined macrocell to it, and send it on for the final elements of layout and all the subsequent processes associated with manufacture.

    Now, I know this sounds very much like consumer DRM (which I have logical reasons to hate, on the grounds that it can’t work), but how worthwhile might it be to raise the tampering difficulty for the manufacturer, by shipping them already laid-out maps of the masks, or similar?

    (Disclaimer: I may have academic qualifications in this, but fabrication has changed so much in the 20 years since I did them, that some of my concepts around masks and photo-etching will be out of date; people were just starting to use particle beams to drill electron sinks instead, and the required bias on a modern transistor element is less than what the back EMF was in my day. Still, the idea’s there – “ship the manufacturer something considerably more difficult to tamper with”…)
