Hardware Trojans By - Anupam Tiwari

Post on 13-Jan-2017



1260–1180 BC Bronze Age

After a fruitless 10-year siege, the Greeks constructed a huge wooden horse and hid a select force of men inside. The Greeks pretended to sail away; that night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which destroyed the city of Troy.

HARDWARE TROJANS

The views expressed in this presentation are my own. Reference to any specific products, process, or service does not necessarily constitute or imply endorsement, recommendation, or favoring by any Government or the Department of Defense.

ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION PURPOSE.

Not here to

A Hardware Trojan is a Malicious Modification of the circuitry of an integrated circuit.

“Outsourcing the fabrication and design to third parties imputed to the huge scales of requirements and economies involved”

Bogus packaging could disguise a questionable chip as a legitimate one, and baking a chip for 24 hours after fabrication could shorten its life span from 15 years to a scant 6 months.

Adding 1000 extra transistors during either the design or the fabrication process could create a kill switch or a trapdoor, or could enable access for hidden code that shuts everything off.

NICK THE WIRE
A notch in a few interconnects would be almost impossible to detect but would cause eventual mechanical failure as the wire becomes overloaded.

ADD OR RECONNECT WIRING
During the layout process, new circuit traces and wiring can be added to the circuit. A skilled engineer familiar with the chip's blueprint could reconnect the wires to an undesired output.

DESIGN
• Untrusted third-party IP cores
• Untrusted CAD tools
• Untrusted automation scripts
• Untrusted libraries

FABRICATION
• Untrusted foundries

TEST & VALIDATION
• Untrusted if not done in-house
• Trusted if done in-house

LEADING SEMICONDUCTOR IP CORE COMPANIES

The IP core can be described as being for chip design what a library is for computer programming.

Electronic Design Automation (EDA) is a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits. The tools work together in a design flow that chip designers use to design and analyze entire semiconductor chips.

**Focused ion beam is a technique used particularly in the semiconductor industry and materials science for deposition and ablation of materials.

Hardware Trojans
• Physical
  • Distribution
  • Structure
  • Size
  • Type
• Activation
  • Externally
    • Antenna
    • Sensor
  • Internally
    • Always on
    • Conditional
      • Logic
      • Sensor
• Action
  • Transmit
  • Modify Specs
  • Modify Function

Hardware Trojans
• Design Phase
  • Specs
  • Fabrication
  • Test
  • Assembly and Package
• Abstraction Level
  • System Level
  • Development
  • RT Level
  • Gate Level
  • Physical Level
• Effects
  • Change Function
  • Change Specs
  • Leak Info
  • Denial of Service
• Location (Part/Identity)
  • Processor
  • Memory
  • I/O
  • Power Supply
  • Clock
• Activation
  • Always on
  • Triggered
    • Internally
    • Externally

Internet of Things

• 10 billion Devices and Counting

• Everything right from your computer to your phone to your microwave can be compromised without you ever knowing about it.

Logistics Systems and Support domain: Transport Infrastructure, Traffic Control, Metro/Rail Monitoring & Control

Civil Critical Applications: Banking, Stock Market IT Infrastructure

Military Systems: Weapon Control Systems, Satellite Controls, Radar Systems, Surveillance Systems, Decision Support Systems

Aviation and Aeronautics industry: Flight Control Systems, Space Shuttles, Satellites etc.

Miscellaneous: Data Centre IT Infrastructure, Personal Info stored in Clouds, Government Systems in Critical Setups etc.

Attribute: Agency involved to infect
  Hardware Trojans: Pre-fabrication embedding in the hardware IC during manufacturing, or retrofitted later.
  Software Trojans: Resides in the code of the OS or in the running applications and gets activated during execution.

Attribute: Mode
  Hardware Trojans: Third-party untrusted agencies involved in manufacturing ICs at various stages of fabrication.
  Software Trojans: Downloading malicious files from the internet, executing malicious files delivered via social engineering, or common sources such as USB devices etc.

Attribute: Current Remedial Measure available
  Hardware Trojans: Currently none, since once embedded there is no way to remove it other than destroying the chip.
  Software Trojans: Signatures released by antivirus companies and software patches based on behavioural patterns observed.

Attribute: Behavioural Attribute
  Hardware Trojans: Once activated, the behavioural action of the Hardware Trojan cannot be changed.
  Software Trojans: The Trojan's behaviour can change through further updates, patch application etc.

Anatomy of a Hardware Trojan

• Trigger: the events which enable the Trojan payload. Stealth depends on the triggers.

• Payload: the ammo / firepower. Size is not proportional to destruction.

Prior to triggering, a hardware Trojan lies dormant without interfering with the operation of any electronics.

“September 2007, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar.” Source: IEEE Spectrum, 2007

Syrian RADAR Case

Computer Chip in a Commercial Jet Compromised

• The method involves accessing and sending instructions to the chip housed on smart batteries

• Completely disables the batteries on laptops, making them permanently unusable.

• Perform a number of other unintended actions like false reporting of battery levels, temperature etc.

• Could also be used for more malicious purposes down the road.

Laptop Batteries Can Be Bricked

An advantageously contrived backdoor, implanted at an untrusted fabrication facility involved in manufacturing a typical PC processor, can be exploited by a software antagonist at a later scheduled time.

This kind of backdoor in a processor will never be divulged by the run-of-the-mill or state-of-the-art antivirus versions predominantly available COTS.

• Sabotage on the Cryptographic Capability of Intel Processor

• Reduces the entropy of the random number generator from 128 bits to 32 bits.

• Accomplished by changing the doping polarity of a few transistors.

• Undetectable by built in self tests and physical inspection.

Intel Ivy Bridge Can’t Keep Your Secret

**Entropy is the randomness collected by an application for use in cryptography.

To operate, a hardware Trojan needs ground and a power supply, which can be low or high depending on the design it is based on.

A Trojan that requires a low-end power supply will have a low chance of being detected, whereas a Trojan requiring a higher power supply would stand a larger chance of detection.

GOLDEN MODEL FABRICATION

A Golden Chip is a chip which is known to not include malicious modifications.

The HINT (Holistic Approaches for Integrity of ICT-Systems) project addresses these challenges by proposing the development of novel technologies that provide a means of confirming that a system is genuine and unmodified, and that help to ensure the authenticity and integrity of the hardware components used in a given system.

Countermeasures For Hardware Trojans
• Trojan Detection Approaches
• Design For Security
  • Prevent Insertion
  • Facilitate Detection
• Run Time Monitoring
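As an added illustration that is not part of the original deck, the toy Python model below ties together the trigger/payload anatomy, the power-footprint argument and the golden-chip comparison from the slides above: a 32-bit block serves as the golden reference, while a Trojaned copy carries an always-on comparator on the low `trigger_bits` of the input and a payload that flips one output bit. The mixing function, trigger value, Weyl test-vector set, background switching constant and toggle-count power proxy are all constructed for this example.

```python
"""Toy model of a triggered hardware Trojan against two detection approaches.
Constructed example (not from the slides): a 32-bit block is the golden
reference; the Trojaned copy adds an always-on comparator on the low
`trigger_bits` of the input and a payload that flips one output bit.
Dynamic power is approximated by counting bit toggles per clock cycle."""

MASK32 = 0xFFFFFFFF
TRIGGER_VALUE = 0xDEADBEEF  # constructed rare input pattern that arms the payload
BACKGROUND_TOGGLES = 500    # constructed: switching of the rest of the die per cycle

def golden(x: int) -> int:
    """Trusted reference block: a 32-bit integer mixing step."""
    x = (x ^ (x >> 16)) & MASK32
    return (x * 0x45D9F3B) & MASK32

def trojaned(x: int, trigger_bits: int) -> int:
    """Golden function plus Trojan: flips output bit 0 only when the low
    `trigger_bits` of the input equal those of TRIGGER_VALUE (trigger_bits >= 1)."""
    mask = (1 << trigger_bits) - 1
    y = golden(x)
    return y ^ 1 if (x & mask) == (TRIGGER_VALUE & mask) else y

def test_vectors(n: int = 1000) -> list:
    """Constructed deterministic test set: a Weyl sequence with good bit diffusion."""
    return [(i * 0x9E3779B1) & MASK32 for i in range(n)]

def functional_test_passes(trigger_bits: int, vectors) -> bool:
    """Golden-model functional comparison: True means the Trojan stayed dormant."""
    return all(trojaned(v, trigger_bits) == golden(v) for v in vectors)

def toggles(vectors, trigger_bits: int = 0) -> int:
    """Side-channel proxy: output + background toggles, plus comparator input toggles
    for the Trojaned chip (trigger_bits > 0). The comparator switches every cycle,
    whether or not the trigger condition is met, so its footprint is always present."""
    mask = (1 << trigger_bits) - 1
    total, prev_in, prev_out = 0, 0, 0
    for v in vectors:
        out = trojaned(v, trigger_bits) if trigger_bits else golden(v)
        total += bin(prev_out ^ out).count("1") + BACKGROUND_TOGGLES
        total += bin((prev_in ^ v) & mask).count("1")
        prev_in, prev_out = v, out
    return total

def power_excess(trigger_bits: int, vectors) -> float:
    """Relative excess switching of the Trojaned chip over the golden chip."""
    ref = toggles(vectors)
    return (toggles(vectors, trigger_bits) - ref) / ref

if __name__ == "__main__":
    vecs = test_vectors()
    for bits in (8, 32):  # narrow trigger vs. wide trigger
        print(bits, functional_test_passes(bits, vecs), f"{power_excess(bits, vecs):.2%}")
```

The narrow 8-bit trigger fires during the functional sweep and is caught by golden-model comparison, while the 32-bit trigger stays dormant under the same vectors but its larger always-on comparator shows up as a bigger excess against the golden chip's switching profile, which is the trade-off behind "low power Trojans are harder to detect".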

Key Takeaway #1
Hardware is the Root of Trust; even a small malicious modification can be devastating to system security.

Key Takeaway #2
Virtually any and every electronic system around us can potentially be compromised.

Key Takeaway #3
Most semiconductor companies OUTSOURCE their manufacturing due to the high capital and operational costs.

Key Takeaway #4
The trust in the chip design process is broken.

Key Takeaway #5
A Hardware Trojan is near impossible to detect in tests because it is designed to trigger in mission mode.

Key Takeaway #6
Long-term research can bring built-in security and tamper resistance to IC designs. However, in the short term, the threat can be mitigated by making the supply chain trusted.

• http://www.eetimes.com/electronics-news/4373667/Report-reveals-fake-chips-in-military-hardware
• http://www.theatlanticwire.com/technology/2011/06/us-military-fake-microchips-china/39359/
• https://citp.princeton.edu/research/memory/media/
• Cyber security in federal government, Booz Allen Hamilton
• The hunt for the kill switch, IEEE Spectrum, May 2008
• Report of the Defense Science Board Task Force on High Performance Microchip Supply, Defense Science Board, US DoD, Feb. 2005; http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf
• Innovation at Risk: Intellectual Property Challenges and Opportunities, Semiconductor Equipment and Materials International, June 2008
• www.darpa.mil/mto/solicitations/baa07-24/index.html
• Towards a comprehensive and systematic classification of hardware Trojans, J. Rajendran et al.
• http://larc.ee.nthu.edu.tw/~cww/n/625/6251/05DFT0603.pdf
• X. Wang, M. Tehranipoor, and J. Plusquellic, Detecting Malicious Inclusions in Secure Hardware: Challenges and
• Hardware Trojan: Threats and Emerging Solutions, Rajat Subhra Chakraborty et al.

I am at :

anupam605@gmail.com

http://about.me/anupam.tiwari