Hardware Trojans By - Anupam Tiwari

1260–1180 BC Bronze Age


After a fruitless 10-year siege, the Greeks constructed a huge wooden horse and hid a select force of men inside. The Greeks pretended to sail away, and that night the Greek force crept out of the horse, opened the gates for the rest of the Greek army, and destroyed the city of Troy.


HARDWARE TROJANS


The views expressed in this presentation are my own. Reference to any specific products, process, or service does not necessarily constitute or imply endorsement, recommendation, or favoring by any Government or the Department of Defense.

ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION PURPOSE.


Not here to


A Hardware Trojan is a malicious modification of the circuitry of an integrated circuit.


“Outsourcing the fabrication and design to third parties imputed to the huge scales of requirements and economies involved”


Bogus packaging could disguise a questionable chip as a legitimate one, and baking a chip for 24 hours after fabrication could shorten its life span from 15 years to a scant 6 months.

Adding 1000 extra transistors during either the design or the fabrication process could create a kill switch or a trapdoor or could enable access for a hidden code that shuts off all.

NICK THE WIRE: A notch in a few interconnects would be almost impossible to detect but would cause eventual mechanical failure as the wire becomes overloaded.

ADD OR RECONNECT WIRING: During the layout process, new circuit traces and wiring can be added to the circuit. A skilled engineer familiar with the chip's blueprint could reconnect the wires to an undesired output.


DESIGN
• Untrusted third-party IP cores
• Untrusted CAD tools
• Untrusted automation scripts
• Untrusted libraries

FABRICATION
• Untrusted foundries

TEST & VALIDATIONS
• Untrusted if not done in-house
• Trusted if done in-house


LEADING SEMICONDUCTOR IP CORE COMPANIES

The IP core can be described as being for chip design what a library is for computer programming.


Electronic Design Automation (EDA) is a category of software tools for designing electronic systems such as printed circuit boards and integrated circuits.

The tools work together in a design flow that chip designers use to design and analyze entire semiconductor chips.


****Focused ion beam is a technique used particularly in the semiconductor industry and materials science for deposition and ablation of materials.


Hardware Trojans
• Physical
  • Distribution
  • Structure
  • Size
  • Type
• Activation
  • Externally
    • Antenna
    • Sensor
  • Internally
    • Always on
    • Conditional
      • Logic
      • Sensor
• Action
  • Transmit
  • Modify Specs
  • Modify Function


Hardware Trojans
• Design Phase
  • Specs
  • Fabrication
  • Test
  • Assembly and Package
• Abstraction Level
  • System Level
  • Development
  • RT Level
  • Gate Level
  • Physical Level
• Effects
  • Change Function
  • Change Specs
  • Leak Info
  • Denial of Service
• Location Part/Identity
  • Processor
  • Memory
  • I/O
  • Power Supply
  • Clock
• Activation
  • Always on
  • Triggered
    • Internally
    • Externally


Internet of Things

• 10 billion Devices and Counting

• Everything right from your computer to your phone to your microwave can be compromised without you ever knowing about it.


Logistics Systems and Support domain: Transport Infrastructure, Traffic Control, Metro/Rail Monitoring & Control


Civil Critical Applications: Banking, Stock market IT Infrastructure


Military Systems: Weapon Control systems, Satellite controls, Radar systems, Surveillance Systems, Decision support Systems.


Aviation and Aeronautics industry: Flight control systems, Space Shuttles, Satellites etc.


Miscellaneous: Data centers IT Infrastructure, Personal Info stored in Clouds, Government Systems in Critical Setups etc.


| Attribute | Hardware Trojans | Software Trojans |
|---|---|---|
| Agency involved to infect | Pre-fabrication embedding in the hardware IC during manufacturing, or retrofitted later. | Resides in code of the OS or in the running applications and gets activated during execution. |
| Mode | Third-party untrusted agencies involved in manufacturing ICs in various stages of fabrication. | Downloading malicious files from the internet, executing malicious files via social engineering methods, or common sources such as USB etc. |
| Current remedial measure available | Currently none, since once embedded there is no way to remove it other than destroying it. | Signatures released by antivirus companies and software patches based on the behavioral pattern observed. |
| Behavioral attribute | Once activated, the behavioral action of the Hardware Trojan cannot be changed. | A Trojan's behavior can change through a further update or patch application etc. |


Anatomy of a

Events which enable the Trojan Payload

Stealth depends on Triggers

The Ammo / firepower

Size is not proportional to destruction

Prior to triggering, a hardware trojan lies dormant without interfering with the operation of any electronics.


“September 2007, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of Syrian radar, supposedly state of the art, to warn the Syrian military of the incoming assault. It wasn’t long before military and technology bloggers concluded that this was an incident of electronic warfare and not just any kind. Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar”

Source: IEEE Spectrum, 2007

Syrian RADAR Case


Computer Chip in a Commercial Jet Compromised


• The method involves accessing and sending instructions to the chip housed on smart batteries

• Completely disables the batteries on laptops, making them permanently unusable.

• Performs a number of other unintended actions like false reporting of battery levels, temperature etc.

• Could also be used for more malicious purposes down the road.

Laptop Batteries Can Be Bricked


An advantageously contrived backdoor implanted at an untrusted fabrication facility involved in manufacturing a typical PC processor can be exploited by a software antagonist at a later, scheduled time.

This kind of backdoor in a processor will never be revealed by the run-of-the-mill or state-of-the-art antivirus versions predominantly available as COTS.


• Sabotage on the Cryptographic Capability of Intel Processor

• Reduces the entropy of the random number generator from 128 bits to 32 bits.

• Accomplished by changing the doping polarity of a few transistors.

• Undetectable by built in self tests and physical inspection.

Intel Ivy Bridge Can’t Keep Your Secret

**entropy is the randomness collected by an application for use in cryptography


To operate, a hardware Trojan needs ground and a power supply, which can be low or high depending on the design it is based on.

A Trojan that requires a low-end power supply has a low chance of being detected, whereas a Trojan requiring a higher power supply has a greater chance of detection.


GOLDEN MODEL FABRICATION

A Golden Chip is a chip which is known to not include malicious modifications.
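The golden-chip reference and the earlier point about Trojan power draw can be combined into a simple side-channel screen. This is an added example, not part of the original presentation; the current readings, the 3-sigma threshold and every function name are constructed for illustration.

```python
from statistics import mean, stdev

# Constructed supply-current readings (mA) taken from golden chips while they
# run one fixed test pattern. The spread stands in for process variation.
GOLDEN_MA = [50.2, 49.8, 50.5, 49.6, 50.1, 49.9, 50.3, 49.7, 50.0, 49.9]

# Constructed devices under test: (label, measured current in mA).
DEVICES_MA = [
    ("clean part", 50.1),
    ("Trojan drawing +0.3 mA", 50.3),
    ("Trojan drawing +2.0 mA", 52.0),
]


def golden_profile(samples):
    """Return (mean, standard deviation) of the golden population."""
    return mean(samples), stdev(samples)


def z_score(reading, profile):
    """Distance of one reading from the golden mean, in standard deviations."""
    mu, sigma = profile
    return (reading - mu) / sigma


def classify(reading, profile, threshold=3.0):
    """Flag a chip whose current falls outside the golden process spread."""
    return "suspect" if abs(z_score(reading, profile)) > threshold else "pass"


def min_detectable_extra_ma(profile, threshold=3.0):
    """Smallest extra draw (mA) on a nominal chip that crosses the threshold."""
    return threshold * profile[1]


def screen(devices, golden=GOLDEN_MA):
    """Classify every device against the golden profile."""
    profile = golden_profile(golden)
    return {label: classify(ma, profile) for label, ma in devices}


if __name__ == "__main__":
    profile = golden_profile(GOLDEN_MA)
    print(f"golden mean={profile[0]:.2f} mA, sigma={profile[1]:.3f} mA")
    print(f"detection floor: +{min_detectable_extra_ma(profile):.2f} mA")
    for label, verdict in screen(DEVICES_MA).items():
        print(f"{label}: {verdict}")
```

With these constructed numbers the detection floor is about 0.84 mA, so the 0.3 mA Trojan hides inside normal process variation while the 2.0 mA one is flagged.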


The HINT (Holistic Approaches for Integrity of ICT-Systems) project addresses these challenges by proposing the development of novel technologies to provide a means of approval that a system is genuine and unmodified and helps to ensure the authenticity and integrity of the hardware components used in a given system.


Countermeasures For Hardware Trojans
• Trojan Detection Approaches
• Design For Security
  • Prevent Insertion
  • Facilitate Detection
• Run Time Monitoring


Hardware is the Root of Trust; Even a small malicious modification can be devastating to system security

Key Takeaway #1


Key Takeaway #2

Virtually any and every Electronic System around us can be potentially Compromised.


Key Takeaway #3

Most semiconductor companies OUTSOURCE their manufacturing due to the high capital and operational costs


Key Takeaway #4

The trust in the chip Design process is Broken


A Hardware Trojan is near impossible to detect in tests because it is designed to trigger in mission mode

Key Takeaway #5


Long term research can bring built in security and tamper resistance in IC designs. However, for short term, the threat can be mitigated by making the supply chain trusted.

Key Takeaway #6


• http://www.eetimes.com/electronics-news/4373667/Report-reveals-fake-chips-in-military-hardware
• http://www.theatlanticwire.com/technology/2011/06/us-military-fake-microchips-china/39359/
• https://citp.princeton.edu/research/memory/media/
• Cyber security in federal government, Booz Allen Hamilton
• The hunt for the kill switch, IEEE Spectrum, May 2008
• "Report of the Defense Science Board Task Force on High Performance Microchip Supply," Defense Science Board, US DoD, Feb. 2005; http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf
• "Innovation at Risk Intellectual Property Challenges and Opportunities," Semiconductor Equipment and Materials International, June 2008
• www.darpa.mil/mto/solicitations/baa07-24/index.html
• Towards a comprehensive and systematic classification of hardware Trojans, J Rajendran et al.
• http://larc.ee.nthu.edu.tw/~cww/n/625/6251/05DFT0603.pdf
• X. Wang, M. Tehranipoor, and J. Plusquellic, "Detecting Malicious Inclusions in Secure Hardware: Challenges and
• Hardware Trojan: Threats and Emerging Solutions, Rajat Subhra Chakraborty et al.