HITB2010 - Hack In The Box Security Conference
Source: conference.hackinthebox.org/hitbsecconf2010kul/materials/D1T2 - M…
Page 1
Beyond the Focus Penetration Testing in Future Hardware: Fuzzing the RTL
Mary Yeoh Intel Penang Design Center (iPDC)
Intel Corporation Penang, Malaysia
Page 2
Legal Disclaimer Today’s presentation may contain forward-looking statements. All statements made that are not historical facts are subject to a number of risks and uncertainties, and actual results may differ materially. Please refer to our most recent Earnings Release and our most recent Form 10-Q or 10-K filing available on our website for more information on the risk factors that could cause actual results to differ. INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The Intel® Core™ Microarchitecture, Intel® Atom, Intel® Pentium, Intel® Pentium II, Intel® Pentium III, Intel® Pentium 4, Intel® Pentium Pro, Intel® Pentium D, Intel® Pentium M , Itanium®, Xeon® may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. 
This document contains information on products in the design phase of development. Do not finalize a design with this information. Revised information will be published when the product is available. Verify with your local sales office that you have the latest datasheet before finalizing a design. All dates specified are target dates, are provided for planning purposes only and are subject to change. All products, dates, and figures specified are preliminary based on current expectations, provided for planning purposes only, and are subject to change without notice. Intel and the Intel logo is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands are the property of their respective owners. Copyright © 2009, Intel Corporation
Page 3
Agenda
Introduction to Chip Design
The Problem
The Proposal
Fuzzing the RTL
Page 5
Intel Inside … (IA): Netbooks/Nettops, NAND, Visual Computing, Embedded Health, Handhelds, Consumer Electronics, WiMAX, Desktop, Notebook, Server
As our future becomes increasingly connected, Intel is developing advanced technologies that are enabling an entirely new line of laptops, Mobile Internet Devices (MIDs), and more.
Page 6
Sand To Silicon Video
Page 7
Technology in Present Day
With >100,000,000 transistors in one IC (Integrated Circuit)
Figure labels: Wafer, One IC, One Functional Block Level, Basic 2-Transistor Gate
Page 8
Chip Design Process
Architectural Design: Technology Trend, Specification, µ-Arch
Logic Design (Logic Design process): RTL, Logic Simulation, Logic Synthesis, Gate Level Simulation
Physical Design: Floor plan – P&R – Clk Tree – LVS - DRC, Tapeout
Page 9
Register Transfer Level (RTL)
Verilog RTL Code (flip-flop model; the slide shows only the if/else, the enclosing always block is assumed):
always @(posedge CLK) begin
  if (CLK === 1'bX) begin
    F <= #100 {1{1'bX}};      // unknown clock propagates X to the output
  end else begin
    F <= #100 S | (~C & F);   // S sets, C clears, otherwise F holds its value
  end
end
Schematic labels: Q, QSET, CLR, DS F, C, CLK
- High-level representation of a circuit
- Circuit behavior: transfer of data between hardware registers; logical operations performed on the signals
- 2 elements – registers and combinational logic
- Hardware Description Language – Verilog, VHDL
Page 11
The Problem
- Complexity: many features implemented in a single chip
- Hackers: creative, attack methods have no boundary
A bug that escapes could control millions of gates.
Does it mean an attack cannot be pre-planned, and that it just happens on the platform?
Page 12
Security Testing in Chip Design …
Architectural Design: Technology Trend, Specification, µ-Arch
Logic Design (Logic Design process): RTL, Logic Simulation, Logic Synthesis, Gate Level Simulation
Physical Design: Floor plan – P&R – Clk Tree – LVS - DRC, Tapeout
Security Testing (overlaid on the flow)
Page 13
The Evolution: from Focus RTL Testing to Fuzzing the RTL
Page 14
Focus Penetration Testing
Focus Testing: one test per specific target
Diagram labels: Entry Point, Access Control
Page 15
Dynamic Security Testing - Fuzzing
Directed Random Testing (Fuzzing): a group of tests targeting a sub-domain
Multiple Access Controls: independent Access Controls can be tested in the same group of tests
Diagram labels: Entry Point, Input weight, X, Access Control, Access Control
Page 17
Dynamic Security Testing (DST) Benefit - Coverage comparison
DST: capable of generating much higher coverage than pure focus testing
Fuzzing: test input to hit all of the Comprehensive Attack Scenarios + Specific Attack Scenarios
  Total Security Coverage = Comprehensive Attack Scenarios + Specific Attack Scenarios + Additional Scenarios generated from Fuzzing
Focus Testing: testing on specific scenarios only
  Total Security Coverage = Specific Attack Scenarios
Page 19
How?
Page 20
Threat Model
Diagram labels: Access Control, Asset (key), Asset (data), Threat Agent
Page 21
Testing Analysis
Logic Path from Threat Agent to Asset: potential path taken by the Threat Agent
Diagram labels: Asset (Key), Asset (data), Threat Agent, Access Control
Page 22
Domain to Test
Logic Path from Threat Agent to Asset: potential path taken by the Threat Agent
Diagram labels: Asset (Key), Asset (data), Threat Agent, Access Control
Page 23
Partition the Testing Environment
Logic Path from Threat Agent to Asset: potential path taken by the Threat Agent
Diagram labels: Asset (Key), Asset (data), Threat Agent, Access Control
Page 24
AES128_FAST block diagram: inputs CLK, RST, START, MODE, LOAD, KEY, DATA_IN, DFT1, DFT2; outputs DATA_OUT, DONE, DFTOUT
Page 25
What can you do to attack a design in the RTL phase?
Page 26
Infrastructure …
(Chip design flow: Architectural Design: Technology Trend, Specification, µ-Arch; Logic Design (Logic Design process): RTL, Logic Simulation, Logic Synthesis, Gate Level Simulation; Physical Design: Floor plan – P&R – Clk Tree – LVS - DRC, Tapeout)
What you need: Logic Simulator, RTL code, Specification
Page 27
Get the Specification
- Get a product specification
- Relationship of the Asset, Threat Agent and Access Control according to the specification
Page 28
Specification – an example
AES128_FAST block diagram: inputs CLK, RST, START, MODE, LOAD, KEY, DATA_IN, DFT1, DFT2; outputs DATA_OUT, DONE, DFTOUT
Requirement: The unencrypted/decrypted data, as well as the key, are protected from the Threat Agents between the LOAD and DONE assertion.
Page 29
Get the RTL code
Which RTL code is used by the product? - Available IPs? - Proprietary IPs?
- Free open source IP: http://www.opencores.org/mailman/listinfo/cores
- Commercial IP
- Write your own code … if you are interested, see VHDL Tutorial: Learn by Example http://esd.cs.ucr.edu/labs/tutorial/
Note: For this presentation, the aes_crypto_core was downloaded from OpenCores (www.opencores.org), with some modification.
Page 30
Get the Logic Simulator
- Open source logic simulators - Verilator, VeriWell, etc.
- Commercial logic simulators - LogicSim, ModelSim, VCS, etc. - Some may have a free version for students
- For a more complete list, http://en.wikipedia.org/wiki/List_of_Verilog_Simulators
Note: For this presentation, the logic simulator used was VCS
Page 31
Environment Setup for VCS
- Installation path: download from VCS …
- Source the setup file; the synopsys_sim.setup file holds the list of libraries and common settings
Page 32
Analyze the design
• vhdl file: vhdlan <file name>
• verilog file: vlogan <file name>
• system verilog file: vlogan -sverilog <file name>
• Other simple switches:
  – -f <file containing the list of design files to compile>
  – -work <target library name>
NOTE: For this presentation, VHDL code was used.
Page 33
Elaboration
- to run in ucli: vcs <top module / testbench>
- to run in gui: vcs -debug_all <top module / testbench>
Page 34
Simulation
- run simulation and stop when $finish is called: simv
- run simulation in ucli: simv -ucli
- run simulation in dve: simv -gui
Page 35
Summary – steps to bring up RTL Simulation
To run the simulation, at the DVE command line: dve> run 3us
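The analyze / elaborate / simulate steps above are usually wrapped in a small driver so that a regression can be re-run after every design fix. The script below is an added example, not code from the talk; it only composes and runs the command lines the slides list (vhdlan, vlogan -sverilog, vcs -debug_all, simv -ucli / -gui). It assumes the Synopsys tools are on PATH and the synopsys_sim.setup environment has already been sourced; the file names and top-level name in the dry run are hypothetical.

```python
"""Bring-up driver for the VCS steps on the slides: analyze (vhdlan / vlogan),
elaborate (vcs) and simulate (simv). Added example, not from the talk.
Assumes the Synopsys tools are on PATH and synopsys_sim.setup is sourced."""
import subprocess
from pathlib import Path


def analyze_cmd(src, work=None):
    """'Analyze the design': choose vhdlan or vlogan by file extension."""
    ext = Path(src).suffix.lower()
    if ext in (".vhd", ".vhdl"):
        cmd = ["vhdlan"]
    elif ext == ".sv":
        cmd = ["vlogan", "-sverilog"]
    elif ext == ".v":
        cmd = ["vlogan"]
    else:
        raise ValueError(f"unsupported HDL source: {src}")
    if work:
        cmd += ["-work", work]          # -work <target library name>
    return cmd + [src]


def elaborate_cmd(top, gui=False):
    """'Elaboration': vcs <top>, or vcs -debug_all <top> for a DVE session."""
    return ["vcs", "-debug_all", top] if gui else ["vcs", top]


def simulate_cmd(mode="batch"):
    """'Simulation': simv runs to $finish; -ucli and -gui open UCLI / DVE."""
    flags = {"batch": [], "ucli": ["-ucli"], "gui": ["-gui"]}
    return ["./simv"] + flags[mode]     # vcs writes simv into the working directory


def bring_up(sources, top, work=None, gui=False, mode="batch", dry_run=False):
    """Run the three steps in order and return the command lines.
    Stops at the first failing step (check=True) unless dry_run is set."""
    cmds = [analyze_cmd(s, work) for s in sources]
    cmds.append(elaborate_cmd(top, gui))
    cmds.append(simulate_cmd(mode))
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run for a hypothetical VHDL AES core and its testbench (names made up).
    for cmd in bring_up(["aes_core.vhd", "tb_aes.vhd"], "tb_aes", work="work",
                        gui=True, mode="gui", dry_run=True):
        print(" ".join(cmd))
```

With dry_run set the driver prints the exact commands it would issue, which is a convenient way to check the -work library and analyzer selection before a long elaboration.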
Page 36
Fuzzing the RTL – an example
Stimulus table (value per clock cycle):
CLK    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
START  0 0 1 0 0 1 0 0 0 0 0  0  0  0  0  0  0  0  0  0  0  0
LOAD   1 1 1 1 0 0 0 0 0 0 0  0  0  0  0  0  0  0  0  0  0  0
MODE   0 0 1 0 0 0 0 0 0 0 0  0  0  0  0  0  0  0  0  0  0  0
DFT1   0 0 1 0 0 0 0 1 0 0 1  1  0  1  0  1  1  1  1  1  1  1
DFT2   1 0 1 1 0 0 0 1 0 0 1  0  0  0  0  1  1  0  0  1  1  1
Signal partition:
Access Control   Threat Agent   Asset
START            DFT1           KEY
LOAD             DFT2           DATA_IN
MODE                            DATA_OUT
- Fuzzing at Access Control and Threat Agent (inputs)
- Monitor the Asset
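The partition above (fuzz the Access Control and Threat Agent inputs, monitor the Asset, check the LOAD-to-DONE protected period from the specification) can be exercised end to end on a small cycle model before it is wired into a real testbench. The harness below is an added example, not code from the talk: the Dut class is a hypothetical Python model of an AES wrapper with a DFT scan path, not the OpenCores aes_crypto_core the talk used, and its "bug" is a constructed spec misread (the scan path is gated only while the core is running, START to DONE, instead of for the whole LOAD-to-DONE window the requirement demands). The stimulus table from the slide is embedded as one iteration; the weighted random generator reflects the "input weight" of the fuzzing slide, and the coverage set is a minimal form of the coverage-based validation mentioned in the Notes slide. The key and data values, the latency and the weights are all made up.

```python
"""Directed random (fuzz) testing of a toy RTL cycle model: fuzz Access Control
(START/LOAD/MODE) and Threat Agent (DFT1/DFT2), monitor the Asset via DFTOUT.
Added example; the Dut is a hypothetical model, NOT the OpenCores core."""
import random

KEY, DATA_IN = 0xC0FFEE, 0xBEEF    # constructed asset values (nonzero, distinct)
LATENCY = 10                       # hypothetical START-to-DONE cycle count
SIGNALS = ("START", "LOAD", "MODE", "DFT1", "DFT2")
WEIGHTS = {"START": 0.2, "LOAD": 0.2, "MODE": 0.5, "DFT1": 0.5, "DFT2": 0.5}

# The slide's stimulus table, cycles 0..21, one bit per cycle.
SLIDE_STIMULUS = {
    "START": [0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
    "LOAD":  [1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
    "MODE":  [0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
    "DFT1":  [0,0,1,0,0,0,0,1,0,0,1,1,0,1,0,1,1,1,1,1,1,1],
    "DFT2":  [1,0,1,1,0,0,0,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1],
}


class Dut:
    """Cycle model: registers update on the clock edge, then DFTOUT is derived."""

    def __init__(self, buggy=False):
        self.buggy = buggy
        self.loaded = self.running = self.done = False
        self.counter = 0
        self.key_reg = self.data_reg = self.data_out = self.dftout = 0

    def clock(self, s):
        if self.running:
            self.counter += 1
            if self.counter == LATENCY:        # DONE: publish result, clear secrets
                self.running = self.loaded = False
                self.done = True
                self.data_out = self.data_reg ^ self.key_reg   # toy "encryption"
                self.key_reg = self.data_reg = 0
        else:
            self.done = False
            if s["LOAD"]:                      # LOAD captures the assets
                self.key_reg, self.data_reg, self.loaded = KEY, DATA_IN, True
            if s["START"] and self.loaded:
                self.running, self.counter = True, 0
        # DFT scan path (threat agent): MODE selects the key or data register.
        scan_val = self.data_reg if s["MODE"] else self.key_reg
        scan_en = s["DFT1"] and s["DFT2"]
        # Correct gating covers LOAD..DONE; the constructed bug gates only START..DONE.
        gated = self.running if self.buggy else self.loaded
        self.dftout = scan_val if (scan_en and not gated) else 0


def run_test(stimulus, buggy=False):
    """Drive one stimulus table. Returns (violating cycles, coverage bins hit).
    A violation is DFTOUT equal to an asset inside the LOAD..DONE window."""
    dut = Dut(buggy)
    in_window, violations, coverage = False, [], set()
    for t in range(len(stimulus["START"])):
        s = {name: stimulus[name][t] for name in SIGNALS}
        dut.clock(s)
        if s["LOAD"]:
            in_window = True                   # protected period opens at LOAD
        if in_window and dut.dftout in (KEY, DATA_IN):
            violations.append(t)
        coverage.add((in_window, dut.running, s["DFT1"], s["DFT2"]))
        if dut.done:
            in_window = False                  # ...and closes at DONE
    return violations, coverage


def gen_stimulus(rng, cycles=22, weights=WEIGHTS):
    """Weighted random stimulus table (the slide's 'input weight')."""
    return {name: [int(rng.random() < weights[name]) for _ in range(cycles)]
            for name in SIGNALS}


def fuzz(buggy=False, runs=200, seed=1):
    """Run `runs` random tables; return [(seed, cycle), ...] failures and total coverage."""
    failures, total_cov = [], set()
    for i in range(runs):
        viol, cov = run_test(gen_stimulus(random.Random(seed + i)), buggy)
        total_cov |= cov
        failures.extend((seed + i, t) for t in viol)
    return failures, total_cov


if __name__ == "__main__":
    print("slide table, buggy design, violations:", run_test(SLIDE_STIMULUS, True)[0])
    f, cov = fuzz(buggy=True)
    print(f"fuzzing buggy design: {len(f)} violations, {len(cov)} coverage bins")
    f, cov = fuzz(buggy=False)
    print(f"fuzzing fixed design: {len(f)} violations, {len(cov)} coverage bins")
```

Two points worth noting when reading the output: the single slide table happens not to trigger this particular defect because START follows LOAD within two cycles, so it is the volume of weighted random tables that exposes the gap between "running" and "loaded"; and the monitor is written against the specification's window (LOAD to DONE), not against the design's own internal state, which is what lets it disagree with the buggy gating.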
Page 37
The Results
Waveform labels: Protected period, BUG!!
Page 38
What Next?
- Fix the design
- Test the design fixes until no issue is found
Page 39
Notes
For a large design, a Coverage Based Validation method is used instead of manually examining the waveform.
Page 40
The Benefit …
This method can be used on any design, if you have the specification and the RTL code.
If you are the RTL developer, this is a good method to ensure your design can withstand the attack.
Page 41
Acknowledgement
Thanks to my colleagues from Intel Penang Design Center, Jonie Lim, CP Teh and Thanh Le Nguyen, for their contribution to this presentation.