a2: analog malicious hardware
TRANSCRIPT
1
A2: Analog Malicious HardwareAuthored by: 1. Kaiyuan Yang2. Matthew Hicks3. Qing Dong4. Todd Austin5. Dennis Sylvester
Department of Electrical Engineering and Computer ScienceUniversity of MichiganAnn Arbor, MI, USAPaper: http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf
Papers We Love #22 (29 Aug 2016) By: Yeo Kheng Meng ([email protected])
2
Remember “Reflections on Trusting Trust”?
1984 Turing award lecture by Ken Thompson• Hack compilers to inject malicious code into output binaries
• Conclusion• “You can’t trust code that you did not totally create yourself”• “We can go lower to avoid detection like assembler, loader or
hardware microcode”
3
Threat Model/Paper Abstract• “we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is
small and stealthy
1. “we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. “
2. “When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value.”
3. “We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor.”
4. We implement this attack in an OR1200 processor and fabricate a chip
Privilege escalation with maliciously-modified hardware
4
First some concepts
5
Analog vs Digital Circuits• Analog• Continuous Signal• Signal is a fraction of logic level voltage
• Digital• Discrete• Usually binary 0 or 1
• 1: High logic voltage• 0: Low logic voltage
Image from:https://www.renesas.com/en-us/support/technical-resources/engineer-school/digital-circuits-01-and-circuit-or-circuit-not-circuit.html
6
What is a Capacitor?
https://en.wikipedia.org/wiki/Capacitor
• A capacitor is a passive two-terminal electrical component used to store electrical energy temporarily in an electrostatic field.
• AKA temporary small-capacity battery• Capacitor “leaks”
7
Charge Pump Design
• A charge pump is a kind of DC to DC converter that uses capacitors as energy-storage elements to create either a higher- or lower-voltage power source.
• Clock/Pulse at regular intervals build up a charge in capacitor
8
What is a flip-flop/latch?• Circuit that has two stable states and can
be used to store state information.• Example Set-Reset (SR) latch• 2 Interconnected NOR Gates
An animated SR latch. Black = 1, White = 0Value is stored in Q, Q’ is the compliment.
https://en.wikipedia.org/wiki/Flip-flop_(electronics)#SR_NOR_latchhttps://en.wikipedia.org/wiki/NOR_gate
SR Latch Truth table
S R Q Action Qnext
0 0 Q Hold Q
0 1 0 Reset 0
0 1 1 Reset 0
1 0 0 Set 1
1 0 1 Set 1
1 1 X NA NA
NOR Gate Operation
Input Output
A B A NOR B
0 0 1
0 1 0
1 0 0
1 1 0
9
Integrated Circuit (IC)Design Process• Similar to Printed Circuit Board Design
1. Digital Design Phase• Logic Simulation with HDL: VHDL/Verilog• Circuit schematic design
2. Backend Design• Routing, layout• Design Rule Check (DRC)• Graphic Database System II (GDSII) file is generated
• GDSII to ICs, Gerbels to PCBs
3. Fabrication4. Verification
10
Chip Fabrication Process\layers• Front End Of Line (FEOL) contains• Transistors, Capacitors, Resistors, Flip-Flops• PCB Analogy: Board Components
• Back End Of Line (BEOL) contains• Layers of tiny Copper Wiring• PCB Analogy: Trace layers
• Solder-Bump• Attachment to host PCB or motherboard
https://upload.wikimedia.org/wikipedia/commons/e/ee/Cmos-chip_structure_in_2000s_%28en%29.svg
11
Attack Components• Trigger• Monitors wires and states till the moment to activate payload
• Payload• Malicious action accomplished when triggered
12
Target Platform
• OpenRISC 1200 processor• Open source CPU• Uses 32-bit OR1K instruction set• 128KB instruction cache
• Implemented as FPGA using VHDL
13
OR1200 Supervision Register• SM bit
• Determines if current process is user or supervisor• 0 for usermode, 1 for supervisor mode
• OV bit• If overflow occurred during last arithmetic operation• 0 for no overflow, 1 for overflow
Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
14
Attack model1. Show Analog Circuits with a capacitor can create attacks2. Pick victim wires that will trigger attacks3. When the capacitors fully charge, they deploy an attack that
changes the flip-flop that holds the privilege bit4. Stealthily implement this attack in an OR1200 processor5. Run malicious code to activate the attack
15
1. Single-stage Analog trigger circuit behaviour model• Based on charge-pump design• When Cap Voltage > Threshold, trigger output
• Trigger Input: Victim Wire
• Trigger Time: Time taken to activate trigger at certain trigger frequency
• Retention Time: Time taken to reset trigger after input stops
16
1. Multi-stage Analog trigger circuit behaviour model• Lower probability of false trigger activation• Normal operations/benchmarks can “accidentally” trigger a wire
• Software flexibility • Multiple attack vectors
17
2. Single-stage trigger victim wire selection
• We use the overflow flag wire as trigger
Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
18
2. Two-stage trigger victim wire selection
• Trigger 1: Signed Division wire• Trigger 2: Unsigned Division wire
Page 29-30 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
19
3. The Attack Payload• Overwrite register value containing “privilege/supervisor bit”• Usermode process now given superuser privileges
Reset Latch (Active-Low) Set Latch (Active-High)
20
4. Attack insertion vector?• Can be done anywhere along the chain
• Adding in Digital Design Phase?• Easiest to implement on schematic level• Easily detected during verification checks• Tight security of designer’s machines
• Backend?• Moderate difficulty but still able to find insertion location • Can be discovered by SPICE simulation• Tight security of designer’s machines
• Final choice: Fabrication• Relatively lower security at foundry level• Requires insider access to GDSII between backend and fabrication• Tough to detect
21
4. Stealth implementation on OR1200
• CPU die size is 2.1mm2
• A2 Analog attack• 1 gate, 13.4um2
• Digital counter-based equivalent of A2• 91 cells or gates, 382um2
22
5. Pseudocode for single-stage trigger attack
Page 54 of OpenRISC 1000 Architecture Manual, Architecture Version 1.1, Document Revision 0https://github.com/openrisc/doc/blob/master/openrisc-arch-1.1-rev0.pdf
Divide by 0
23
5. Pseudocode for two-stage trigger attack
Page 9 of the Paper
24
Test Results
• It works!
• Voltage range: 0.8V to 1.2V• Temperature range: -25°C to 100°C
• Result Trends• ↑ temperature -> ↑ capacitor leakage -> ↑ trigger cycles• ↑ voltage -> ↑ rate of capacitor accumulation -> ↓ trigger cycles
25
Possible Defences?• Side Channel?• Power difference of extra gate in 100000 gates is negligible
• Visual inspection?• Detecting anomalous 13.4um2 circuitry in 2.1mm2 die size is impractical
• Split Manufacturing?• Trusted and expensive• Untrusted and cheaper
26
Intuitive Split Manufacturing strategy• Goal: Obfuscate design from untrusted fabricator by
withholding some wires on upper layers
• BUT possible to reverse engineer 96% of “some wires” using knowledge of layout tools• J. Rajendran, O. Sinanoglu, and R. Karri, “Is split manufacturing secure?” in
Design, Automation and Test in Europe, ser. DATE, 2013, pp. 1259–1264.
Trusted FabricatorAnd
Assembler
Untrusted/Cheaper Fabricator
Design House
GDSII of gates and other wiresGDSII of some wires
Assembled chip
Unfinished bottom portion
27
Proposed Split Manufacturing strategy• Split at Level 1• Untrusted Manufacturer does not make any gates
• However…• Expensive $$$ to join two copper layers at low layers• No such process exists
Trusted FabricatorAnd
Assembler
Untrusted/Cheaper Fabricator
Design House
Assembled chip
FEOL + Metal Level 1BEOL – Metal Level 1
Unfinished top portion
28
Potential for x86 attacks?• Much harder to detect and easier to implement than on OR1200
• x86 has more registers, A2 only needs one• x86 has more victim wires
• “The only aspect of scaling to an x86-class processor that we anticipate as a challenge is maintaining controllability as there are many redundant functional units inside an x86, so a trigger would either need to tap equivalent wires in all functional units or be open to some probabilistic effects.”