{"id":14727,"date":"2016-06-03T10:49:14","date_gmt":"2016-06-03T14:49:14","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=14727"},"modified":"2016-06-03T10:49:14","modified_gmt":"2016-06-03T14:49:14","slug":"a2-analog-malicious-hardware","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2016\/06\/03\/a2-analog-malicious-hardware\/","title":{"rendered":"A2: Analog Malicious Hardware"},"content":{"rendered":"<p><a href=\"http:\/\/ieee-security.org\/TC\/SP2016\/papers\/0824a018.pdf\">Kaiyuan Yang et al.<\/a> (PDF) (via <a href=\"https:\/\/twitter.com\/USSJoin\/status\/735254756159954944\">Brendan O&rsquo;Connor<\/a>):<\/p>\n<blockquote cite=\"http:\/\/ieee-security.org\/TC\/SP2016\/papers\/0824a018.pdf\"><p>While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party&mdash; often overseas&mdash;to fabricate their design. To guard against shipping chips with errors (intentional or otherwise) chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.<\/p>\n<p>In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip&rsquo;s functionality).<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/www.wired.com\/2016\/06\/demonically-clever-backdoor-hides-inside-computer-chip\/\">Andy Greenberg<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.wired.com\/2016\/06\/demonically-clever-backdoor-hides-inside-computer-chip\/\"><p>In fact, researchers at the University of Michigan haven&rsquo;t just imagined that computer security nightmare; they&rsquo;ve built and proved it works. In a study that won the &ldquo;best paper&rdquo; award at last week&rsquo;s IEEE Symposium on Privacy and Security, they detailed the creation of an insidious, microscopic hardware backdoor proof-of-concept. And they showed that by running a series of seemingly innocuous commands on their minutely sabotaged processor, a hacker could reliably trigger a feature of the chip that gives them full access to the operating system. Most disturbingly, they write, that microscopic hardware backdoor wouldn&rsquo;t be caught by practically any modern method of hardware security analysis, and could be planted by a single employee of a chip factory.<\/p>\n<p>[&#8230;]<\/p>\n<p>The &ldquo;demonically clever&rdquo; feature of the Michigan researchers&rsquo; backdoor isn&rsquo;t just its size, or that it&rsquo;s hidden in hardware rather than software. It&rsquo;s that it violates the security industry&rsquo;s most basic assumptions about a chip&rsquo;s digital functions and how they might be sabotaged. Instead of a mere change to the &ldquo;digital&rdquo; properties of a chip&mdash;a tweak to the chip&rsquo;s logical computing functions&mdash;the researchers describe their backdoor as an &ldquo;analog&rdquo; one: a <em>physical<\/em> hack that takes advantage of how the actual electricity flowing through the chip&rsquo;s transistors can be hijacked to trigger an unexpected outcome.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Kaiyuan Yang et al. (PDF) (via Brendan O&rsquo;Connor): While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party&mdash; often overseas&mdash;to fabricate their design. To guard against [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[452,260,48],"class_list":["post-14727","post","type-post","status-publish","format-standard","hentry","category-technology","tag-hardware","tag-processors","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=14727"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14727\/revisions"}],"predecessor-version":[{"id":14728,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14727\/revisions\/14728"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=14727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=14727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=14727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}