Stealthy Dopant-Level Hardware Trojans [govt funded research to defeat encryption]

Slashdot ^ | 9/13/2013

[markomalley]

"A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: 'Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips."' In a test of their technique against Intel's Ivy Bridge Random Number Generator (RNG) the researchers found that by setting selected flip-flop outputs to zero or one, 'Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.' They conclude that 'Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests. The higher the value n that the attacker chooses, the harder it will be for an evaluator to detect that the random numbers have been compromised.'"

[markomalley]

URL for the paper.

Abstract. In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientifi c community. One of the main concerns is that integrated circuits, e.g., for military or critical infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like, and how dicult it would be in practice to implement one.

In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modifi ed circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fi ne-grain optical inspection and checking against \golden chips". We demonstrate the effectiveness of our approach by inserting Trojans into two designs | a digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation | and by exploring their detectability and their effects on security.

[CGASMIA68]

And I thought learning about NPN,PNP at NAS Jax in the 70’s was big time.

[DManA]

They published this? In a public paper? They’d better see Vladamir about getting an apartment in Moscow.

[mountn man]

With all the different forms of Trojans, now they have a Hardware Trojan?

[quimby]

From theregister:

This was the week when Linus Torvalds, chief Penguin of LinuxLand, unleashed not one, but two mighty rants on the interwebs. First, Torvalds said he resented recent attacks on the integrity of the kernel's security.

This is after a call was made for the use of Intel processor instruction RdRand for generating random numbers to be pulled from the kernel, purportedly by a lad from Yorkshire who reckoned it could be influenced by US spooks to produce cryptographically weak values.

He branded a petition asking for it to be pulled "ignorant". In a comparatively restrained rant, he said:

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.

Short answer: we actually know what we are doing. You don't.

http://www.theregister.co.uk/2013/09/13/quotw_ending_november_13/

I don't profess to know the answer to all the questions, but there sure are a lot of questions.

[Rebelbase]

The hardware line was created at my special request.

[rarestia]

I can’t understate this enough: this is bad. Manipulation of hardware at the gate level is a literal Trojan horse. There’s little anyone could do to fix the problem short of reconstructing the processor from the gate layer up (Read: Impossible).

[1raider1]

They had to. Software trojans kept falling off.

[rarestia]

His second rant was more important:

I still really despise the absolute incredible sh*t that is non-discoverable buses, and I hope that ARM SoC hardware designers all die in some incredibly painful accident.

The ARM hardware is part of the new problem. These chips are in everything "mobile" these days, and they're the primary carrier of new snooping problems. The "big" producers (Intel and AMD) are still holding fast, but I don't give us very long before they are integrating non-discoverable buses into their chipsets.

[Dr.Deth]

I still really despise the absolute incredible sh*t that is non-discoverable buses, and I hope that ARM SoC hardware designers all die in some incredibly painful accident.

Like having their car accelerate to 70mph at 4am on a deserted road, run itself into a tree, and explode?

[rarestia]

Seems legit

[steelhead_trout]

Noticed the packs that say “armor.” Do they have a shaped charge at the tip? :)

[mountn man]

Noticed the packs that say “armor.” Do they have a shaped charge at the tip? :)

"I don't think so Tim" (Al Borland-tool time)

Armor is for extra protection for "special" occasions.

"Special" Occasions

.

.

The "Armor" serves as protection in two ways.
First, it protects the wearer (just not enough)
Second, it protects humanity from the spawn of "Special" Ocassions.

[zeugma]

Isn’t it nice how the criminals that operate our government have no respect at all for us, our privacy, or our security.

[zeugma]

you are absolutely evil. That was totally unnecessary dude. I had to go to this thread for eyewash.

[steelhead_trout]

Yikes. That thing better be made of kevlar—and cover your entire body. Like a hazmat suit!

[mountn man]

Yeah, I've been over at that thread a few times.

She is one of the most stunningly beautiful women I have seen (but alas, not in real life).

Now if she would have a personality as beautiful as her looks...
Add to that her Irish brogue...

Then she might, if she was fortunate, have a chance to date me.

Aoife Walsh-youtube