Slashdot Mirror
DARPA Sponsors a Hunt For Malware In Microchips
Phurge links to an IEEE Spectrum story on an interesting DARPA project with some scary implications about just what it is we don't know about what chips are doing under the surface. It's a difficult problem to find invasive or otherwise malicious capabilities built into a CPU; this project's goal is to see whether vendors can find such hardware-level spyware in chips like those used in military hardware. Phurge excerpts: "Recognizing this enormous vulnerability, the DOD recently launched its most ambitious program yet to verify the integrity of the electronics that will underpin future additions to its arsenal. ... In January, the Trust program started its prequalifying rounds by sending to three contractors four identical versions of a chip that contained unspecified malicious circuitry. The teams have until the end of this month to ferret out as many of the devious insertions as they can."
Looks like someone finally clued these geniuses of national security in on the obvious Archilles' heel in their web of protection.
I just hope our clueless protectors have at least had the common sense to slip in some spys at that new big "Fab 68" Intel plant they're building in China.
SJW: Someone who has run out of real oppression, and has to fake it.
I already found the hidden "porn" circuitry.
This is going to be a huge issue in the future. Another reason why buying anything not made in the US is a bad idea. We have MIL-Spec products for almost everything, yet most of our comm equpiment is simply COTS with slight modifications to the software/hardware. I'd really like to see intel/amd move operations back to the states just for this reason, also it would be a benifit to the government and the american people. The government gets what they want secure, malware free chips, and americans get good paying jobs back.
Well, considering that the current wave in high-tech is to outsource the hardware development, it's a very valid concern.
Here's a classic example. Startups in Silicon Valley prefer not to bring in a hardware team to develop a new box from scratch, especially when they can just buy a COTS box elsewhere for the first round. The Imaginary Property resides in the Software Apps that they can develop to run on these boxes.
Consequently, they contract out with companies that used to be known for their motherboards, but who have moved up and will sell you a complete cutting edge system, and customize it to meet your needs. No hardware development time is required, and it's a lot cheaper.
The catch is that, in order to support these boxes, the Startup or the customer MUST NEVER OPEN THEM. If you do, you void the warranty. At $10,000-$20,000 per box (in the storage biz) that's a very strong incentive to never ever peek inside.
Add to that proprietary IPMI cards.
In short, these boxes are the best backdoor into an Organizations' IT infrastructure. You'd be surprised at the big, well-known names currently deploying them.
The beauty of this approach is that most of these companies are based in Taiwan. Simply put, with little effort, Taiwan gets to own both China and the U.S. at the same time. That would be amusing if it weren't so sad.
The best way to predict the future is to create it. - Peter Drucker.
This issue is a main element in Richard Clarke's latest book - Breakpoint. Clarke is the terrorist guru from the late '90s in the Clinton administration ... and the guy the Bush administration chose to ignore. Bottom line is if you let your key silicon + hardware be exclusively built in forgien countries ( i.e. China) you're at risk of hardware level "back doors". Published in '06 - Clarke again signals a warning for the US .....
Its not the years, its the mileage
the rest is just a matter of juggling the 'gray' area around a little more until there's no black or white.
I find this intersting.
I deal with foreign fab houses on every project. The odd things is that most of the backend software used by these fab houses are sold by American companies (much of which is written in India).
There is a step in the process where a point tool (one not written by the fab house - but again an American company) is used to re-extract the design out from the polygons that describe the silicon to be fabbed. This is compared to the source gate level design I originally supplied using formal verification methods. This is done by me.
So I suppose someone could surreptitiously change the gates I'm getting back to hide what is being inserted in there (not an easy thing to do all by itself at this level) There are places where it could be done in the process.
At the same time - to add additional logic to a design you are not well versed in is REALLY difficult.
Have you compiled your kernel today??
In the case of ICs, it might even be possible to automate to some extent. You know the I/O specs of the chip -- what voltages to feed where, for example -- so maybe you feed it into some type of machine that can cut it into very tiny wafers, examine them, and reconstruct the chip in a virtual environment.
Then I suppose it becomes a matter of proving the functions within the chip, and piecing together vulnerabilities that are composed of more than one chip working in tandem.
Things get trickier with "tamper-proof" EEPROM or similar technologies like soft-core microprocessors, I suppose. Part of testing would necessarily involve beating the tamper-proof system.
Pragmatically speaking, however, unless you test every chip you plan to use (destructively in this case) how do you know you're not getting slipped the silver thermal paste that doesn't actually have any silver in it?
I for one have always assumed that the hardware was an active vector for security failure. Why ANYONE who has not personally audited all the circuitry in all their chips would ever assume any different is beyond me. Actually I was always mostly worried about those Isreali ethernet chips. I have absolutely nothing to hide, but I still refuse to carry a GPS phone, and my private files are on an offline node with no WiFi, &c. Nothing wrong with being paranoid, as far as I'm concerned, I think we are all just temporarily out on our own recognizance.
The cost of that cleanup, of course, will be borne by taxpayers, not industry.
http://www.youtube.com/watch?v=aRVnQs0XD30
Can you trust yourself?
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Ok heres a quick summary for those who dont have the patience to read the 3 pages :
Portions of a chip design cycle are untrusted - eg. the fab stage because its not DARPA certified etc. A malicious entity could embed small, functionally irrelevant circuits that when activated could disable(kill switch)/give unauthorized access (back door)/reveal chip secrets (reveal crypto secret key). In order to prevent it, DARPA is looking for proposals that will mitigate this, while not requiring exhaustive testing.
A few important points :
1. It doesnt matter that the fabs are in China. Even non certified fabs in the US could potentially be compromised. Currently DARPA procures chips (especially crypto chips) from secure fabs in the US, but these are very expensive as the fabs are run pretty much exclusively for defense use.
2. The idea is to know, ideally via non destructive means, if the final design and the initial design are functionally and electrically identical. This is harder than it sounds, as trap doors in the chips cannot be detected without either exhaustive testing (which takes too long) or by exhaustive examination (wearing out each layer of the chip physically and comparing against a known good mask)
3. The fact that Intel and AMD have offshore fabs does not matter. Yes, MIL spec versions of their chips are used in various applications, however it is economically unfeasable for all Intel and AMD fabs to be certified. In fact, I would not be surprised if both Intel and AMD hand over their design specs for chips they want MIL certified to a small certified fab onshore. This seems like a much more logical way to do things.
4. This will, very likely, bleed over to the commercial sector. Most likely, the first customers for something like this would be the banking sector. However, a big difference in the commercial sector is that the national card doesnt come into play. A company in China (for eg) once certified, could become the largest provider of crypto chips to all banks worldwide. In fact in such a case, standardization would help. This is different from military applications, where, one country will not trust what the other says is certified.
Legally obligatory sig : My opinions are my own... etc etc
This is trivial to do with access to JTAG ports and test vectors. Another reason for open source!
"DARPA Sponsors a Hunt For Malware In Microchips" is government-speak for "we're looking for the best ways to do this ourselves." Anyone here knows hardwired is faster and more efficient than software and/or microcode execution (read: easier to hide, universally available for use anytime anywhere to spy on you). Ever wonder what that hidden cpu with ROM is doing on the same chip as as the main CPU(s)?
ChipMaker: Sorry, I can't do that.
USgov: And WHY NOT???
ChipMaker: Because it's logically impossible you retarded oaf. You can't prove a negative.
USGov: But if you DON'T then we will have to TAKE ACTION!
ChipMaker: Oh, jeez... like what? You bumbling fuckhead!
USGov: we will STOP BUYING CHIPS from you! We will build them ourselves!
ChipMaker: Sorry, Wally, but you're not going to get that past your neoliberal internal trade agreements. I can see it now: "USGov goes into Chip Making"... Intel, AMD, and IBM would crack a loaf in their pants and sue. No, you'll have to subcontract to them, and they will have to set up a multijillion dollar fab plant in the USA that is populated by expensive american workers, and suddenly every laptop made for the USGov will be slower and more expensive than any other laptop on the market. Good move, Ace. Lemme know how that works out for ya.
USGov: buh buh buh WE NEED SECURITY!!!!
ChipMaker: look, dumbass, we make chips. We don't care what they go in, we don't care what they do, we just make chips. Test them all you want, you're not going to find anything, because we really don't give a shit. Now, if the ultraparanoid wing of your wingnut contingent can't swing with that, tought shit.
USGov: it would be SO much better if you simply PROVE THAT YOU'RE NOT putting bad things in our chips.
chipMaker: (sigh). How's this, USGov, just shut the fuck up, and get with the program.
USGov: But WE HAVE TO PROTECT OUR FREEDOMS!!!!
ChipMaker: WHEN were your FREEDOMS ever attacked? Some crazy fucking nutjobs from a loosely organised international political crime syndicate flew some planes into your buildings. They didn't attack your freedom, they just wanted you to get your jarheads out of Saudi Arabia. And then you invaded Iraq. "I'd like to know when Iraq attacked your freedoms - I'd like to know what day it was when the Iraqi Invasion Force stormed your beaches and dumped hot lead into your freedoms, because I must been on vacation that day in someplace called REALITY." Your paranoid abuse of logic is THE SAME. And we, the Rest Of The World, are getting sick and fucking tired of your penny ante tirades that end up getting thousands of people killed. So, for the jillionth time: NO, We Can't PROVE that our chips are not full of malware, because you CAN'T PROVE A NEGATIVE. You can test all you want, but you will never be 100% sure, and thusly, you're an idiot for demanding it. Heck - even if you build them yourself, you have no proof, as some employee might etch a wee corner of the chip to cause a computer to make fart noises and blit every other frame to the screen with an image of Jesus butt raping Mohammed, but only on even numbered Tuesdays.
USGov: BUT WE WANT SECURITY!!! We want to PROTECT OUR FREEDOMS!!!
ChipMaker: OK, OK, you fucking moron: "I solemnly swear, cross my heart and hope to die, that there is no bad stuff on any of the chips we make. Promise. Now, is that better?"
USGov: YOU ARE A GREAT ALLY!!! I feel so much more secure now.
RS
We have always been at war with Oceania.
Shoes for Industry. Shoes for the Dead.
If:
10 PRINT "HELLO WORLD"
Comes out as HERRO WORD
You're pwned.
AT&ROFLMAO
You obviously HAVEN'T read about ACL2 for formal verification of microcode.
Thanks for nothing,
K. Trout
This project is for improving methods to backdoor telco equipment for data mining. Now, if you'll excuse me, I'm out of tinfoil.
Power corrupts. Absolute power...is even more fun.
http://www.opencores.org/
'nuff said.
The teams have until the end of this month to ferret out as many of the devious insertions as they can."
I'll give yo mama a devious insertion. That's what she calls anal sex.
what i love is that most of the US military still runs IE 6. all this money spent towards "security" when they can't even get the basics of patch management and upgrade cycles right...
Many hacks are difficult - until you figure out how to do it. Then, it becomes documented procedure for the black-hats of the world. I.e., all a malicious designer needs to do is figure out exactly how to integrate extra logic into a chip design without getting caught once and they will then be able to do it forever, or at least until the design -> production procedures are changed to close whatever hole he may have found to exploit. Granted, in this case the logic to be added will require an intimate understanding of the chip's original design, but the manufacturing plant does have all the tools needed to gain such an understanding. The design itself is furnished to them to let them make the chips to begin with, and the only limiting factor is the intelligence to reverse engineer the chip, given the litho's and design spec's.
I've written about this before. It's all about the design of the IC -- they're tightly integrated designs. The designer works with a design team, who reviews the layout, and sends it off to get fabricated. If what comes back isn't exactly the same as what went out it's going to be *completely* obvious. First off, the most important thing is how large the die is. Nobody can change that without everything downstream breaking -- your wafersort test hardware won't match up with the die (and wafersort is done by test engineers working with the designer, so is done where the designer works). So you can't make a larger die to put extra malicious circuitry in. Secondly, every bit of the die space you have is used. There's never unused silicon because that's wasted money. People will completely relayout a design from a square to a rectangle if that means they can get 10 more chips off a wafer. So you can't sneak malicious circuitry into an existing design.
And, for that matter, a designer or even an applications engineer can tell, at a glance, if the silicon that came back from the fab is the same as their design. Some of our applications engineers can tell, without a microscope, what another manufacturer's raw silicon does, just by looking at it. (Not everything, obviously, but they can say "this part is logic, this part is a big power FET, there's a bunch of ESD stuff over here...")
Bottom line: if you have to trust the design, you need to have your designer and your design review team where you can see them. The fabs don't really matter that much.
Nostalgia's not what it used to be.
The argument is that "well ... the US will keep the design and architecture for technology, and all that is being off-shored is the grunt work". Where do you think the experience for doing the design and architecture comes from?
Probably the best quote for the direction that the US is heading towards is from a STNG episode
It's broken. Can you make it go?Then, you have built-in kill switches used to fight satellite TV piracy, like the dreaded DirecTV Black Sunday killer packets that killed unauthorized access cards.
So this stuff has happened.
How many Counterfeit Cisco Routers have built in exploits or kill switches is another question...
there are 3 kinds of people:
* those who can count
* those who can't
This DARPA project will be specifically in response to the implications thrown up by the Minot/Barskdale missing nukes debacle late last year where 6 live nukes were carted across the US and one went missing. Ignore the official explanation of that - it's pure bunkum and nonsense. It was very clear something else was going on, something serious.
It was most likely a Chinese military hack, and one that was possible due to the sheer quantity of Chinese chips in US military hardware, and was a demonstrator of Chinese hacking ability.
You can learn much more here (ignore the lame sounds upon page load - the articles are worth reading): http://www.willthomasonline.net/willthomasonline/Command_Override.html
a 2nd more important one here:
http://www.willthomasonline.net/willthomasonline/Verification.html
and finally here:
http://www.willthomasonline.net/willthomasonline/Loose_Nukes.html
Chinese backdoors in chips in deployed US military hardware is currently a severe risk but it's good to see that they are doing something about it.
IANACD or from the US. I had to scroll past pages and pages of nationalistic and economic drivel before finding someone who knew what the hell they were talking about.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
I'm one of the people who was interviewed for this article. Several people in my department spent an afternoon talking to the IEEE Spectrum technical writer. Although it didn't really come out in the article, our take on the kill-switch concept was that it was possible but very unlikely.
Adding a trojan at the hardware level would be incredibly difficult and risky. In the first place, reverse-engineering a design from its GDS files, determining how and where to add hidden circuitry, and then incorporating the trojan circuitry into the design would be extremely difficult, as others have pointed out. The trojan would have to be customized for every design - not a trivial task. Second, if any foundry was caught producing a compromised chip, it would be ruined overnight. No commercial or government vendor would ever trust its products again. Ditto for any software vendor whose CAD tools were found to add hidden backdoors. Even if it were possible, no sane company would take the risk.
Attacking at the firmware level is more plausible, but still unlikely. If you're using an FPGA-based design, and you let some fly-by-night offshore company write the firmware for it, hidden functionality could be slipped in if you were sloppy about vetting the code. Even if the firmware was written in the U.S., you could bribe an engineer at the company to add the trojan, but again you're gambling no one else checks the code.
Our ultimate conclusion was that the most likely scenario for future compromised computer systems was exactly the one we're seeing today - worms and trojans attacking at the OS / applications level. It's an attack vector where plausible deniability by the originator can be easily maintained. It's worked pretty well so far, and it should continue to work as long as complex systems are placed in the hands of millions of technically illiterate and careless users. DARPA is spending a relatively tiny amount of money to check out the likelihood of a hardware trojan, but I doubt many people directly involved in commercial IC hardware design are truly worried about it.
How do you trigger a kill switch in a microprocessor running an application on top of an OS? Build in an aerial and a radio receiver?? Your tax dollars at work folks - vote for competence!
Extra stuff has been placed in chips for years:
http://smithsonianchips.si.edu/chipfun/graff.htm
On my favorite design we had nearly 100% coverage on the test vectors, someone said to "marx the uncovered nets" so we named them Groucho, Chico and Harpo in the netlist.
Intron: the portion of DNA which expresses nothing useful.
DARPA is obviously seeing if they can do it. The end goal is probably to get chips manufactured for the rest of the world that the US Govt can disable at will -- something like GPS Selective Availability.
It must have been something you assimilated. . . .
If they think this approach is valuable to an enemy, what do you suppose the chances are that they aren't doing it themselves, but by pressuring the companies rather than surreptitiously inserting circuitry at the fab?
In the microprocessor case, suppose they added a bit of logic to look for a particular data sequence, and if found, switch to system management mode or ring 0 and execute whatever follows. Then they could take over any machine simply by sending it a data packet. Presumably there would be some code signing to prevent anyone else from exploiting the backdoor.
Intel, Cisco, et al are involved in the Critical Infrastructure Protection program and undoubtedly have other high-level contacts with the national security apparatus. It seems obvious that the US is in a better position than anyone else to carry out this type of attack.
It seems to me that even if your CPUs were "pwnd" they would still have to use the network to relay information. No suspicious network traffic, no problem. Now if your Ciscos were made in China, your in a totally different world of pain.
I worked on this stuff as a graduate student. That is all.
http://illegalinstruction.blogspot.com/2007/02/ice-queen-shatters.html
Welcome aboard, Sir!
me thinks the government is worried about smelling funny. http://mobile.slashdot.org/article.pl?sid=08/05/01/129230
Having to work for a living is the root of all evil.
Those so-called "counterfeit" chips and boards you are talking about were actually unauthorized builds by contract manufacturers. If they don't work right, it is because they used seconds or substituted cheaper parts( eg lower voltage, temp rated capacitors, etc.) on the PCB. Essentially, the danger would be shipping boards that do not meet spec, the kind of stuff that can happen even without any monkey business involved.
That has nothing to do with embedding "malware" type features into working chip and having it still pass muster. When I talked about counterfeit, I meant a _fake_ chip from a third party, not somebody running off extra copies on the "4th shift".
By the way the R&D groups of manufacturers have been known to buy end products containing their chips from local retail instead of building their own copy of the reference design because the retail product is cheaper due to economies of scale. So a malware chip can easily end up back in the place that is most likely to detect it.
Your skill set, intelligence behind this, etc.
I replace a few things from time to time and I am rank beginner kit type guy (i.e. Nixie Clock kit, with WWV update). Kudos to you for finding and doing this. Most people today, 99.999%, would shrug and replace the whole board.
So how about some details. In addition to your great pictures.
1. A capacitor failure is always plainly visible like this?
2. What are the three most common failures in electronics? How to find and fix them? Perhaps this answer is on a blog somewhere (So where?).
3. Are there subtle capacitor failures? How are such subtle failures found? Lots of Fluke Multimeter poking around or oscilloscope? Do you usually have an identical working board you can get comparative values from?
4. Soldering station? What kind do you use? Something for the field? Silver Solder or something else? Flux?
5. Any problems ever with smoke alarms?
6. How often do you repair like in your post vs "buy a replacement"?
7. General background that prepared you for this. Education, experience, hobbies, etc.
I am asking this so that if someone else wants to attempt a repair of some old part, that they might learn a little here.
Thanks,
Jim Burke
Regarding Manufacturing Return.
Yes indeed! We should keep of all critical parts, components, and materials about 30% production here (USA or within the EU, etc). These companies should focus on top quality manufacturing - not "good enough". Then these companies should be subsidized a little to make up for cheaper parts offshore.
We already do this in the USA for some items. Take farming for example. Many crops are subsidized for the same reasons we need other vital manufacturing elements supported. Take the petroleum reserve and use this concept for creating stockpiles of vital minerals and like goods.
Great thoughts by everyone here - thanks,
Jim Burke
I'm so relieved that someone on slashdot has exposed everyone voicing these libelous, xenophobic, racist, anti-business whiners as the hate mongers they are.