Slashdot Mirror


DARPA Sponsors a Hunt For Malware In Microchips

Phurge links to an IEEE Spectrum story on an interesting DARPA project with some scary implications about just what it is we don't know about what chips are doing under the surface. It's a difficult problem to find invasive or otherwise malicious capabilities built into a CPU; this project's goal is to see whether vendors can find such hardware-level spyware in chips like those used in military hardware. Phurge excerpts: "Recognizing this enormous vulnerability, the DOD recently launched its most ambitious program yet to verify the integrity of the electronics that will underpin future additions to its arsenal. ... In January, the Trust program started its prequalifying rounds by sending to three contractors four identical versions of a chip that contained unspecified malicious circuitry. The teams have until the end of this month to ferret out as many of the devious insertions as they can."

17 of 106 comments

  1. All about China by elrous0 · Score: 4, Insightful
    It cracks me up how the U.S. government is always taking ludicrous steps to "protect national security," fighting off hacker attacks with billions of dollars in specialized firewalls and security, using NSA backdoors into windows, etc. And all the while they're lecturing us on all these heavy-handed precautions, they're doing EVERYTHING, classified and not, on computers built largely of Taiwanese and Chinese manufactured chips and motherboards.

    Looks like someone finally clued these geniuses of national security in on the obvious Achilles' heel in their web of protection.

    I just hope our clueless protectors have at least had the common sense to slip in some spies at that new big "Fab 68" Intel plant they're building in China.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:All about China by elrous0 · Score: 2, Insightful

      Not only that, but what if China ever decided to embargo us? It would (for a time at least) cripple most of our tech industry.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:All about China by quanticle · Score: 2, Informative

      The thing with embargoes is that they work both ways. Currently, China is so dependent on the US consumer market to absorb its production that an embargo would hurt them as much as it hurts us.

      The other thing is that, despite what you've been hearing, China is not the be-all-end-all for electronics. Korea still holds the crown for manufacturing memory, Taiwan is still the leader for TFT LCDs, Israel is still manufacturing networking equipment, etc. If China embargoes the US, these other countries will ramp up production and diversify their offerings to meet the redirected demand from the US market.

      On the other hand, China's only large customer is the US. If they slap an embargo on the US, the US can go to other suppliers, whereas China has few other customers rich enough to buy the massive quantities of goods they are producing.

      The Chinese know that, at least in the near future, an embargo will hurt them at least as much as it hurts us. This is why they've been actively growing their trade surplus vis-à-vis the US. Having a massive amount of dollar reserves gives them the option of manipulating our currency (and, by proxy, our economy) without resorting to something as blunt as an embargo.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    3. Re:All about China by megaditto · Score: 2, Funny

      Well, at least we had a good run for the last 50 years.

      It amazes me sometimes how clueless a lot of Americans are WRT how fortunate/lucky we have been lately.

      --
      Obama likes poor people so much, he wants to make more of them.
  2. Well, the teams may as well quit now... by imyy4u2 · Score: 2, Funny

    I already found the hidden "porn" circuitry.

  3. Speaking from a military perspective by Erie+Ed · Score: 3, Interesting

    This is going to be a huge issue in the future. Another reason why buying anything not made in the US is a bad idea. We have MIL-Spec products for almost everything, yet most of our comm equipment is simply COTS with slight modifications to the software/hardware. I'd really like to see Intel/AMD move operations back to the States just for this reason; it would also be a benefit to the government and the American people. The government gets what it wants, secure, malware-free chips, and Americans get good-paying jobs back.

    1. Re:Speaking from a military perspective by Applekid · Score: 3, Insightful

      Although I do agree from a military perspective the less reliance on others is probably for the best, "Made in the USA" is not an alternate spelling of "exploit-free".

      --
      More Twoson than Cupertino
    2. Re:Speaking from a military perspective by quanticle · Score: 2, Interesting

      It's always cheaper to build in countries that employ what amounts to Slave Labor.

      You do realize that most third world factory workers want to be working in a factory, since it's much better than the alternative, which is usually subsistence farming, right?

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
  4. A state of the art problem by btarval · Score: 3, Interesting

    Well, considering that the current wave in high-tech is to outsource the hardware development, it's a very valid concern.

    Here's a classic example. Startups in Silicon Valley prefer not to bring in a hardware team to develop a new box from scratch, especially when they can just buy a COTS box elsewhere for the first round. The Imaginary Property resides in the Software Apps that they can develop to run on these boxes.

    Consequently, they contract out with companies that used to be known for their motherboards, but who have moved up and will sell you a complete cutting edge system, and customize it to meet your needs. No hardware development time is required, and it's a lot cheaper.

    The catch is that, in order to support these boxes, the Startup or the customer MUST NEVER OPEN THEM. If you do, you void the warranty. At $10,000-$20,000 per box (in the storage biz) that's a very strong incentive to never ever peek inside.

    Add to that proprietary IPMI cards.

    In short, these boxes are the best backdoor into an Organizations' IT infrastructure. You'd be surprised at the big, well-known names currently deploying them.

    The beauty of this approach is that most of these companies are based in Taiwan. Simply put, with little effort, Taiwan gets to own both China and the U.S. at the same time. That would be amusing if it weren't so sad.

    --
    The best way to predict the future is to create it. - Peter Drucker.
  5. Right out of the fiction section by HW_Hack · Score: 2, Informative

    This issue is a main element in Richard Clarke's latest book, Breakpoint. Clarke is the terrorist guru from the late '90s in the Clinton administration ... and the guy the Bush administration chose to ignore. Bottom line is if you let your key silicon + hardware be exclusively built in foreign countries (i.e. China) you're at risk of hardware level "back doors". Published in '06, Clarke again signals a warning for the US .....

    --
    It's not the years, it's the mileage .....
  6. Speaking as a chip designer... by stevew · Score: 4, Informative

    I find this interesting.

    I deal with foreign fab houses on every project. The odd thing is that most of the backend software used by these fab houses is sold by American companies (much of which is written in India).

    There is a step in the process where a point tool (one not written by the fab house - but again an American company) is used to re-extract the design out from the polygons that describe the silicon to be fabbed. This is compared to the source gate level design I originally supplied using formal verification methods. This is done by me.

    So I suppose someone could surreptitiously change the gates I'm getting back to hide what is being inserted in there (not an easy thing to do all by itself at this level). There are places where it could be done in the process.

    At the same time - to add additional logic to a design you are not well versed in is REALLY difficult.

    --
    Have you compiled your kernel today??
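The check stevew describes (re-extract the gate-level design from the fab's polygons, then formally compare it with the source netlist) reduced to a toy, as an added example that is not code from the post or from any EDA tool: the netlists are constructed, and the comparison enumerates all input patterns, where a real flow would compare far larger designs with SAT/BDD engines. The point it shows is the same: a structurally different but equivalent layout passes, while an added gate is caught by function, not by eye.

```python
from itertools import product

# A netlist is an ordered list of (output_net, gate_type, input_nets), in
# topological order so every gate reads only primary inputs or earlier outputs.
GATES = {
    "AND": lambda v: all(v),
    "OR":  lambda v: any(v),
    "XOR": lambda v: sum(v) % 2 == 1,
    "NOT": lambda v: not v[0],
}

def evaluate(netlist, assignment):
    """Simulate one input pattern; returns the value of every net."""
    nets = dict(assignment)
    for out, gate, ins in netlist:
        nets[out] = GATES[gate]([nets[n] for n in ins])
    return nets

def find_mismatches(golden, extracted, inputs, outputs):
    """Exhaustive equivalence check between the designer's gate-level netlist
    and the netlist re-extracted from the fab's polygons. Returns every input
    pattern on which a primary output differs; an empty list means the two are
    functionally identical, however differently the gates are arranged.
    (Enumeration only scales to a handful of inputs; production equivalence
    checkers use SAT/BDD engines but answer the same question.)"""
    bad = []
    for bits in product((False, True), repeat=len(inputs)):
        assignment = dict(zip(inputs, bits))
        g, e = evaluate(golden, assignment), evaluate(extracted, assignment)
        if any(g[o] != e[o] for o in outputs):
            bad.append({n: int(b) for n, b in assignment.items()})
    return bad

INPUTS, OUTPUTS = ["a", "b", "c", "d"], ["y"]

# Constructed golden design: y = (a AND b) XOR (c OR d).
GOLDEN = [("ab", "AND", ("a", "b")), ("cd", "OR", ("c", "d")), ("y", "XOR", ("ab", "cd"))]

# Constructed re-extraction 1: the OR re-synthesised via De Morgan.
# Structurally different, functionally identical: must pass.
RELAYOUT = [("ab", "AND", ("a", "b")), ("nc", "NOT", ("c",)), ("nd", "NOT", ("d",)),
            ("ncd", "AND", ("nc", "nd")), ("cd", "NOT", ("ncd",)), ("y", "XOR", ("ab", "cd"))]

# Constructed re-extraction 2: one extra gate flips y only when a=b=c=d=1,
# a change no visual inspection would spot but the check must report.
INSERTED = [("ab", "AND", ("a", "b")), ("cd", "OR", ("c", "d")), ("y0", "XOR", ("ab", "cd")),
            ("t", "AND", ("a", "b", "c", "d")), ("y", "XOR", ("y0", "t"))]

if __name__ == "__main__":
    print("relayout:", find_mismatches(GOLDEN, RELAYOUT, INPUTS, OUTPUTS))  # []
    print("inserted:", find_mismatches(GOLDEN, INSERTED, INPUTS, OUTPUTS))  # [{'a': 1, 'b': 1, 'c': 1, 'd': 1}]
```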
  7. logically impossible by Ralph+Spoilsport · Score: 2, Funny
    USgov: OK Mister smarty pants commie chip maker! PROVE TO ME that YOU'RE NOT putting malware into your chips!

    ChipMaker: Sorry, I can't do that.

    USgov: And WHY NOT???

    ChipMaker: Because it's logically impossible you retarded oaf. You can't prove a negative.

    USGov: But if you DON'T then we will have to TAKE ACTION!

    ChipMaker: Oh, jeez... like what? You bumbling fuckhead!

    USGov: we will STOP BUYING CHIPS from you! We will build them ourselves!

    ChipMaker: Sorry, Wally, but you're not going to get that past your neoliberal internal trade agreements. I can see it now: "USGov goes into Chip Making"... Intel, AMD, and IBM would crack a loaf in their pants and sue. No, you'll have to subcontract to them, and they will have to set up a multijillion dollar fab plant in the USA that is populated by expensive american workers, and suddenly every laptop made for the USGov will be slower and more expensive than any other laptop on the market. Good move, Ace. Lemme know how that works out for ya.

    USGov: buh buh buh WE NEED SECURITY!!!!

    ChipMaker: look, dumbass, we make chips. We don't care what they go in, we don't care what they do, we just make chips. Test them all you want, you're not going to find anything, because we really don't give a shit. Now, if the ultraparanoid wing of your wingnut contingent can't swing with that, tough shit.

    USGov: it would be SO much better if you simply PROVE THAT YOU'RE NOT putting bad things in our chips.

    chipMaker: (sigh). How's this, USGov, just shut the fuck up, and get with the program.

    USGov: But WE HAVE TO PROTECT OUR FREEDOMS!!!!

    ChipMaker: WHEN were your FREEDOMS ever attacked? Some crazy fucking nutjobs from a loosely organised international political crime syndicate flew some planes into your buildings. They didn't attack your freedom, they just wanted you to get your jarheads out of Saudi Arabia. And then you invaded Iraq. "I'd like to know when Iraq attacked your freedoms - I'd like to know what day it was when the Iraqi Invasion Force stormed your beaches and dumped hot lead into your freedoms, because I must have been on vacation that day in someplace called REALITY." Your paranoid abuse of logic is THE SAME. And we, the Rest Of The World, are getting sick and fucking tired of your penny ante tirades that end up getting thousands of people killed. So, for the jillionth time: NO, We Can't PROVE that our chips are not full of malware, because you CAN'T PROVE A NEGATIVE. You can test all you want, but you will never be 100% sure, and thusly, you're an idiot for demanding it. Heck - even if you build them yourself, you have no proof, as some employee might etch a wee corner of the chip to cause a computer to make fart noises and blit every other frame to the screen with an image of Jesus butt raping Mohammed, but only on even numbered Tuesdays.

    USGov: BUT WE WANT SECURITY!!! We want to PROTECT OUR FREEDOMS!!!

    ChipMaker: OK, OK, you fucking moron: "I solemnly swear, cross my heart and hope to die, that there is no bad stuff on any of the chips we make. Promise. Now, is that better?"

    USGov: YOU ARE A GREAT ALLY!!! I feel so much more secure now.

    RS

    We have always been at war with Oceania.

    --
    Shoes for Industry. Shoes for the Dead.
  8. Quick and simple test.. by Linker3000 · Score: 2, Funny

    If:

    10 PRINT "HELLO WORLD"

    Comes out as HERRO WORD

    You're pwned.

    --
    AT&ROFLMAO
  9. It's about the design, not the fab by smellsofbikes · Score: 2, Informative

    I've written about this before. It's all about the design of the IC -- they're tightly integrated designs. The designer works with a design team, who reviews the layout, and sends it off to get fabricated. If what comes back isn't exactly the same as what went out it's going to be *completely* obvious. First off, the most important thing is how large the die is. Nobody can change that without everything downstream breaking -- your wafersort test hardware won't match up with the die (and wafersort is done by test engineers working with the designer, so is done where the designer works). So you can't make a larger die to put extra malicious circuitry in. Secondly, every bit of the die space you have is used. There's never unused silicon because that's wasted money. People will completely relayout a design from a square to a rectangle if that means they can get 10 more chips off a wafer. So you can't sneak malicious circuitry into an existing design.
    And, for that matter, a designer or even an applications engineer can tell, at a glance, if the silicon that came back from the fab is the same as their design. Some of our applications engineers can tell, without a microscope, what another manufacturer's raw silicon does, just by looking at it. (Not everything, obviously, but they can say "this part is logic, this part is a big power FET, there's a bunch of ESD stuff over here...")
    Bottom line: if you have to trust the design, you need to have your designer and your design review team where you can see them. The fabs don't really matter that much.

    --
    Nostalgia's not what it used to be.
    1. Re:It's about the design, not the fab by MobyDisk · Score: 2, Informative
      I respectfully disagree.

      First off, the most important thing is how large the die is. Obviously they would not change the die size. If the military orders .25mm bolts and gets .45mm bolts that don't fit, they don't need a security audit to figure that out.

      Secondly, every bit of the die space you have is used. There's lots of ways to make space. De-optimize some areas: Remove the carry lookahead logic, shrink the cache. Remove some of the full-complementary logic. Replace fast structures with smaller sub-optimal things like transmission-gate XORs. If the chip has duplicate cache to compensate for manufacturing yields, that would provide TONS of space.

      Some of our applications engineers can tell, without a microscope, what another manufacturer's raw silicon does, just by looking at it. Other than removing a large part of the cache, none of the things I mentioned above would be noticeable to the human eye. One could probably reduce the cache a tiny tiny bit and still have room for whatever extra logic is needed.

      How many layers of metal are we up to now? If I rewired a chip and left all the transistors in place but changed the metal, would anyone be able to tell? Can you even look down to that 7th layer of metal sandwiched underneath all the transistors to even tell that it was changed? It would be tough, but the chip could be rewired without moving any of the visible surface structures.

      But the biggest area of concern would be the microcode. It would be nearly impossible to see the differences and a whole lot of changes could be done without anyone noticing.

      IMHO, it would be really really really hard to do any of the things I listed above. But, I think it would be completely impossible to detect.
  10. Presumably they're doing it themselves by currivan · Score: 2, Insightful

    If they think this approach is valuable to an enemy, what do you suppose the chances are that they aren't doing it themselves, but by pressuring the companies rather than surreptitiously inserting circuitry at the fab?

    In the microprocessor case, suppose they added a bit of logic to look for a particular data sequence, and if found, switch to system management mode or ring 0 and execute whatever follows. Then they could take over any machine simply by sending it a data packet. Presumably there would be some code signing to prevent anyone else from exploiting the backdoor.

    Intel, Cisco, et al are involved in the Critical Infrastructure Protection program and undoubtedly have other high-level contacts with the national security apparatus. It seems obvious that the US is in a better position than anyone else to carry out this type of attack.

  11. Re:Response to Minot AFB nukes incident ... by geekboy642 · Score: 2, Funny
    So I was reading one of your links with interest, seeing as it's been a long time since I got into a really juicy conspiracy theory. Those internet vandals keep debunking the good ones! And I came across this:

    As they watched in shock and awe, randomly typed letters scrolled across a screen. The words were gibberish.

    The sender "left breadcrumbs," Hank related. The deliberately attached ISP (Internet Service Provider) pointed to China.

    This was bad enough. But what really freaked out the officers was the realization that none of these "stand alone" machines was online. None of them contained a modem! So, first there's an "ISP" attached, and then there's no modem. It gets better.

    How did the PLA hack supposedly secure air force computers lacking network modems? Just as select power companies can now pipe the Internet to home computers through electrical power lines, the Chinese were able to play on SAC's supposedly secure computers through the AC power cables connecting them to the national power... "grid". Okay. The PRC has invented the fantastic ability to first, hack into the U.S. national power grid from China and modulate a signal onto the power line. Then they somehow direct this signal unerringly into one of the U.S. government's most secure facilities, with filtered power, constant battery backup, and their own generators for extra backup. Then this super-powered signal hacks its way through the power supply unit (how? I haven't the slightest clue. Genius!) and gets into the CPU. And with all that fantastic power, what does China do? They type "gibberish."
    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio