Slashdot Mirror
Hiding Backdoors In Hardware
quartertime writes "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."
I'm not sure that's a good example of a sentence...
What, you can't sniff the traffic going in and out of your machine?
For justice, we must go to Don Corleone
Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."
Spectrum IEEE: "The DOD also maintained its own chip-making plant at Fort Meade, near Washington, D.C., until the early 1980s, when costs became prohibitive."
I'm betting this statement is now bullshit.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
You don't even have to go to this great of a length; if you want to root Linux machines, release a proprietary driver in the form of a binary Linux kernel module and watch as your customers blindly install it.
This is one reason why we should insist on the source code to all firmware - or reverse engineer write new firmware ourselves.
This could be what malware could do. Take some of the newer botnet clients that have modules for everything, be it trying to climb out of a VMWare machine, try to get around sandboxie, or other items. Malware could try to find items that are flashable, and reflash them with code for hooks to malware, or even worse an active keyboard logger. It was mentioned a while back in a previous /. article about a major computer maker with keyboard HIDs that were flashable with new code. So, if one got root on the box, it wouldn't be hard to reflash the keyboard with a keylogger that could store keystrokes, or just send them as packets to the blackhat's site.
Other than cellphone makers, a lot of devices really don't put much in the way of protecting their BIOS against rogue code, so it isn't farfetched to reflash a sound card, a NIC, a Northbridge/Southbridge controller, a video card, motherboard BIOS, or any other subsystem with malicious programming.
everyone knows it's easy to slip backdoors into hardware, but hiding it is the hard part. every fabless chip maker does spot checks of their products and will find these backdoors. at the very least they will find that the shipping products aren't like the ones they designed with extra circuits.
anyone with data that's worth keeping secret will have it behind firewalls and all kinds of security appliances that will start flashing alerts if there is traffic to a high risk geographic area
Your right, this is well known... but not by everybody. Every minute new babies are born... grow up and have the told everything that everyone already knows, because they don't.
So every second, new slashdotters come on and have to learn that yes, you have to be able to trust the hardware you use for security to mean anything. See, you ALREADY left a IMPORTANT part out. You say "you have to trust your hardware", this implies that you just have no choice but to trust it. In reality, you got to ask yourself, who designed the hardware I am relying on and can they and their suppliers/contractors be trusted. Answer: rarely. Reality is that most of us just ain't intresting enough to monitor at high levels.
This always amuses me with people at say Freenet. All of them seem so pampered in our western nations they can't conceive of how a true dictarorship can work. Encrypt? Who sold you that CPU that is doing the encryption? Darknet? When all the traffic flows through a government router. This is naive as saying that when you plug your lights straight into the grid, before the meter, the electricity company (the state) won't know about the 100 watt light streaming out of your windows...
Fact: there are those who would like to spy. Fact: A good method is to get the place you want to spy on to have a device inside, you control and can use to get data out. Fact: Those who wish to spy, make PC's that are brought into the places that they want to spy on and contain the data they wish to get.
If the Chinese AIN'T doing this, they are either afraid the west (and their own people) check all their hardware, ain't all that intrested because there are methods less likely to risk their trade or they are really stupid.
The Chinese ain't stupid and the west doesn't check all the time. Leaves that China doesn't want to risk trade by making their products suspect if just one nerd with a packet sniffer finds something.
It is worth keeping in mind however that the risk is there. Can the US afford to loose more and more of its chip production? We already saw what happens with rare earth materials. This stuff is all over the globe, the US got piles of it, Russia is drowning in it BUT it all seemed so easy to have ONLY the Chinese invest in mining it. Now the rest of the world needs years to get their own production up to scratch.
Say China starts a war (against Russia for resources) today... how long can the US afford to get its war production up to speed without Chinese/Taiwanese goods? Goods that might at the flick of a switch all contain spyware?
Gosh, maybe some generals should play Civ a bit more. See how things can change on a single turn.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Ok - time for a few corrections
1) First Intel (after initially responding poorly to the bug) fully recalled the product without question. If you had a processor in question, you could ask for and recieve a replacement. Please see http://en.wikipedia.org/wiki/Pentium_FDIV_bug
2) The flaw was caused by a bad division lookup table, not the mathematical nuance of binary logic gates. What I think you are trying to describe is the fact that floating point numbers are not percise, and you never compare them directly, only compare if they are within a small delta of each other.
I have mod points and I am not afraid to use them
Sandboxie is the name of a program for Windows that can create and run programs in sandboxes.
The "trusting trust" attack is a nasty attack, but there is a counter-measure. Diverse double-compiling can detect compiler executables subverted by the "trusting trust" attack. See my paper for more, if you're curious.
- David A. Wheeler (see my Secure Programming HOWTO)