Slashdot Mirror


Stealthy Dopant-Level Hardware Trojans

DoctorBit writes "A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: 'Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips."' In a test of their technique against Intel's Ivy Bridge Random Number Generator (RNG) the researchers found that by setting selected flip-flop outputs to zero or one, 'Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.' They conclude that 'Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests. The higher the value n that the attacker chooses, the harder it will be for an evaluator to detect that the random numbers have been compromised.'"
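To make the summary's claim concrete, here is an added, self-contained model of the attack (example code written for this page, not the paper's or Intel's design). A counter-mode DRBG with a 128-bit key is driven by a key in which only the low n bits still vary; everything else has been pinned to an attacker-chosen constant, which is the effect the paper describes. SHA-256 in counter mode stands in for AES so the script needs only the standard library, and the constant FIXED_KEY, the word size and n = 16 are assumptions for illustration. The output sails through a monobit check and the compression test some commenters propose, yet an attacker who knows the fixed bits recovers the remaining secret with 2^n trial keys.

```python
import hashlib
import zlib
from typing import Optional

# Attacker-chosen constant for the pinned key bits (assumed value; the paper only
# says the key becomes mostly fixed, the actual bits are the attacker's choice).
FIXED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def trojan_key(n: int, secret: int) -> bytes:
    """128-bit DRBG key in which only the low n bits still vary (the Trojan's effect)."""
    if not 0 <= secret < (1 << n):
        raise ValueError("secret must fit in n bits")
    k = int.from_bytes(FIXED_KEY, "big")
    k = ((k >> n) << n) | secret          # clear the low n bits, then set them to the secret
    return k.to_bytes(16, "big")


def prf_block(key: bytes, counter: int) -> bytes:
    """One counter-mode PRF block. SHA-256 stands in for AES (assumption, stdlib only)."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()[:16]


def drbg_output(key: bytes, nbytes: int) -> bytes:
    """Counter-mode DRBG stream: strong post-processing over a weak key."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += prf_block(key, ctr)
        ctr += 1
    return bytes(out[:nbytes])


def monobit_fraction(data: bytes) -> float:
    """Fraction of one-bits; a healthy stream sits close to 0.5 (the NIST monobit idea)."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def compression_ratio(data: bytes) -> float:
    """len(compressed) / len(raw). Unpredictable bytes do not compress (ratio about 1.0)."""
    return len(zlib.compress(data, 9)) / len(data)


def recover_secret(n: int, sample: bytes) -> Optional[int]:
    """Attacker's view: try all 2^n secrets until the DRBG reproduces the observed first block."""
    target = sample[:16]
    for s in range(1 << n):
        if prf_block(trojan_key(n, s), 0) == target:
            return s
    return None


def demo(n: int = 16, secret: int = 0xBEEF) -> dict:
    """Generate 4 KiB from a Trojaned key, run the cheap statistical checks, then break it."""
    stream = drbg_output(trojan_key(n, secret), 4096)
    return {
        "monobit": monobit_fraction(stream),              # close to 0.5: looks fine
        "compression_ratio": compression_ratio(stream),   # about 1.0: looks fine
        "recovered_secret": recover_secret(n, stream),    # equals `secret`: broken anyway
        "work_factor_log2": n,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the brute-force loop is the "n can be chosen" sentence from the summary: a test suite sees a perfect AES-style stream whether n is 16 or 128, so the statistical checks give no signal about the work factor, which is the only thing that changed.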

166 comments

  1. Fascinating... by CajunArson · · Score: 1, Insightful

    So all the NSA needs to do is kidnap your chip, microscopically re-dope it, and shove it back in your computer without you noticing!

    Phew... I'm glad there are absolutely no other simpler ways for the NSA to spy on us other than re-doping chips! I'll just superglue mine into the socket so I know I'm safe.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Fascinating... by Anonymous Coward · · Score: 1

      Silicon is just politics by other means. So presume both the Chinese and the West are trying to flood supply channels with compromised/counterfeit silicon in hopes of it finding its way into the other side's hardware.

    2. Re:Fascinating... by Anonymous Coward · · Score: 0

      Some chips are packaged at a different location than the chip fab. This is very likely to happen for the fabless companies that use contract manufacturing. Some agencies could swap them at the packaging plant or in transit.

    3. Re:Fascinating... by h4rr4r · · Score: 1

      Why would they bother with that, when they can have someone working at the fab do it?

    4. Re:Fascinating... by Anonymous Coward · · Score: 5, Insightful

      NSA? Probably not. The Chinese chip fab that has been known to have a third shift and has full access to masks and such? Certainly.

      The NSA isn't the only agency wanting to know everything a person does.

    5. Re:Fascinating... by the_B0fh · · Score: 1

      Why? So many other avenues of attack. Don't bring out the silliest arguments and expect us to debate it from the extremely silly point of view.

    6. Re:Fascinating... by omnichad · · Score: 3, Interesting

      All they need to do? It's already been done at the fab! Why else would this be coming out now? These researchers have been under a gag order for years and only now got bold enough to stand up to the NSA.

      Opinions above are exaggerated for entertainment purposes only

    7. Re:Fascinating... by Joce640k · · Score: 1

      So all the NSA needs to do is kidnap your chip, microscopically re-dope it, and shove it back in your computer without you noticing!

      They could have a batch of compromised chips and replace the one in your computer.

      Would you ever know? I really doubt it.

      --
      No sig today...
    8. Re:Fascinating... by Anonymous Coward · · Score: 0

      Whoosh.

      Did you not notice the 6 inch deep pool of sarcasm that you were standing in?

    9. Re:Fascinating... by sexconker · · Score: 2

      So all the NSA needs to do is kidnap your chip, microscopically re-dope it, and shove it back in your computer without you noticing!

      They could have a batch of compromised chips and replace the one in your computer.

      Would you ever know? I really doubt it.

      The fact that Windows wants you to reactivate would be your first clue.

    10. Re:Fascinating... by Firethorn · · Score: 1

      That only works if you've replaced enough other stuff in your computer, that the compromised chips don't have a code that the compromised Windows is programmed to ignore, that you didn't buy a compromised chip in the first place, etc...

      Also, if I'm bothering with custom compromised chips, I might just have the CPU ID be reprogrammable on them, and bring with me a device capable of reading the code from the removed CPU and burning it into the replacement.

      In reality though, they'll just use an unadvertised zero day exploit to install a rootkit onto your computer and be done with it.

      --
      I don't read AC A human right
    11. Re:Fascinating... by slew · · Score: 1

      Silicon wafers are generally "electrically passivated" before being diced and sent to packaging. This is often done by growing a reasonably thick layer of silicon dioxide on top to insulate the planar circuits below.

      FWIW, often during pre-production, a small number of wafers are made w/o the passivation step so that engineers can use FIBs (focused ion beams) to modify the circuitry to assist in finding workarounds for bugs. The reason for this is that FIBs can't easily penetrate this layer w/o doing lots of collateral damage to nearby circuits. These unpassivated chips generally will fail after a short life because the circuits tend to thermally "age" much faster than normal w/o this protective top layer. Also, actually finding a specific transistor on a die under a passivation layer is a challenge in itself (having tried to do this myself, it's not as easy as you might think), and the FIB is like digging holes in this layer with a mortar shell.

      If someone were to attempt to "re-dope" a standard passivated production die (which already has this layer put on top), good luck to them...

      What these folks are talking about is actually changing the masks in the fab so that all the chips are made "defective" to start with. Standard checks made by most manufacturers only check the layout vs. the schematic (e.g., an electronic device in the layout matches the same device you have in the schematic or gate netlist). Once the layout is done, the design is "fractured" to be imaged onto masks. If you then muck with the masks to change the function of a transistor at this point, generally, nobody will know since there are no current automated checks that verify that the final mask matches the layout.

      FWIW, the "trick" that these folks used to attack the Intel RNG, was to attack a part of the circuit that was only protected by BIST (built-in-self-test), so they modified the circuit in a way that compromised the entropy input in a way that was not detectable by the BIST function (which relied on a 32-bit CRC for detection), but the BIST function would still be able to detect defects in the silicon. You can bet that next-time, someone is gonna look harder at that BIST function.

    12. Re:Fascinating... by Anonymous Coward · · Score: 0

      Intel doesn't make many chips in China. US export law requires that the cutting edge stuff be made here or at least somewhere more trustworthy like Ireland and Israel. The only Intel fab in China is making 65nm stuff.

    13. Re:Fascinating... by Anonymous Coward · · Score: 0

      Yep. Shame on you /. for modding up to 5 a completely inaccurate post.
      Oh, sorry, for a moment I forgot we don't let the facts get in the way of China-bashing.

    14. Re:Fascinating... by Joce640k · · Score: 1

      The fact that Windows wants you to reactivate would be your first clue.

      You think the NSA would go to all that trouble but not have a valid Windows activation key...?

      --
      No sig today...
  2. Can an entire agency... by Overzeetop · · Score: 2, Insightful

    Can an entire three-letter-agency get a corporate hard-on? 'Cause if they can, this gave our favorite one the biggest boner in the known universe.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Can an entire agency... by Anonymous Coward · · Score: 0

      Why? They probably already have backdoors in the architecture.

    2. Re:Can an entire agency... by Anonymous Coward · · Score: 0

      Can an entire three-letter-agency get a corporate hard-on? 'Cause if they can, this gave our favorite one the biggest boner in the known universe.

      Or, this may be old news to them.

      (Gotta love how people just sit back and assume that advanced classified operations manipulating hardware somehow don't exist and haven't been going on for decades because we're not supposed to know about them...)

    3. Re:Can an entire agency... by Anonymous Coward · · Score: 0

      what about the backdoors into the place behind those backdoors? the motherfuckers have hacked out the other side of the matrix...

    4. Re:Can an entire agency... by 93+Escort+Wagon · · Score: 2

      Can an entire three-letter-agency get a corporate hard-on? 'Cause if they can, this gave our favorite one the biggest boner in the known universe.

      On the contrary... more likely, either the NSA or the Chinese (or both!) will read this and say "Crap! They figured it out!"

      If it's the NSA, we'll see some new laws passed soon giving them broad new secret vetoing power over publishing in scientific journals.

      --
      #DeleteChrome
    5. Re:Can an entire agency... by interkin3tic · · Score: 2

      How likely is it that the NSA or whoever already uses this? It seems to me that with many science fields, the agencies are more than happy to sit back and let someone else spend time and money to develop the tech, then they steal it, copy it, or as a last resort, buy it with taxpayer money. But then obviously, we wouldn't know if they ARE actually coming up with innovation, since they'd obviously keep it secret.

      In general though, it seems like the best and brightest scientists have strong disincentives to work in secret government labs. Working and publishing your results openly gets you known for your accomplishments and helps advance technology, and the private sector pays more if that doesn't interest you. What can the NSA or CIA offer you besides uncertainty about whether they're going to kill you and make it look like a suicide after they're done with you?

    6. Re:Can an entire agency... by JanneM · · Score: 1

      If it's the NSA, we'll see some new laws passed soon giving them broad new secret vetoing power over publishing in scientific journals.

      How would you know they don't have that already?

      --
      Trust the Computer. The Computer is your friend.
    7. Re:Can an entire agency... by AmiMoJo · · Score: 2

      China is developing its own x86 compatible CPUs, so perhaps they know something we don't.

      If the NSA/CIA wants you I'm not sure you can say no.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Can an entire agency... by tilante · · Score: 1

      Except that we know for sure that the NSA has made breakthroughs in the past, putting them years ahead of academia in cryptanalysis. They knew about differential cryptanalysis before it was officially discovered. Bruce Schneier points out that according to documents leaked by Snowden, the NSA's "research and development" budget for cryptanalysis is more than is being spent on cryptanalysis research by all of academia combined.

      So what can they offer? A larger budget for your research than you would ever get in a university setting, plus no "publish or perish" pressures, no having to spend time teaching classes, and working with other people who are also on the cutting edge of cryptologic research. The NSA is also known to have their own chip fabrication facilities, so they can create custom hardware - which isn't something you're generally going to get to work with on a university budget.

    9. Re:Can an entire agency... by Artifakt · · Score: 1

      People work for the government for job security, as it's harder to get fired just because of a personality conflict with one supervisor. Or they do it for idealism, patriotism or a more specific desire to defeat "the terrorists" of the moment. Or the government pays to educate some bright young person and that person feels loyalty afterwards.

      I have to disagree with one of your points though: "the private sector pays more...". Given that the NSA and others seem to have a lot of funding, with much of it hidden in 'black box' sources, and given that Homeland Security seems to be bending a lot of rules, we (the general public) can't be at all sure but what the government, on occasion, pays hefty bonuses to selected persons.

      I don't have any particular proof of this, but there are historical examples of HSA type organizations, particularly under Nazi Germany and then the post-WW2 USSR and its client states, where that was very much a part of what the covert funding went to. The Russians used to joke about how the state security people that lived through the job all seemed to retire to very nice dachas on the seacoasts. The USA may be funneling 'bonuses' that more than make up for those sub-standard salaries to the 'right' people, although I would just about bet that if they are, there's a lengthy chain of systems laundering it, and the people who get it report scrupulously to the IRS.

      (This post is not a Godwinning. I'm not claiming that the NSA are Nazis, just that Homeland Security type organizations have a historical record of finding numerous and spectacular ways to pay selected people more than the general government payroll says they should.)

      --
      Who is John Cabal?
  3. Get Your Tinfoil Hats by stewsters · · Score: 4, Informative

    I would guess that an intelligence agency figured this out a few years ago. One that can plant moles at Intel. That's why they also want to remove rdrand from Linux.
    http://linux.slashdot.org/story/13/09/10/1311247/linus-responds-to-rdrand-petition-with-scorn

    1. Re:Get Your Tinfoil Hats by Anonymous Coward · · Score: 1

      Geez - are you a functional illiterate or did you not even read the thread that you linked?

      Even if rdrand provides 0 entropy, it doesn't make the entropy pool any worse. Removing rdrand is dumb and it can be turned off anyway by setting a single flag.

    2. Re:Get Your Tinfoil Hats by thoromyr · · Score: 1

      This is a real problem with incomplete understanding of entropy and how it is used. The question is not "does rdrand provide X entropy" it is "does rdrand provide at least X entropy that it is being credited for".

      If a process in linux asks for a random number the current pool is evaluated. Each input to the pool provides (theoretically) some X entropy and is credited with having provided some Y entropy where (presumably) X >= Y. If the *credited* entropy is enough then a number is returned, otherwise it depends on whether or not the blocking or non-blocking call was used.

      So if rdrand is *credited* with providing X bits of entropy, but in fact provides 0 bits, and the "lie" causes credited entropy to cross the threshold then you will get a number generated from insufficient entropy.

      Now, I haven't looked at the kernel or read up on this to see what the case is but the consideration is "does rdrand provide at least the entropy it is being credited for?"

      If rdrand is used as a source of entropy but is *never* credited then it could only possibly hurt if there was some magic that allowed it to *reduce* the entropy pool by its inclusion. That seems more than a little far fetched.

      If rdrand is used as a source of entropy and is credited for at least 1 bit then the inclusion is harmful if it has been compromised to the extent that it is credited.

    3. Re:Get Your Tinfoil Hats by Anonymous Coward · · Score: 0

      It is not credited for anything. It is not even added to the entropy pool - it is only used on output.

    4. Re:Get Your Tinfoil Hats by Anonymous Coward · · Score: 0

      It goes { Get bits from entropy pool -> pass it through SHA transform -> XOR with native random if available }, so it's basically max(entropy(kernel random), entropy(rdrand)).

      There are also other functions for kernel's internal usage that use it directly marked as "not cryptographically secure" for ASLR and whatnot.

      You can also disable it completely with nordrand at boot time or !CONFIG_ARCH_RANDOM at compile time.
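The mixing step the comment above describes (hash-extract from the pool, then XOR with the arch source) can be checked with an added toy model. This is illustration code written for this page, not kernel code: the pool is a 2-byte state with 12 bits of real entropy, the RDRAND stand-in is a SHA-256 function of a hidden 12-bit secret, and the constants 2500 and 3333 are constructed for the example. The attacker's search shows why a backdoored RDRAND cannot make the output worse than the pool alone, and an empty pool cannot make it worse than RDRAND alone: whichever side is unknown still has to be searched, and only when both are known is the output predictable.

```python
import hashlib
from typing import Optional

WORD = 8  # output word size in bytes (toy size, assumed)


def extract(pool_state: bytes) -> bytes:
    """Hash-extract one word from the pool (stands in for the kernel's SHA transform)."""
    return hashlib.sha256(b"pool|" + pool_state).digest()[:WORD]


def arch_random(arch_secret: int, counter: int) -> bytes:
    """Toy RDRAND: a function of hidden state the CPU (or a Trojan in it) controls.
    Assumed model for illustration, not Intel's design."""
    msg = b"arch|" + arch_secret.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hashlib.sha256(msg).digest()[:WORD]


def combined_output(pool_state: bytes, arch_secret: int, counter: int) -> bytes:
    """What a reader of /dev/random sees: extracted pool word XOR arch word."""
    h = extract(pool_state)
    a = arch_random(arch_secret, counter)
    return bytes(x ^ y for x, y in zip(h, a))


def brute_force(observed: bytes, counter: int, bits: int = 12,
                pool_known: Optional[bytes] = None,
                arch_known: Optional[int] = None) -> Optional[int]:
    """Attacker's search. Whatever is known is fixed; each unknown side is searched
    over 2^bits candidates. Returns the number of candidates tried until the match,
    or None if nothing matched."""
    pools = ([pool_known] if pool_known is not None
             else [s.to_bytes(2, "big") for s in range(1 << bits)])
    archs = [arch_known] if arch_known is not None else range(1 << bits)
    tries = 0
    for p in pools:
        for a in archs:
            tries += 1
            if combined_output(p, a, counter) == observed:
                return tries
    return None


def demo() -> dict:
    """Three attacker positions against the same observed word."""
    pool = (2500).to_bytes(2, "big")   # constructed pool state, 12 bits of entropy
    secret = 3333                      # constructed hidden RDRAND state, 12 bits
    out = combined_output(pool, secret, 0)
    return {
        # RDRAND fully backdoored (attacker knows its state), pool healthy: search the pool
        "rdrand_backdoored_pool_good": brute_force(out, 0, arch_known=secret),
        # pool empty/known, RDRAND honest: search RDRAND's state instead
        "pool_empty_rdrand_good": brute_force(out, 0, pool_known=pool),
        # both sides known: one guess
        "both_known": brute_force(out, 0, pool_known=pool, arch_known=secret),
    }


if __name__ == "__main__":
    print(demo())
```

With both sides unknown the search space is the product (2^24 here), which is why the comment summarises the construction as max(entropy(kernel random), entropy(rdrand)) rather than a sum: the attacker only needs to break the weaker side, but never gets below it.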

  4. Multipple Entropy? by Anonymous Coward · · Score: 0

    Several different methods of entropy should be employed? Heck what about random generator devices?

    1. Re:Multipple Entropy? by fuzzyfuzzyfungus · · Score: 2

      "Heck what about random generator devices?"

      The whole point of TFA is about a technique for (mostly undetectably) modifying a good hardware RNG and turning it into a really lousy one.

      Getting your entropy from multiple places probably helps (if they don't know what 6 RNGs you chose it's harder to dope them all, and even if they do, they still have to slog through the entropy from multiple crippled sources rather than only a single one (and, while it is possible to cripple the RNG entirely, that will show up on tests, so plausible real-world implementations would still provide some entropy, just less than advertised)).

    2. Re:Multipple Entropy? by Anonymous Coward · · Score: 0

      Why use an RNG? There's enough noise in the world around us to generate "noise" without an RNG. Point a directional (but not parabolic) microphone at an interstate (or similarly sized road in your country) at a distance of 1 mile (or a few km if you're not from the US). Inspect the output signal. You'll never run out of what are essentially random audio samples. To increase the randomness, use an omnidirectional mic, so it picks up nearby noises as well. You can generate fixed tones near the mic to reduce the randomness a bit, but that's mostly ineffective because, hey, what happens if a bird flies past? What if a squirrel starts digging at the mic to see if it's edible? You need to ruggedize the hardware a bit, but it will provide more than enough randomness that can't be messed with easily, and certainly not remotely.

      tl;dr: You only need quantized noise, and there's plenty in that sunny place called "outside".

    3. Re:Multipple Entropy? by fuzzyfuzzyfungus · · Score: 1

      Oh, nothing requires that the RNG be on-die (and, as you say, there are all kinds of options that aren't; the universe is a very noisy place). However, unless your computer is actually configured to use whatever access to the noise of the universe it has (nasty little webcams are another good source), and dump that entropy in whatever pool(s) your software environment specifies, it doesn't help you much.

      The on-die ones are valued mostly because they are really, really, fast and a whole lot cheaper than the earlier generations of purpose-built crypto coprocessors, which were very much priced for a niche market.

      If you can't trust them, though, you have options.

    4. Re:Multipple Entropy? by HiThere · · Score: 1

      Well, I prefer an over-driven triode, but those are harder to get than they used to be. Nothing wrong with a mic as a source. In fact, many computers come with them built-in. Chop and hash that source a few times, compress it lightly, and fold with an xor and you've got a pretty random signal. The problem comes if you want your random numbers to follow some standardized distribution. And you usually do. Uniform random distribution and Normal random distribution are the ones usually needed, but sometimes Gaussian.

      OTOH, if we're talking about something built into the system (like /dev/random) then the fancy manipulation can be handled by someone else. But that someone probably won't be able to depend on a user supplied external source of randomness.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  5. Dopant? by Anonymous Coward · · Score: 0

    Then you'd better count up your sins!

  6. I don't get it, sorry. by Joining+Yet+Again · · Score: 0

    If you modify a chip, you can make it behave differently?

    What's the news here please?

    1. Re:I don't get it, sorry. by Anonymous Coward · · Score: 0

      Did you read the part about it being undetectable by normal inspection?

    2. Re:I don't get it, sorry. by Anonymous Coward · · Score: 0

      They're modifying the chip to influence the random number generator, but more specifically it is modified in a way that cannot be detected very easily if at all. The important part is the not being detected. It's easy to modify a chip and make it behave differently, it's another thing to modify a chip and have it go unnoticed even under close scrutiny.

    3. Re:I don't get it, sorry. by Anonymous Coward · · Score: 0

      Wow, I know most tech geeks like to pretend that the achievements of others are tiny insignificant things, and that they could have got the same result in 5 seconds if you'd only asked them, but this is taking it to a whole new level.

    4. Re:I don't get it, sorry. by Joining+Yet+Again · · Score: 2

      1. Changing the dopant in a transistor is undetectable by visual inspection - clearly;

      2. Randomness isn't the same as predictability.

      I skimmed through the paper thinking that the innovation was that they'd actually been able to modify an Intel chip. But they appear to be saying little more than that you can manufacture a chip "wrongly" (after a LOT of waffle - you'd never get away with this writing math papers!).

    5. Re:I don't get it, sorry. by Joining+Yet+Again · · Score: 1

      The "discoveries" in this paper are:

      1) A chemical change is undetectable by visual inspection;

      2) Reducing the number of bits used for randomisation may be undetectable.

      That's not worth a multi-page paper, is it?

    6. Re:I don't get it, sorry. by Anonymous Coward · · Score: 0

      Don't you have TPS reports to write today, sonny?

    7. Re:I don't get it, sorry. by Hizonner · · Score: 3, Insightful

      Yes, yes it is.

      In security, you're trying to change the behavior of corporate drones, idiots, and people who are invested in the status quo. People use these papers as ammunition for that.

      The drones will call your attack "theoretical" and "impractical" unless you spell out exactly how to do it, step by step. If they hadn't detailed exactly how to do it, the attitude would basically have been that nobody could possibly figure out the impossible complexity of weakening a REAL RNG. I mean, look at the self tests! Nobody could get around that! In fact, even people who weren't complete idiots might have guessed, at first glance, that the self tests would be hard to defeat, or that you couldn't do this hack without screwing up the chip.

      Even with a detailed paper, they will probably be ignored until somebody actually does it in the field. If you wrote a one-pager that said "Warning! Somebody could alter the behavior of gates by tweaking the dopants", they would 1000 percent ignore it.

      As for the verbose background information, it's standard in the field (although they went a bit heavy on it). It has zero cost, and readers in the field who don't need it simply skip it. So I don't know why you're getting so upset about it.

      Please don't trash people's work in fields you don't even slightly understand.

    8. Re:I don't get it, sorry. by kermidge · · Score: 2

      This is not my field by a long stretch. After reading the pdf this morning, what I got from the paper was a method to undetectably make relatively easily-done changes to various transistors such that those changes offer an entry point for external reading and possibly manipulation to potentially useful effect within real-world manufacturing methods. Do this, pwn chips. Profit.

      What these guys have done strikes me as impressive - and wonderfully, elegantly sneaky. I know there are some design and fab people here - what say you?

    9. Re:I don't get it, sorry. by Joining+Yet+Again · · Score: 1

      Why do you think I don't even understand the field? Everything I've said is accurate, everything they've said is accurate, and all I'm saying is that I don't get what the deal is with writing a big paper about it. You've suggested that it's about socially engineering the PHBs rather than informing academia, which is fair enough... but that's not a "paper" in the way I think of it, then.

  7. Re:I wonder by Anonymous Coward · · Score: 2, Informative

    Yes. A device that contains something concealed and malevolent? That's a hardware trojan right there.

  8. Re:I wonder by __aaltlg1547 · · Score: 1

    You brought it inside the walls on the advertisement that it was a big wooden horse, but it has the enemy inside. Yep.

  9. Re:I wonder by Anonymous Coward · · Score: 2

    What else would you call physical access to your dopant masks? /sarcasm

    Repeat after me: physical access to <insert item here> allows for a much greater security risk.

  10. optical inspection? by nten · · Score: 0

    There are easy numeric methods for determining how random data is. Optical inspection would be unnecessary to discover this modification. You might even get away with generating a few megabytes of data, zipping it, and then comparing the resulting compression ratio to a known good chip.

    --
    refactor the law, it's bloated, confusing and unmaintainable.
    1. Re:optical inspection? by Anonymous Coward · · Score: 4, Insightful

      There are easy numeric methods for determining how random data is.

      Actually, no. Technically speaking, there is no such thing as random data, only a random process. You can certainly test how random a data stream seems, but if the data source is a black box, you never really know.

      From TFS:

      Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests.

      What if your black box is just feeding you encrypted bits of pi? You would never know, but the black box's maker could trivially reproduce your "random" numbers.

    2. Re:optical inspection? by Anonymous Coward · · Score: 1

      We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests.

      While your assessment is true, the scope needed to identify the difference between 32 bits of entropy and 128 bits is inconvenient. Also, each bit of entropy added doubles the time to confirm (just as each bit doubles the time to break) so my main take from this article is that RNG testers do not do enough tests to confirm half the level of chaos that people are attempting to use.

    3. Re:optical inspection? by the_B0fh · · Score: 1

      Oh, you mean like RSA tokens and the seed files? :P

    4. Re:optical inspection? by moteyalpha · · Score: 2

      As a person who has worked in semiconductors since the first SSI 7400, I can say for certain that many things have been done and there are some really talented people who can do things that -almost- defy reason. I know that engineers put their own little signatures in ASICs and that some engineers are far more competent than can be understood by most. I have seen many circuits that were situationally controlled or externally controlled by means that would not be obvious without an understanding of the physics, electromagnetic conditions, and software. It can even be done at the layout level. Early CMOS was notoriously susceptible to EM induction. I have seen a board that used an unconnected trace to an input pin as an RC circuit.

      The greatest problem that I see in this type of behavior is that it assumes perfect security and there is no such thing. If you put a means to invade or disable systems in all products, you are hurting every individual and business. If you also create a system where people cannot verify your identity as a secret police without committing a crime, you have created a back door in the social engineering realm. If I am party to a security request, I then know what documents, methods and verifications are being used and thus it can be used as a spoof attack on anybody else with little chance of discovery.

      I would not be the least bit surprised if it was discovered that IBM, Intel, Motorola, and others were subjected to this same security theater. The problem with hardware is that once the flaw becomes exposed and if it is bad enough, the entire system must be replaced. It is rational to have different circuitry for military applications, but when it creeps into consumer and business products it is wrong in many ways, and though the intent may be for the military to do what it thinks will solve -their- problem, without oversight it becomes paradoxical, and if they destroy the means to do business and make profit through their tampering, then it is full circle and the funds and efforts that support the government and military are damaged.

      The problem is in oversight; defence must be limited in its scope of action. Isn't this what all the fuss is about with Syria and Iraq? The conventional military action is assumed to have overstepped the boundaries into what is considered socially acceptable, and this NSA condition is no different. It is a failure in leadership and oversight that offends the sensibilities. Nazi Germany had a very effective military and it would have been a non-issue if they had been guided by people with empathy and reason.

      Say what!? Optical inspection at 14 nanometers? Did I miss a memo or something?

    5. Re:optical inspection? by Anonymous Coward · · Score: 2, Interesting

      You can still generate an arbitrary amount of entropy with a compromised RNG if you know it's compromised. Let's say you have a ridiculously compromised RNG with only 1-bit of entropy and 32-bit output, such an RNG could trivially fail statistical tests, if it used simple combinatorials to mix the nth output with the n-1th output, or it could be almost undetectable, if it uses complex combinatorials, such as the AES method used in the Intel RDRAND. In either case, each word will contain some entropy, even if it is much less than stated "on the box".

      Let's say it outputs a 32-bit word (the RDRAND32 instruction does), and each word is supposed to contain 32-bits of entropy (I dunno), but only contains 8-bits of entropy. If I mix 4 words of output to produce an output of 32-bits, I have reliably produced 32-bits of entropy.

      The danger here is that a software implementation takes the manufacturers word on the entropy content of the output, since we can't distinguish between genuine entropy and the output of a strong cipher with a hidden state (as is the case in RDRAND), rather than mixing the RNG output down to a smaller number of bits (for example by chain-ciphering N consecutive words of RNG output together to form one word of output).

      One potential mitigation to most of these compromised RNG scares is to have the user initialise an S-box or cipher key manually (flip coins, roll dice), and feed all RNG output through a strong cipher in feedback mode. The predictability of the RNG is no longer usable for cryptanalysis as the output of the cipher is not predictable without breaking the cipher and discovering the key. The key can't be discovered by cryptanalysis, because it's only ever used to cipher "random" (though partially compromised) input, and cryptanalysis of users of the RNG is thwarted because there is no longer identifiable correspondence between the RNG output and the random values used. Even if the key for the random post-processing is known, the correspondence between random-system output and RNG output is non-trivial, and there is no way to know the internal state of the ciphers feedback register, as it is constantly accumulating partial entropy from the RNG, which is never revealed.

      Most of this doesn't apply to fake RNGs (PRNGs) which have been compromised to generate no entropy after initialisation, as eventually sufficient state will percolate through the cipher to regenerate the seed value and a sliding window attack will recover the offset. Unfortunately a PRNG can be designed to be statistically indistinguishable from an RNG for computationally impractical long runs of output 2**96 bits or longer if the internal state of the PRNG can't be obtained (many existing block ciphers fulfill this requirement).

      The described attack seems to describe weakening the entropy of the RNG rather than reducing its entropy to an initial constant, and so while less than ideal, would not compromise a prudently designed random number system.

    6. Re:optical inspection? by jhol13 · · Score: 1

      Actually, no. Technically speaking, there is no such thing as random data, only a random process.

      Actually, there is random data. That is, data generated by a random process.

      Unsurprisingly, there are quite a few different tests which can determine, or perhaps "predict the chance", if some data is produced by a random process, i.e. is random, or not. The easiest for a layman is to try to compress it. Random data of sufficient size won't compress, with unbelievably huge probability.

    7. Re:optical inspection? by jhol13 · · Score: 1

      (Sorry for screwing the quote ... not the first time ... apparently my brain is a random process)

    8. Re:optical inspection? by vux984 · · Score: 1

      Actually, there is random data. That is, data generated by a random process.

        I build 2 boxes

      The first produces its data stream by a random process.
      The 2nd box, as its process, copies the data from the first box.

      Any test that would grade the first data stream as random would grade the 2nd data stream as random.

      The 2nd data stream is not random, as the owner of the first box can tell you, in advance, what every output of the 2nd box will be.

    9. Re:optical inspection? by Anonymous Coward · · Score: 0

      A properly encrypted ciphertext is completely indistinguishable from random data by any means. That is the entire point of software like TrueCrypt.

    10. Re:optical inspection? by jhol13 · · Score: 1

      Are you really claiming, that exactly same data can be mathematically speaking both random and non-random?

    11. Re:optical inspection? by vux984 · · Score: 1

      I am claiming that the same data can be produced by a random process or a non-random process.

        Therefore one cannot merely examine the data to determine if its truly random. One MUST examine the process.

    12. Re:optical inspection? by jhol13 · · Score: 1

      In that case we get to the philosophical question: is there anything "truly" random. No process describable by mathematics certainly is not.

    13. Re:optical inspection? by vux984 · · Score: 1

      We could but we don't have to.

      Box 1 is random to the best of our ability. Sure we can discuss the philosophical question of free will vs determinism and absolute cause and effect, and whether or not something can be truly random.

      But we can agree that right now, nobody has the faintest idea what's going to come out of box 1 next.

      Box 2 isn't random at all. It runs in lock step to box 1. Anyone with access to box 1 knows what's going to come out of box 2.

    14. Re:optical inspection? by return+42 · · Score: 1

      Yes, I just realized this. A properly written OS can periodically test the hardware RNG for reduced entropy. Let us suppose we can detect if the entropy has fallen below 32 bits. Then, whenever we are using the hardware RNG, we pessimistically assume that there are only 16 bits of entropy available per sample. Grab a bunch, run it through a good hash function, repeat, concatenate. You end up with as many bits of good random data as you need, and you XOR it with the random bits you got from other sources.
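The post above (grab a bunch of samples, assume far fewer entropy bits than advertised, hash them down) and the earlier post in this thread on feeding a compromised RNG through a user-keyed cipher in feedback mode, as one added example that is not part of this thread. It simulates an RDRAND-like generator whose entropy source has been reduced to n bits per 32-bit word, with the remaining bits stuck at constants as the Trojan does to selected flip-flops. SHA-256 and HMAC stand in for the on-chip AES stage and for the user's feedback cipher; that substitution is an assumption made so the script has no dependencies, and the construction rather than the primitive is the point. The script shows that an attacker who knows the Trojan can enumerate every output the whitened generator will ever produce, then shows both mitigations: condensing k words into one, and a user-keyed feedback mixer whose register is never revealed.

```python
import hashlib
import hmac
import secrets
import struct


class TrojanedSource:
    """Simulated entropy source whose 32-bit words carry only n_bits of entropy:
    the other bits are stuck at constants, as the dopant Trojan does to
    selected flip-flops.  secrets.randbits() supplies the bits that still vary."""

    def __init__(self, n_bits: int, stuck_pattern: int = 0xA5A5A5A5):
        assert 1 <= n_bits <= 32
        self.n_bits = n_bits
        self.mask = (1 << n_bits) - 1                    # bits that still vary
        self.stuck = stuck_pattern & ~self.mask & 0xFFFFFFFF

    def raw_word(self) -> int:
        return self.stuck | secrets.randbits(self.n_bits)


def whiten(word: int) -> int:
    """Stand-in for the on-chip post-processing (AES in the real part).  A strong
    one-way mix makes any input look random but cannot add entropy."""
    digest = hashlib.sha256(struct.pack(">I", word)).digest()
    return struct.unpack(">I", digest[:4])[0]


def rdrand_like(src: TrojanedSource) -> int:
    """What software sees: a 32-bit word that passes statistical tests."""
    return whiten(src.raw_word())


def attacker_dictionary(n_bits: int, stuck_pattern: int) -> set:
    """An attacker who knows the Trojan precomputes every possible output:
    2**n_bits entries, so each observed word is immediately recognisable."""
    src = TrojanedSource(n_bits, stuck_pattern)
    return {whiten(src.stuck | r) for r in range(1 << n_bits)}


def condense(src: TrojanedSource, k: int) -> int:
    """Mitigation 1: fold k words into one, trusting only n_bits per word.
    The result carries up to min(32, k * n_bits) bits of entropy."""
    h = hashlib.sha256()
    for _ in range(k):
        h.update(struct.pack(">I", src.raw_word()))
    return struct.unpack(">I", h.digest()[:4])[0]


class KeyedFeedbackMixer:
    """Mitigation 2: a key the user made by hand (coin flips, dice) drives a
    keyed function in feedback mode.  Every input word is absorbed into the
    register, which is never revealed, so the attacker's dictionary of raw
    outputs no longer matches anything the system actually uses."""

    def __init__(self, user_key: bytes, src: TrojanedSource):
        self.key = user_key
        self.src = src
        self.state = b"\x00" * 32

    def next_word(self) -> int:
        word = struct.pack(">I", self.src.raw_word())
        self.state = hmac.new(self.key, self.state + word, hashlib.sha256).digest()
        return struct.unpack(">I", self.state[:4])[0]


def distinct_outputs(gen, samples: int) -> int:
    return len({gen() for _ in range(samples)})


if __name__ == "__main__":
    src = TrojanedSource(4)                       # 4 bits of entropy per word
    known = attacker_dictionary(4, 0xA5A5A5A5)
    print("distinct raw outputs in 2000 draws:",
          distinct_outputs(lambda: rdrand_like(src), 2000))
    print("every raw output recognised by attacker:",
          all(rdrand_like(src) in known for _ in range(100)))
    print("distinct condensed outputs in 2000 draws:",
          distinct_outputs(lambda: condense(src, 8), 2000))
    mixer = KeyedFeedbackMixer(b"HTHHTHTTHHHTHTHH", src)   # constructed coin flips
    print("any mixer output in attacker dictionary:",
          any(mixer.next_word() in known for _ in range(100)))
```

With n = 4 the whitened generator never produces more than 16 distinct words no matter how many you draw, which is exactly what a statistical test suite will not notice and an enumerating attacker will. Folding eight such words gives a 32-bit result with the full keyspace back, and the keyed mixer removes the correspondence between raw RNG output and the values the system uses, at the cost of the user having to supply and protect the key.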

  11. Still detectable by gr8_phk · · Score: 1

    This should still be detectable. It just requires more time. One could also reduce the time by looking at the combined output of an entire batch of chips. If they all have the same mask, they will all produce the same reduced set of random numbers. So one additional meta-test of data from a lot could show they have been compromised.

    1. Re:Still detectable by VortexCortex · · Score: 1

      Tell me, what hardware will you test the chips via?

      You are now aware that the infamous Ken Thompson Compiler / Microcode Hack was well known to the government before he pontificated on it during his ACM acceptance speech / paper.

      Acknowledgment
      I first read of the possibility of such a Trojan horse in an Air Force critique (4) of the security of an early implementation of Multics.

      Which was published in the very apt year of 1984, I might add...

      Tell me, indeed, how exactly would you select the chips that did not already have such modification for comparison? Oh it should take more time indeed, but far more than you realize. Get out your Oscilloscope and Soldering Iron, you're going to be creating a reference implementation on a bread board the size of Texas.

    2. Re:Still detectable by Anonymous Coward · · Score: 0

      This should still be detectable. It just requires more time.

      Since the output of the RNG feeds an AES cipher in feedback mode, you would just need a lot more time. AES has a 128-bit block size, so you have an average collision every 2**64 blocks of output; if the RNG is gimped to output only 32 bits of entropy with each word, you need 2**32 collisions.

      So yea, you ONLY have to collect 2**96 output words to detect the lack of entropy. Oh and you don't get the full word of output, only 32 bits of it, so add 2**96 to your complexity; you have to collect 2**192 output words.

      Got RAM?
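The "it just requires more time" argument in this thread, in code, as an added example that is not from the thread. When only n bits of real entropy sit behind the whitening stage, outputs start to repeat after about sqrt(pi/2 * 2^n) samples (the birthday bound), so the cost of detecting the Trojan by collision counting grows as 2^(n/2): a few dozen samples for n = 12, about 82,000 for n = 32, and nothing you will ever collect for the 128 bits a healthy generator should have. The trojaned generator is simulated with SHA-256 in place of the AES stage (an assumption), and the entropy is estimated by inverting the birthday bound on the observed first-collision time.

```python
import hashlib
import math
import secrets
import struct


def trojaned_word(n_bits: int, stuck: int = 0x5A5A5A5A) -> bytes:
    """Simulated post-processed 32-bit output carrying only n_bits of entropy:
    the remaining bits of the raw word are stuck at constants before a strong
    one-way mix (SHA-256 here, standing in for the AES stage)."""
    raw = (stuck & ~((1 << n_bits) - 1) & 0xFFFFFFFF) | secrets.randbits(n_bits)
    return hashlib.sha256(struct.pack(">I", raw)).digest()[:4]


def samples_until_collision(gen, budget: int):
    """Draw until an output repeats; None if the budget runs out first."""
    seen = set()
    for i in range(1, budget + 1):
        x = gen()
        if x in seen:
            return i
        seen.add(x)
    return None


def expected_samples(n_bits: int) -> float:
    """Birthday bound: mean draws to the first collision among 2**n_bits values."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


def estimate_entropy_bits(gen, trials: int, budget: int):
    """Invert the birthday bound on the mean observed first-collision time.
    Returns None when no collision appears within the budget, which only tells
    you the entropy is above roughly 2*log2(budget) bits."""
    times = []
    for _ in range(trials):
        t = samples_until_collision(gen, budget)
        if t is None:
            return None
        times.append(t)
    mean = sum(times) / len(times)
    return 2 * math.log2(mean) - math.log2(math.pi / 2)


if __name__ == "__main__":
    for n in (8, 12, 32, 128):
        print(f"n={n:3d}: expect first collision after ~{expected_samples(n):.3g} samples")
    print("estimate for n=12:", estimate_entropy_bits(lambda: trojaned_word(12), 300, 100000))
    print("estimate for n=32 within 500 samples:",
          estimate_entropy_bits(lambda: trojaned_word(32), 3, 500))
```

The estimate is only as good as the number of collisions you can afford to observe; an attacker who picks n = 32 forces an evaluator to hold on the order of 2^16 words per trial, and n = 64 pushes the per-trial cost to 2^32 stored words before the first repeat is even expected, which is the practical reason the paper can say a sufficiently large n passes evaluation.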

  12. Re:I wonder by GameboyRMH · · Score: 3, Interesting

    I wonder if they also considered that the NIST random number test suite might also be compromised by the NSA...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  13. It's a small risk by john.burton1765 · · Score: 1

    Well yeah it's worth being aware of the possibility. But frankly there are very much bigger risks to worry about first

  14. BTW... by CajunArson · · Score: 1

    Since the Ivy-bridge random number generator is supposedly "unauditable" how are these researchers able to prove anything about re-doping a black box design? Shouldn't they just look at it and spot the massive array of transistors that spells out "NSA BACKDOOR UNIT" instead of having to worry about all this subterfuge?

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:BTW... by h4rr4r · · Score: 1

      What do you mean unauditable?
      Do you mean inconvenient to audit? It might take a long time but there are methods to check how good the random number generator is.

    2. Re:BTW... by Anonymous Coward · · Score: 0

      Your sig is naïve, ignorant, and logically flawed.

      But your irrational bias is quite effectively displayed. Good job.

    3. Re:BTW... by ssam · · Score: 2

      no there aren't. The digits of pi have no pattern other than being the digits of pi, so they will pass random number tests. A good pseudo random number generator will pass randomness tests, but can be easily reproduced if you know the starting seed. Also putting a simple sequence (1,2,3,4...) through an encryption algorithm will give you an output that passes randomness tests.

    4. Re:BTW... by mattpalmer1086 · · Score: 1

      I thought we already covered this in the linux rdrand story. It's called unauditable because it whitens the raw entropy output using encryption on chip, making even quite non-random source data appear to be random. It is not called unauditable because it's a black box design. The paper states that the design is very well known.

      The attack described in this paper is to modify both the entropy source output "c" and the post-processing encryption key "K", undetectably setting a fraction of them to constant bit values. This weakens the effective random number generation to some chosen n bits of entropy, instead of 128 bits. But because the AES encryption post-processing stage does a very good job of making its output appear random, it will still pass random number tests.

      If we had access to the raw entropy source, we could see that it was not providing nearly enough entropy to the encryption post-processing stage.

    5. Re:BTW... by mixed_signal · · Score: 1

      This shouldn't be a question of auditing the quality of the number generator; the research shows you might be fooled. Whatever the actual end design is, production tests are constructed to verify the chip is manufactured to match the design. There are some posts further down discussing production test.

    6. Re:BTW... by CajunArson · · Score: 0

      No, my sig is basically saying that the Patron Saint of Global Warming's actions belie his public propaganda.

      You see, it's not that *I* don't believe in global warming, it's that Al Gore really doesn't believe in it either*.

      * Oh, he believes in it as a profit-opportunity, but despite his rhetoric he doesn't think the apocalypse is upon us.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    7. Re:BTW... by IamTheRealMike · · Score: 2

      I looked at the paper from CRI, they apparently did do testing on the raw (pre-whitening) entropy source on test chips that give direct access to it. Unfortunately the goal of that audit was to build confidence in the general design, the NSA wasn't an issue when that was done.

      What I take away from this is - the good news is, the RDRAND circuitry has an open, well documented design which is apparently robust. Thus, if we can obtain confidence that it's not backdoored by the NSA, it's a great feature to have. Note to people talking about China, etc, Intel run all their own fabs. The chance of a technique as complicated as crypto backdoors using dopant trojans being inserted into the manufacturing process inside Intel-controlled fabs is close to zero. If it's done, it's done with the knowledge and co-operation of management.

      The question is how can the world build such confidence? The standard way would be to decap some randomly chosen chips and analyze with an SEM, but I have no idea if that's feasible for something as complicated as a modern Intel core. Presumably Intel themselves can do it for debugging purposes, but whether it can be done in the absence of lots of proprietary information is unclear. Also, the output of RDRAND could presumably be patched using microcode updates, so just because the chips ship without a backdoor doesn't mean one couldn't be introduced later through a firmware/BIOS update.

    8. Re:BTW... by Anonymous Coward · · Score: 0

      Do you mean inconvenient to audit? It might take a long time but there are methods to check how good the random number generator is.

      Sure, if you can break AES (in KFB, so there is no key to discover).

      Or if you have a few million bucks, you can cut the silicon and wirebond around the AES-KFB filter stuck between the RNG and the output to see if your one (now destroyed) device was functioning correctly.

      The point of the article is that, unlike compromised metalisation, this type of modification can't be identified through non-destructive testing. Some state concerned with security could at reasonable cost audit a golden-sample CPU, then send their CPUs for X-ray imaging, check they match the golden sample and stick them back into their machines. Such a test would be ineffectual as an X-ray micrograph will not reveal the modification, as it would if a similar modification was made in the more traditional way by modifying a metal layer of the chip.

    9. Re:BTW... by mattpalmer1086 · · Score: 1

      A belief in GW is entirely compatible with having a beach front house. The problem is that it is slow moving but inexorable.

      Personally, I'm with the vast, vast majority of scientists who claim it's real and extremely dangerous. From what I've seen of the human race, we won't do anything until we get badly burned.

      I guess everyone will know for sure one way or the other in a few decades. I just hope we can live with it.

  15. It's not the NSA you should worry about... by Anonymous Coward · · Score: 0

    It's the Chinese Government. Obviously this has been happening for some time...

    1. Re:It's not the NSA you should worry about... by the_B0fh · · Score: 1

      Why? Is one necessarily better or worse than the other? Because the Bible said so? Or something else said so?

    2. Re: It's not the NSA you should worry about... by Anonymous Coward · · Score: 0

      The Chinese government has large labor camps that they regularly put dissidents in. Make enough noise about this within China and you'll find yourself a new resident

      The US government has Gitmo, which has a handful of prisoners, and loud active group openly protesting about it's existence.

      Don't be dumb and ramble on about equivalence.

    3. Re: It's not the NSA you should worry about... by the_B0fh · · Score: 1

      I'm talking about government surveillance.

      Is it better to have open, known surveillance, or secret, unknown, surveillance?

    4. Re:It's not the NSA you should worry about... by Anonymous Coward · · Score: 0

      Intel has one chip fab in China. US export laws do not allow them to make anything even reasonably modern there, so it's a 65nm fab. They have a half dozen fabs in the US with the cutting edge tech, as well as fabs in Ireland and Israel. China is not a factor.

    5. Re:It's not the NSA you should worry about... by Anonymous Coward · · Score: 0

      Anyone with access can, however...

      The NSA already do much more than this through other means, don't you know that or haven't you grasped what has happened publicly these past months? Which has been revealed to have been going on for several years.

      Why the fuck should anyone worry all that much about a hypothetical China (unless you have some actual proof) when one has the known proven facts about the USA-NSA?

      How dumb are you? Or how dumb do you assume the rest of us are? Do you know where you are? Do you think the NSA is impressed by your spittle in their ass?

      This very conversation between two AC's is known to be stored, as is the metadata (IP, ISP, time, etc.), all in the US and possibly forever. It is more than enough to pin you down even if you try to hide behind several proxies and VPNs because the NSA does network analysis. You do not have any rights because you have had contact with a suspicious foreigner —me. Doesn't matter who you are. Doesn't matter if you're "innocent" (and let's face it you're obviously not). Doesn't matter if I'm a loonie. It might matter more than you like that China is a very important trading partner of the USA-NSA.

      If anything can be used against you or anyone connected with you it will, today, tomorrow, in ten years, or against any children, friends, or relatives before or after you're dead.

  16. Proxy whistleblowing? (Re:Get Your Tinfoil Hats) by Anonymous Coward · · Score: 4, Interesting

    If I were a disgruntled member of the intelligence industrial complex and knew that this was actually being done by a government agency, and I did not relish the thought of a Russian sabbatical, couldn't I surface the news by telling researcher friends of mine how to do it?

  17. Software only by return+42 · · Score: 1

    I wonder if it's possible for an attacker to mess with microcode in such a way as to trojan things like random number generation, without having any other effects that would be more easily noticed. It doesn't seem likely.

    Of course, true RNG depends on things like timing keystrokes, mouse clicks, network packets, etc. The LSBs of such times probably aren't used for anything else, and could thus be tampered with more easily.

    It's pretty hard to get reliable crypto when your adversaries are the SIGINT arms of some of the most powerful nations in history; they're not constrained by law, ethics, or budget; and the one in your own nation can coerce cooperation and silence. Bad deal, all around.

    Edward Snowden should be canonized.

  18. Not a problem for linux by Okian+Warrior · · Score: 1

    Linux uses the Ivy Bridge random number generator in the kernel, along with other sources of randomness.

    That makes it OK, because as everyone knows, mixing the other sources with a predictable string makes the output even more random!

    Didn't Linus completely settle this issue?

    1. Re:Not a problem for linux by gweihir · · Score: 1

      Also notice that this attack does not make RdRand unusable. It still gives you some bits of entropy per output value, just a lot less than expected. However if you expect nothing or very little, the output is good even in the compromised version. And for various reasons, RdRand has a lot less entropy than 1bit/1bit anyways (theoretically as low as 1bit/512bit), so hashing it together large-scale is necessary in any case (I bet many people overlooked that little gem...).

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Not a problem for linux by camperdave · · Score: 1

      No. What this story means is that if you want to write trustworthy code, you have to make your own IC chips.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:Not a problem for linux by Anonymous Coward · · Score: 0

      The seed should have close to 1 bit/bit entropy, but you may get 512 samples out before you re-seed.

  19. Will not pass verification - Scan. by RichMan · · Score: 2, Informative

    These parts would not pass the standard verification process and would be rejected from being assembled into devices.
    Standard testing of ICs for functional faults includes a scan process. Per the design specification that the part was supposed to be built to, a number of scan vectors are passed through the devices. These scan vectors check as much of the device as possible. The goal is to check every flop and every logic path between flops. The tests are to detect manufacturing errors, and can find single faults in devices.
    Typical errors are stuck-at-1 or stuck-at-0, also shorts, and would easily expose modifications of this sort, especially of such a scale as to radically change things.

    1. Re:Will not pass verification - Scan. by return+42 · · Score: 3, Insightful

      Sigh.

      "Hello, Intel. Under the terms of this national security letter, you must change your verification software to ignore certain errors. The engineers who carry out this order must not reveal anything about this. Anyone who does will be subject to a term of incarceration not exceeding..."

      Tell me why this would not happen.

    2. Re:Will not pass verification - Scan. by ssam · · Score: 1

      So intel runs a scan to check that the random number generator gives the correct output?

      well that settles it.

    3. Re:Will not pass verification - Scan. by RichMan · · Score: 1

      1) Computer generated "random numbers" of the type this covers are fully state-to-state defined; they are not random in any way. To make them random you need to seed the initial state and then reduce the output.
      2) The automated scan check is bit by bit on the logic; it does not care that 64 bits make a random number. It looks at the logic cone input for every single bit independently and verifies the functionality. This is done to make sure all the logic works.

    4. Re:Will not pass verification - Scan. by ssam · · Score: 1

      We are talking about RdRand, which claims to produce genuine non-deterministic random numbers.

    5. Re:Will not pass verification - Scan. by RichMan · · Score: 1

      I have read - http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide

      There is no untestable magic there:
      1) entropic source
      2) digital state algorithm
      3) async sampling

      "The ES runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz. The ES needs no dedicated external power supply to run, instead using the same power supply as other core logic. The ES is designed to function properly over a wide range of operating conditions, exceeding the normal operating range of the processor."

      The digital part behind the entropic source is what the article discusses. Digital clouds are fully verifiable with scan, even async ones with proper test logic insertion which breaks loops. Fully analog entropic circuits like the thermal noise source are also verifiable.

      What makes it "random" is that it a) has an entropic source and b) runs async to the rest of the design. Both of those are testable with proper test circuits. The perturbations described in the article are commonly tested for faults. If they were not detected 5-10% of processors would not work at all.

      The article talks about it being undetectable because they are only looking at the reduced space random sequence and that is effectively still random. Scan test is able to look at the value of every logic state and how it come about (ok there is not usually 100% coverage, but large portions of the design do get 100% coverage and LFSR type logic is easily covered in scan).
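The scan argument above in miniature, as an added example that is not from the thread. It models a toy combinational cone feeding a flip-flop's D input (the net a scan chain would make observable), enumerates every single stuck-at fault on every net, and measures the fault coverage a vector set achieves. It also shows the gap in the argument that the 95 to 99 % figures quoted elsewhere in this discussion come from: redundant logic produces faults that no vector at all can detect, so a stuck bit in such logic passes scan. The netlist and the vectors are constructed for illustration.

```python
from itertools import product

# Constructed toy cone: d = ((a0^b0) | (a1^b1)) & en, plus a redundant term
# (en & ~en) that is always 0.  Gates are in topological order:
# (output_net, gate, input_nets).
NETLIST = [
    ("nen", "not", ("en",)),
    ("n1", "xor", ("a0", "b0")),
    ("n2", "xor", ("a1", "b1")),
    ("n3", "or", ("n1", "n2")),
    ("n4", "and", ("n3", "en")),
    ("n5", "and", ("en", "nen")),   # redundant: constant 0 by construction
    ("d", "or", ("n4", "n5")),
]
PRIMARY_INPUTS = ("a0", "a1", "b0", "b1", "en")
OUTPUTS = ("d",)   # the flip-flop D input, observable through the scan chain

GATES = {
    "and": lambda *x: int(all(x)),
    "or": lambda *x: int(any(x)),
    "xor": lambda *x: sum(x) % 2,
    "not": lambda x: 1 - x,
}


def simulate(netlist, vector, fault=None):
    """Evaluate the cone for one input vector.  `fault` is (net, value) for a
    single stuck-at fault on a primary input or a gate output."""
    vals = dict(vector)
    if fault and fault[0] in vals:
        vals[fault[0]] = fault[1]
    for out, gate, ins in netlist:
        v = GATES[gate](*(vals[i] for i in ins))
        if fault and out == fault[0]:
            v = fault[1]
        vals[out] = v
    return vals


def all_faults(netlist, primary_inputs):
    """Every net stuck at 0 and at 1: the single stuck-at fault model."""
    nets = list(primary_inputs) + [out for out, _, _ in netlist]
    return {(n, v) for n in nets for v in (0, 1)}


def detected_faults(netlist, primary_inputs, outputs, vector):
    """Faults this one vector exposes: the faulty circuit differs from the
    good one on at least one observed output."""
    good = simulate(netlist, vector)
    return {
        f for f in all_faults(netlist, primary_inputs)
        if any(simulate(netlist, vector, f)[o] != good[o] for o in outputs)
    }


def fault_coverage(netlist, primary_inputs, outputs, vectors):
    """Fraction of faults some vector detects, and the set no vector detects."""
    faults = all_faults(netlist, primary_inputs)
    detected = set()
    for vec in vectors:
        detected |= detected_faults(netlist, primary_inputs, outputs, vec)
    return len(detected) / len(faults), faults - detected


def exhaustive_vectors(primary_inputs):
    return [dict(zip(primary_inputs, bits))
            for bits in product((0, 1), repeat=len(primary_inputs))]


if __name__ == "__main__":
    frac, missed = fault_coverage(NETLIST, PRIMARY_INPUTS, OUTPUTS,
                                  exhaustive_vectors(PRIMARY_INPUTS))
    print(f"coverage with all 32 vectors: {frac:.1%}, undetectable: {sorted(missed)}")
    one = detected_faults(NETLIST, PRIMARY_INPUTS, OUTPUTS,
                          {"a0": 1, "a1": 0, "b0": 0, "b1": 0, "en": 1})
    print("faults detected by a single vector:", sorted(one))
```

Even exhaustive vectors leave the two faults inside the redundant term undetected, because they never change an observable output; production test programs accept that and report the remaining coverage. That is separate from the point raised further down this thread that the DRNG block is deliberately not on a scan chain at all.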

    6. Re:Will not pass verification - Scan. by Anonymous Coward · · Score: 0

      Section 3.3 of the paper discusses how the DRNG trojan can be designed to pass the BIST (which tests with a known pseudo-random seed), and quotes an Intel document that says "This BIST logic avoids the need for conventional on-chip test mechanisms (e.g., scan and JTAG) that could undermine the security of the DRNG," so there is supposed to be no external mechanism for testing this part of the chip.

    7. Re:Will not pass verification - Scan. by the+eric+conspiracy · · Score: 1

      Because national security letters can only be used to request information.

    8. Re:Will not pass verification - Scan. by Anonymous Coward · · Score: 0

      Not sure if serious.

    9. Re:Will not pass verification - Scan. by Anonymous Coward · · Score: 0

      New silicon fails scan every time. Part of the development process is to figure out which are manufacturing failures, simulation errors, design errors, or test implementation failures. Typically small failure sets are ignored, written off as simulation errors (simulation isn't perfect).

      If the chip appears to function as expected, it might be years before the trojan is discovered.

    10. Re:Will not pass verification - Scan. by Anonymous Coward · · Score: 0

      Intel states that they only use a BIST and no scan chains (scan chains are a nightmare from a physical security perspective) to test the RNG. And the Trojan is built in a way that the BIST does not detect the Trojan...

    11. Re:Will not pass verification - Scan. by the+eric+conspiracy · · Score: 1

      Here's the citation:

      USA PATRIOT Improvement and Reauthorization Act of 2005: A Legal Analysis, Congressional Research Service's report for Congress, Brian T. Yeh, Charles Doyle, December 21, 2006.

  20. I doubt it is undetectable by cold+fjord · · Score: 1

    I doubt that an altered chip would pass BIST testing.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:I doubt it is undetectable by Anonymous Coward · · Score: 0

      Not if you alter the transistor(s) for BIST result to always pass.

    2. Re:I doubt it is undetectable by cold+fjord · · Score: 1

      That wouldn't work out so well.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:I doubt it is undetectable by Anonymous Coward · · Score: 1

      Dumbass.

      BIST only tests functional blocks, it doesn't test every gate.

      How can you test the functionality of a part designed to be non-deterministic?

      The exact problem with Intel's RDRAND implementation is that the internal state is a black-box and can't be interrogated, so there is no way to verify that the input to the feedback cipher is not deterministic or constant.

    4. Re:I doubt it is undetectable by cold+fjord · · Score: 1

      So you're thinking Intel has no way to test a major functional part of their chip to know if it's good? I doubt it.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:I doubt it is undetectable by Anonymous Coward · · Score: 0

      The same Intel that had floating-point bugs in their original Pentium?
      They run a finite set of test vectors for the chips as test time for chips are expensive. If the tests were written without this in mind, it might have a hard time finding it.

      It is the same as testing for software bugs. How many are still there in a released version even though you have good QA?

    6. Re:I doubt it is undetectable by Anonymous Coward · · Score: 0

      Section 3.3 of the paper discusses how they defeat the BIST, the 32-bit checksum on the rate limiter's outputs for the pseudo-random test entropy is susceptible to collision.

    7. Re:I doubt it is undetectable by cold+fjord · · Score: 1

      Great comment, and interesting reading. Thanks.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  21. production test would catch this by mixed_signal · · Score: 1

    Digital ICs are tested in production with scan tests guaranteed to cover around 95 to 99% of possible faults.

    1. Re: production test would catch this by mixed_signal · · Score: 1

      Should have said 'tested' not treated... Using swipe on a tablet...

    2. Re:production test would catch this by gl4ss · · Score: 1

      well obviously the production test would be skipped if the manufacturer did this...

      --
      world was created 5 seconds before this post as it is.
    3. Re:production test would catch this by mixed_signal · · Score: 1

      They probably wouldn't just skip scan testing altogether. Too many bad chips would go through and the customer would see a high(er) failure rate of bad chips being received.

      The manufacturer could alter the test to match their circuit level change, though. This is easy enough to do.

      This attack will succeed if the end customer is relying on the manufacturer to verify the chip electrically and if the customer only performs an optical inspection. The end customer has to run the full electrical tests, as well. Optical measurements can verify the masks are correct and electrical (scan and otherwise) verify the design behavior. This is why there are 'trusted foundries' in the U.S. ...

      Optical verification at chip level is quite difficult, and often destructive. There would have to be a sampling scheme in place to hope to catch every die site on the reticle... (A reticle is an array of IC die that is stepped across the wafer for lithographic exposure of resist layers for patterning the material on the wafer.)

    4. Re:production test would catch this by Anonymous Coward · · Score: 0

      This is discussed in section 3.3 of the paper. This portion of the chip is supposed to not be accessible by such tests ("scan and JTAG") to avoid compromising the security of the entropy source. There is an internal BIST, but it relies on a 32-bit CRC, their attack on the rate limiter has enough flexibility (breaking some subset of 128 flip-flops) that they anticipate being able to generate a collision.
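An added example, not from the paper or this thread, of why a 32-bit BIST signature does not bind an attacker who gets to choose which flip-flops to stick. The model is a constructed one: the BIST captures the 128 flip-flop values on each of 64 cycles from a fixed seed and folds the stream through CRC-32. Forcing one flip-flop to a constant XORs a fixed mask into that stream, and CRC-32 is affine over GF(2), so each stuck flip-flop contributes a fixed 32-bit change to the signature and the changes of several stuck flip-flops XOR together. With more than 32 candidate flip-flops, the attacker therefore solves a small linear system to pick extra stuck bits that cancel the change, rather than searching 2^32 combinations. In the real DRNG the stuck bits pass through further logic before the checksum, so this exact linearity does not carry over; the point is the size of the signature against the attacker's freedom, and the paper's own method is not reproduced here.

```python
import random
import zlib

N_FF = 128     # flip-flops the BIST captures each cycle (constructed model)
CYCLES = 64    # BIST run length (constructed)


def bist_stream(rng: random.Random) -> list:
    """Stand-in for the BIST run: the 128 flip-flop values on each cycle,
    driven from a fixed seed so the run is reproducible on every chip."""
    return [rng.getrandbits(N_FF) for _ in range(CYCLES)]


def to_bytes(words: list) -> bytes:
    return b"".join(w.to_bytes(N_FF // 8, "big") for w in words)


def signature(words: list) -> int:
    """The 32-bit BIST signature: CRC-32 over the captured stream."""
    return zlib.crc32(to_bytes(words))


def apply_stuck(words: list, stuck: dict) -> list:
    """Model the Trojan: flip-flop j reads a constant stuck[j] on every cycle."""
    out = []
    for w in words:
        for j, v in stuck.items():
            w = (w | (1 << j)) if v else (w & ~(1 << j))
        out.append(w)
    return out


def delta_sig(words: list, j: int, v: int) -> int:
    """Change in the signature caused by sticking flip-flop j alone.  Because
    CRC-32 is affine over GF(2), the change for a set of stuck flip-flops is
    the XOR of these per-flip-flop deltas."""
    return signature(apply_stuck(words, {j: v})) ^ signature(words)


def solve_gf2(cols: list, target: int):
    """Find indices of a subset of the 32-bit `cols` whose XOR equals `target`
    (Gaussian elimination over GF(2)); None if target is outside their span."""
    basis = {}                                   # pivot bit -> (value, index mask)
    for i, c in enumerate(cols):
        v, combo = c, 1 << i
        for bit in range(31, -1, -1):
            if not (v >> bit) & 1:
                continue
            if bit in basis:
                bv, bc = basis[bit]
                v ^= bv
                combo ^= bc
            else:
                basis[bit] = (v, combo)
                break
    v, combo = target, 0
    for bit in range(31, -1, -1):
        if (v >> bit) & 1:
            if bit not in basis:
                return None
            bv, bc = basis[bit]
            v ^= bv
            combo ^= bc
    return [i for i in range(len(cols)) if (combo >> i) & 1]


def build_trojan(words: list, forced_ffs: list, spare_ffs: list, stuck_value: int = 0):
    """Stick every flip-flop in forced_ffs (the entropy-reducing payload), then
    choose extra flip-flops from spare_ffs so the BIST signature is unchanged."""
    target = 0
    for j in forced_ffs:
        target ^= delta_sig(words, j, stuck_value)
    cols = [delta_sig(words, j, stuck_value) for j in spare_ffs]
    extra = solve_gf2(cols, target)
    if extra is None:
        return None
    stuck = {j: stuck_value for j in forced_ffs}
    for i in extra:
        stuck[spare_ffs[i]] = stuck_value
    return stuck


if __name__ == "__main__":
    words = bist_stream(random.Random(2013))
    stuck = build_trojan(words, list(range(64)), list(range(64, N_FF)))
    print("flip-flops stuck:", len(stuck), "free bits left:", N_FF - len(stuck))
    print("BIST signature unchanged:", signature(apply_stuck(words, stuck)) == signature(words))
```

Sixty-four flip-flops are forced as the payload and the solver adds on average a few dozen more from the spare set to zero out the signature change; the stream the BIST folds is different on every cycle, yet the 32-bit result it compares against is identical. A signature that is to resist a chosen modification needs to be as long as the security margin demanded, and needs to be keyed or non-linear, neither of which a CRC gives.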

  22. On the topic of Trojens by Anonymous Coward · · Score: 0

    OT, I know... but...
    I always wondered why people use condoms named after them...?

    1. Re: On the topic of Trojens by Anonymous Coward · · Score: 0

      I always find it amusing when schools use Trojan for their sports mascot. They should name their cheerleaders the Astroglides. Or at least, the KY squad.

  23. accidental misdoping even more troubling by hormiga · · Score: 3, Interesting

    Given Hanlon's razor, an accidental, rather than malicious, error in doping would be even more likely. If the chip were inadvertently doped incorrectly, it would pass visual inspections and even software tests without awareness of the defect. How many defective dice, not merely with RNGs but also with other circuits, are already in service due to inspection failures?

    Although this paper shows how insidious a threat from a well-funded adversary might be, even more it shows the need for more comprehensive inspection mechanisms to discover misdoping which might go undetected by existing standard procedures.

    BTW, the paper includes a well written and readable introduction to the context of the problem. Good job.

    1. Re:accidental misdoping even more troubling by BoRegardless · · Score: 1

      For us uninformed, please define doping.

    2. Re:accidental misdoping even more troubling by floodo1 · · Score: 1

      hard and fast rules are always wrong.

      --
      I KUT J00 M4NG!!!
    3. Re:accidental misdoping even more troubling by CaptBubba · · Score: 1

      A misdoping would light up the equipment alarms, in-line electrical tests, end-of-line electrical tests (both on the chips themselves and special test regions in the lines between the chips). Doping is performed relatively early in the manufacturing process and Intel et al know just how big a risk a misdoping is and test for it extensively in-line. This is because if you only catch it at the end of the line you potentially have hundreds of millions of dollars worth of product to scrap because from the 20 days or so it took for the first wafers to hit test and fail you have equipment churning out 150-400+ wafers per hour of faulty product 24/7.

    4. Re:accidental misdoping even more troubling by hormiga · · Score: 3, Informative

      In semiconductor manufacturing, doping is the introduction of slight amounts of impurities into a semiconducting material, to create a condition of surplus or deficit electrons. Donors such as arsenic and phosphorus add electrons, creating n-type semiconductors, while acceptors such as boron and aluminum cause a deficit of electrons, making a p-type semiconductor. The terms surplus and deficit are relative to a state where all of the atomic orbitals are filled and the semiconductor has almost no conductivity. Thus, doping makes semiconductors into conductors.

      Doping is commonly done by exposing the wafer of semiconducting material at high temperatures to a gas containing the dopant. The dopant diffuses into the surface of the wafer. A mask covers the wafer so that the diffusion only takes place where the wafer is uncovered. Note that the mask has microscopic detail, the quantities of dopants employed are low, and the chemicals used are nasty.

      The circuit is created by the arrangement of the doped materials. For example, a p-type region adjacent to an n-type region makes a diode, while three adjacent regions in series make a bipolar transistor. The circuit is wired together using layers of metal (such as aluminum) deposited onto the surface and etched away in a pattern, done similarly to the way printed circuit boards are made.

    5. Re:accidental misdoping even more troubling by hormiga · · Score: 2

      I would agree almost all the time. An error in doping, not being selective, would likely be obvious, because it would affect the other components on the same layer.

      However, there is a small amount of boutique production which is done almost by hand, and more subject to errors. The chips are usually less complex, and given the right kind of circuit (such as the RNG from the paper) errors are more likely to slip through, especially if the circuit were to be confined, by itself, to layers not used in the interface electronics. This kind of specialty chip is sometimes used in obscure military and security devices. These are not chips you will find in mass-produced electronics.

      The term, by hand, may be misleading. In fact, custom chip making is so well automated that a foundry can spit out dissimilar batches one after another, given instructions in electronic form. I've seen students design and make small batches of their own chips using commercial services. Here's the rub: all of the testing for a boutique chip must be defined for that chip, and if the designer/customer fails to specify the design or test correctly, a bad batch might emerge.

      I've seen so many mistakes in my career, almost nothing surprises me now, although I'm sometimes amazed how long it takes to find them.

    6. Re:accidental misdoping even more troubling by Anonymous Coward · · Score: 0

      Including this one!

    7. Re:accidental misdoping even more troubling by TechyImmigrant · · Score: 1

      This is wrong in so many ways.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  24. FUDscinating... by __aaltlg1547 · · Score: 1

    Are tinfoil hats on special this week? It's not very likely to happen to anybody who isn't a very big target, because to make such a modification you have to completely understand your chip design, know how you're going to use it, and judge that compromising YOUR chip design is sufficiently valuable to reap rewards.

    If you consider a very widely used device, there's a greater likelihood of its being compromised, and it would more likely be done with the cooperation of the chip designers than otherwise, in which case it is probably visible in the regular metal masks, etc., because the only people who have access to the design are complicit. When is the last time you took equipment you bought apart, decapped the chips, imaged them with high-resolution 3D X-rays or lapped them down layer by layer to examine whether they had hidden features? Hell, most users never see their BOARDS.

    1. Re:FUDscinating... by Anonymous Coward · · Score: 0

      There are currently hundreds of thousands of processors flying around in the air right now controlling flight and navigation systems. This was only demo'd on a common CPU. This can be done to any chip or processor in a system. All it takes is for a country to secretly require that X chip gets it and wait for everyone to start using that chip. I see this more as an easy way of infiltrating the cell phone market, since people refresh those devices once every few years.

  25. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  26. We need open source RNGs by Burz · · Score: 1

    Then we can buy them from fabs that we trust, and they will have to more explicitly compete on the issue of trust.

    There is also some possibility that buyers could inspect the manufacturing processes.

    Anomalies in other computational functions are less of a concern, IMHO, because any environment with a mix of CPUs and chipsets should reveal tainted chips at least occasionally. Random number generation is an exception here.

    1. Re:We need open source RNGs by Anonymous Coward · · Score: 0

      If you want a cheaply trustable RNG, you don't want one from a fab, because you don't want a complex IC device. You simply need to amplify the output of a resistor to saturation, then bias it so its probability for a positive output is close to 0.5 and it has a fairly flat spectrum, plug it into your soundcard and feed the output into a cipher for conditioning.

      You can make it even simpler, take a microphone, jam it inside your case, and do something like:

      arecord | openssl aes-256-cbc -k myrandomkey

      But not exactly that, because that prepends 'Salted_' and a salt, so you need to look up how to get it to remove this wrapping.

      Random generation is not hard. You can flip coins, get a couple of 16 sided dice, disembowel chickens over a number board. Even if you fuck it up a bit, using a strong cipher to filter your randomness will absolve your sins.
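The comment above leaves out the one piece of bookkeeping that matters when you "filter your randomness" through a strong cipher: the conditioner compresses entropy, it never creates it, so you have to harvest enough raw material per key. The following is an added example, not code from the poster or from any product on this page; it simulates the biased raw source with a seeded PRNG so it runs offline (a real harvester would read sound-card samples instead), measures the bias, budgets raw bits by min-entropy, and uses SHA-256 as the conditioner in place of the `openssl aes-256-cbc` pipe. The bias value, the helper names and the 256-bit target are all assumptions for the illustration; the refusal on a stuck source is the check you want against exactly the failure mode the article describes.

```python
import hashlib
import math
import random

# Added example (not from the post above): conditioning a raw, biased physical
# source the way the post suggests ("feed the output into a cipher"), with the
# bookkeeping the post skips: how much raw material you must harvest per key.
# The raw source is SIMULATED here with a seeded PRNG so the example runs
# offline; a real harvester would read sound-card samples instead.

P_ONE = 0.6  # constructed bias: each raw bit is 1 with probability 0.6


def raw_source(nbits: int, p_one: float = P_ONE, seed: int = 1) -> list:
    """Simulated biased raw bits (stand-in for comparator output of amplified noise)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(nbits)]


def estimate_p_one(bits: list) -> float:
    """Empirical bias of the raw stream; sample enough bits before trusting it."""
    return sum(bits) / len(bits)


def min_entropy_per_bit(p_one: float) -> float:
    """Min-entropy H_inf = -log2(max(p, 1 - p)) per raw bit. This, not Shannon
    entropy, is the figure to budget against for key material."""
    return -math.log2(max(p_one, 1.0 - p_one))


def raw_bits_needed(target_bits: int, p_one: float) -> int:
    """Raw bits to harvest so their total min-entropy reaches target_bits.
    A stuck source (p = 0 or 1) has zero min-entropy: refuse rather than divide."""
    h = min_entropy_per_bit(p_one)
    if h <= 0.0:
        raise ValueError("raw source is stuck at a constant; refusing to produce output")
    return math.ceil(target_bits / h)


def pack_bits(bits: list) -> bytes:
    """Pack bits MSB-first into bytes; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def condition(raw: bytes) -> bytes:
    """Conditioner: SHA-256 plays the role of the 'strong cipher' in the post.
    It compresses entropy, never creates it, so the output is worth
    min(256, min-entropy of raw) bits."""
    return hashlib.sha256(raw).digest()


def harvest_key(target_bits: int = 256, p_one: float = P_ONE, seed: int = 1) -> bytes:
    """Harvest enough raw bits for target_bits of min-entropy and condition them."""
    need = raw_bits_needed(target_bits, p_one)
    need += (-need) % 8  # round up to whole bytes so pack_bits keeps everything
    return condition(pack_bits(raw_source(need, p_one, seed)))


if __name__ == "__main__":
    sample = raw_source(100_000)
    p = estimate_p_one(sample)
    print(f"estimated bias {p:.3f}, min-entropy/bit {min_entropy_per_bit(p):.3f}")
    print(f"raw bits per 256-bit key: {raw_bits_needed(256, p)}")
    print(harvest_key().hex())
```

With a 0.6 bias each raw bit carries about 0.74 bits of min-entropy, so a 256-bit key costs 348 raw bits rather than 256; a source that drifts toward 0.9 costs over 1,600. The `openssl ... -k` form in the comment derives its key from a password and writes the `Salted__` header; if you use `openssl enc` for this, pass the key and IV directly with `-K` and `-iv` (hex) and no header is written.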

  27. seems random by nten · · Score: 2

    The NIST 800-22 test has bit length parameters. The article doesn't indicate if it passed the 128 bit NIST test after they reduced the entropy to 32 bits, only that it passed *some* NIST test. From another poster it seems the standard NIST parameters used for the NIST test may not be sufficient to test that the prng exhibits the level of entropy that people are relying on it to exhibit. The lavarnd folks pass a billion bit NIST test, so it is possible to run longer versions of the test. If the reduced entropy source is still passing a higher entropy test, we have a problem with our testing method.

    Your other (very valid) point is that just because data is random, doesn't mean you are secure. The data stream has to be both random and unknown to your attacker, which PI would not be. In this case they do not have a way to set the seed, or all inputs to the prng, only to limit the prng's bit length, so the attacker will not know the random sequence or even its statistics. It simply makes a brute force attack much less time consuming.

    It still concerns me that a 32 bit prng might have passed a 128 bit 800-22 test. Does anyone know more about that aspect of it?

    --
    refactor the law, its bloated, confusing and unmaintainable.
    1. Re:seems random by thoromyr · · Score: 1

      It would have to be based on a statistical analysis which means it isn't a proof, it is demonstrated to a confidence level. How confident do you need to be?

      Secondly, to properly evaluate to greater number of bits of entropy is going to require a larger sampling and I expect this increases exponentially. How much time do you have to reach your confidence?

      The testing would be balancing those two questions, but in no case could an absolute answer be found.

      But, from the horse's mouth:

      The subject of statistical testing and its relation to cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this paper.

      Random Number Generation

      In other words, NIST says their recommended tests are statistics based and insufficient.

  28. Re:I wonder by Beardo+the+Bearded · · Score: 4, Funny

    Sure, it's obscure, except all our chips are being made in a country that is actively in an electroni

    THE PEOPLE'S GLORIOUS REPUBLIC DENIES THESE CLAIMS.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  29. Re:I wonder by trigeek · · Score: 1

    I've considered this as well (I will be using the NIST random number test suite in the near future). However, what can they accomplish with this? I see two approaches they could have taken: 1. Flag a non-random generator as "random". However, just because I use the NIST test suite does not mean that I don't use any other test suites, that would presumably catch this. This seems high-risk from the NSA's point of view - just one publicly available test that proves NIST is gamed shows their hand. 2. Flag something that is random as "non-random". This gets truly random generators disqualified. However, if my TRNG was disqualified, I would look into why, and that would likely reveal the NSA's hand as well. Are there scenarios that I am missing?

    --
    Sometimes I doubt your commitment to SparkleMotion!
  30. CRC32 To the Rescue!! by Anonymous Coward · · Score: 0

    Who had the bright idea to protect this with CRC 32 - for those who didn't RFA the BIST (built-in self test) verifies the output by checking a CRC 32 result for a predefined input. This allows them a feasible attack of 2^31 in order to find appropriate constants to set. Considering they've got the AES hardware right there - they should have used AES and compared to 256 bits of output. Attacking hardware should not be this easy.

    1. Re:CRC32 To the Rescue!! by TechyImmigrant · · Score: 1

      It is not a defense against an attacker. It is a defense against manufacturing defects.

      It is not news that if you re-wire a circuit, it changes.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  31. Limited scope by gweihir · · Score: 2

    This can only be used for attacks on things that can be compromised in a way such that they do not need to perform their original function perfectly anymore. A CPRNG is an ideal target, as it does not need to produce good _and_ bad numbers after the attack; it is sufficient if it produces bad numbers that look good. The AES whitener in the CPRNGs this was demonstrated on makes this very easy, and while it looks convenient, it may have been inserted in there exactly to make compromised versions of this CPRNG hard to detect. On the other hand, if you attacked, say, a hash function or a block cipher in this way, it would start producing wrong outputs, potentially for a large number of cases, and not only would it fail at its original function, this would also be pretty obvious.

    Still, this is a significant attack and underlines why a single source of entropy should never be fully trusted and that CPRNGs should always be open software and use multiple entropy sources that get mixed.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  32. Re:I wonder by daem0n1x · · Score: 3, Insightful

    Sabotage would be to make something stop working. The mentioned chips will work just fine, but their RNGs will be predictable. Only the ones who caused it know and will take advantage of it. Looks like a trojan to me.

  33. Re:I wonder by Anonymous Coward · · Score: 0

    Yes, you are missing a big piece. Given a suitably secure block cipher, its output should not be distinguishable from random data. In fact the Intel RDRAND instruction uses AES to distill the entropy sources. An AES-encrypted block stream encrypting a simple counter would pass most random number test suites.

  34. Re:I wonder by trigeek · · Score: 1

    Yes, I know this. However, this would not require them to compromise the NIST random number test suite; no reasonable test suite would be able to detect this sort of scenario anyway.
    So, back to the original question: Is the NIST Random number test suite compromised? What could they gain by doing this?

    --
    Sometimes I doubt your commitment to SparkleMotion!
  35. Re:I wonder by sexconker · · Score: 1

    Sabotage would be to make something stop working. The mentioned chips will work just fine, but their RNGs will be predictable. Only the ones who caused it know and will take advantage of it. Looks like a trojan to me.

    If the RNGs aren't producing numbers as "random" as claimed, then it's not working. It's sabotage.

    A trojan horse requires stuffing something malevolent into something you want so you're enticed to bring it in the gates.

  36. Re:I wonder by daem0n1x · · Score: 1

    If the RNGs aren't producing numbers as "random" as claimed, then it's not working. It's sabotage.

    No, it's not. Saboteurs break machines and bring them to a halt. Check the etymology.

  37. Re:I wonder by Anonymous Coward · · Score: 0

    Intel's fabs aren't mostly in China. Indeed, most semiconductor fabrication happens in Taiwan (distinctly not the People's Republic) or the US. Wikipedia has a list. It's easy to think that everything is made in China, but to be honest, a lot of companies with expensive IP (read: semiconductor firms) avoid the country because of rampant knock-offs and corporate espionage.

  38. Re:I wonder by sexconker · · Score: 2

    If the RNGs aren't producing numbers as "random" as claimed, then it's not working. It's sabotage.

    No, it's not. Saboteurs break machines and bring them to a halt. Check the etymology.

    Actually, you should check the etymology. There's no evidence for the old story about people throwing their shoes into the machines.
    Even if it was, there's no requirement for there to be a stoppage of production, there's just the requirement of the actors maliciously disrupting the process.
    An RNG that doesn't output "random" numbers to spec is BROKEN. Anyone intentionally causing that is engaging in SABOTAGE.

  39. Re:I wonder by Anonymous Coward · · Score: 1

    This is the most stupid semantics argument I've ever read.

  40. Would DFT / scan catch this? by Anonymous Coward · · Score: 0

    I come from a hardware verification background, but I'm not a Design For Test (DFT) expert.

    That said, I would have thought this would get caught by the test patterns that exercise the scan chains built into the device. If a given flop is fixed to a certain value (a "stuck-at" fault), then I would imagine that shows up as a fabrication failure.

    As far as I know, every device gets checked before and after they are cut from the silicon wafer, so this seems like a technically very interesting attack, but one that ought to get caught by the fabrication process.

    I haven't read TFA, so maybe this is covered in there?

    1. Re:Would DFT / scan catch this? by EmagGeek · · Score: 1

      I doubt they have diagnostic coverage of every single flop in the entire processor.

    2. Re:Would DFT / scan catch this? by Anonymous Coward · · Score: 0

      Yeah, section 3.3 in the paper. There is a BIST that tests components they break, but they discuss how to defeat it (32-bit CRC collision).
      It is argued (by Intel) that "This BIST logic avoids the need for conventional on-chip test mechanisms (e.g., scan and JTAG) that could undermine the security of the DRNG.", so this part of the chip is supposed to be invisible to those tests.

  41. Re:I wonder by Penguinisto · · Score: 3, Informative

    Well, there goes the mod I plopped in, but...

    1) Intel's high-end chip fabs are in Oregon, Arizona, California... not exactly close to Beijing. (They're still building some rather massive additions to their Ronler Acres fab up here in Oregon).

    2) ARM chips, on the other hand (e.g. tablets and smartphone bits)? In that case I hereby petition Slashdot to introduce the "scary as fuck" mod.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  42. Re:I wonder by Alef · · Score: 1

    If the RNGs aren't producing numbers as "random" as claimed, then it's not working.

    Unless you have access to the AES key in the RNG chip, the numbers are effectively random. Even if an attacker knows that the numbers only jump around in, for example, a 32-bit subspace of the N-bit key space, they don't know which subspace, unless they break AES. On the other hand, if you do have the key, as you probably would if you are the one who tampered with the chip, then you're in a whole new position.

    I guess that's the "nice" thing about the attack -- only the one who planted it can exploit it. Useful if you for instance want to spy on your countrymen, without at the same time exposing them to a foreign adversary.
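The two points made in #27 (a reduced-entropy generator still passes statistical tests) and just above in #42 (only the party who knows the forced constant can exploit it) can be shown in one toy model. This is an added example, constructed for this page; it is neither the paper's code nor Intel's design. HMAC-SHA256 stands in for AES as the pseudo-random function so only the Python standard library is needed, the Trojan is modelled by fixing the conditioning key to a constant plus an n-bit unknown seed, and n is 16 rather than the 32 discussed in the thread so the brute force finishes in under a second (at n = 32 the same loop is about four billion PRF calls, which is exactly the "much less time consuming" attack #27 describes). The monobit frequency test is implemented from SP 800-22; the constant, the seed and the helper names are assumptions.

```python
import hashlib
import hmac
import math
import struct

# Added example (constructed; not the paper's code or Intel's design): a toy of the
# Trojaned DRNG. The real part conditions with AES; HMAC-SHA256 stands in here as
# the pseudo-random function so the example needs only the standard library.
# ENTROPY_BITS plays the role of the paper's n (the thread discusses n = 32;
# 16 keeps the brute force below a second).
ENTROPY_BITS = 16


def prf(key: bytes, counter: int) -> bytes:
    """One block of keyed output, the stand-in for one AES-CTR block."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()


def trojaned_key(trojan_const: bytes, seed: int) -> bytes:
    """Conditioning key after the Trojan: everything except `seed` (n bits) is
    forced to a constant that only the Trojan's planter knows."""
    return hashlib.sha256(trojan_const + struct.pack(">I", seed)).digest()


def drbg_output(key: bytes, nblocks: int) -> bytes:
    """Generate nblocks * 32 bytes of 'random' output."""
    return b"".join(prf(key, i) for i in range(nblocks))


def monobit_p_value(data: bytes) -> float:
    """SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(2 n)) where S_n
    sums the bits mapped to +1/-1. NIST treats p >= 0.01 as a pass."""
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


def brute_force_seed(trojan_const: bytes, first_block: bytes, n_bits: int = ENTROPY_BITS) -> int:
    """Knowing trojan_const, recover the n-bit seed from one observed output block
    in at most 2**n_bits PRF evaluations. Without trojan_const the key space is
    the full 256 bits and this loop finds nothing."""
    for guess in range(1 << n_bits):
        if prf(trojaned_key(trojan_const, guess), 0) == first_block:
            return guess
    return -1


def demo(seed: int = 0xBEEF) -> dict:
    """Generate 32 KiB from a Trojaned instance, score it, then break it."""
    const = b"constructed constant fixed by the Trojan"
    out = drbg_output(trojaned_key(const, seed), 1024)
    return {
        "monobit_p": monobit_p_value(out),
        "recovered_seed": brute_force_seed(const, out[:32]),
    }


if __name__ == "__main__":
    r = demo()
    print(f"monobit p-value {r['monobit_p']:.3f} (>= 0.01 passes)")
    print(f"recovered seed 0x{r['recovered_seed']:04x} after at most 2^{ENTROPY_BITS} tries")
```

The statistical test sees a PRF output stream and has no way to learn how small the seed behind it is; the planter, who knows the constant, recovers the full internal state from a single 32-byte output, after which every later block is predictable. Anyone else faces a 256-bit key and the loop returns -1, which is the asymmetry #42 calls the "nice" property of the attack.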

  43. Back to the stone age by fustakrakich · · Score: 1

    Without the ability to verify anything, all trust is destroyed. Only the mystics will prevail.

    --
    “He’s not deformed, he’s just drunk!”
  44. Does that mean chinese made crap has soldiers by ralphaostrander · · Score: 1

    doomed?

  45. The authors didn't do what the paper implies. by TechyImmigrant · · Score: 1

    I don't believe the authors attacked the Ivy Bridge RNG in the way described. They described a way, they didn't do it.

    Why?
    1) They show a plot of a DFFR_X1. This is a normal D-type flip-flop you would find in Synopsys libraries and many other libraries you would use in an SoC process. These are not the flops used in the Ivy Bridge DRNG. Also, the plot was from a layout program, not a micrograph.

    2) The proposed attack required an average of 2.1 billion attacks (fixing k and v until you hit the right CRC). I don't think we sold 2 billion Ivy Bridges to these guys. The alternative they propose is to try it in simulation first. Running 2 billion simulations of full BIST would take a while and they don't have the code. If they had the RTL code they would be proposing other attacks.

    3) They don't identify the site of the attack on the chip. They don't know where the site is.

    4) They don't show RdRand output of a compromised chip. This would be trivial.

    The main message of the article is sound. There are physical attacks that are hard to see optically. But the attack they describe against Ivy Bridge is hypothetical, based on the information in the CRI audit paper here: http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
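The CRC-32 argument raised in #30, confirmed from section 3.3 of the paper in the reply to #40, and revisited in point 2 of #45 above is easy to make concrete. The following is an added example, constructed for this page and not the paper's attack code or Intel's BIST: the self-test feeds a fixed input to the generator logic and compares a CRC of the response with a stored golden value; a Trojan that sticks the internal state to constants (k, v) changes the response, but the attacker may keep choosing (k, v) until the CRC collides. The generator logic is modelled with SHA-256, the BIST vector and the genuine state are made-up constants, and `CRC_BITS` is a knob that truncates the CRC so the 2^bits cost can be watched at a width that runs in seconds.

```python
import hashlib
import zlib
from typing import Optional, Tuple

# Added example (constructed; not the paper's attack code or Intel's BIST): the
# CRC-32 collision argument from the thread as a runnable toy. The self-test feeds
# a fixed input to the DRNG logic and compares a CRC of the result with a stored
# golden value. A Trojan that sticks the internal state to constants (k, v)
# changes that result, but the attacker is free to choose (k, v) until the CRC
# collides. The DRNG logic is modelled with SHA-256; the `bits` argument lets the
# search run at reduced width so the 2**bits scaling can be watched.

BIST_INPUT = b"fixed self-test vector (constructed)"
GENUINE_K = 0x2B7E151628AED2A6ABF7158809CF4F3C  # state of the unmodified part (constructed)
GENUINE_V = 0x000102030405060708090A0B0C0D0E0F


def drng_response(k: int, v: int, test_input: bytes) -> bytes:
    """Stand-in for the DRNG logic run on the BIST input with internal state (k, v)."""
    return hashlib.sha256(k.to_bytes(16, "big") + v.to_bytes(16, "big") + test_input).digest()


def crc_tag(data: bytes, bits: int) -> int:
    """CRC-32 truncated to `bits` bits (bits = 32 is the real check)."""
    return zlib.crc32(data) & ((1 << bits) - 1)


def golden_tag(bits: int = 32) -> int:
    """What the factory stores: the CRC of the genuine response."""
    return crc_tag(drng_response(GENUINE_K, GENUINE_V, BIST_INPUT), bits)


def bist_passes(k: int, v: int, bits: int = 32) -> bool:
    """The self-test as seen by a part whose state is stuck at (k, v)."""
    return crc_tag(drng_response(k, v, BIST_INPUT), bits) == golden_tag(bits)


def expected_tries(bits: int) -> int:
    """Expected number of (k, v) candidates before a chance collision on a
    `bits`-bit tag: about 2**bits. Comparing 256 bits of the AES output instead,
    as #30 suggests, would push this to 2**256."""
    return 1 << bits


def find_stuck_constants(bits: int, max_tries: Optional[int] = None) -> Optional[Tuple[int, int, int]]:
    """Search attacker-chosen (k, v) pairs until the truncated CRC collides with
    the golden tag. Candidates are derived from a counter so the genuine state,
    which lies outside this pattern, is never 'found' by accident.
    Returns (k, v, tries) or None if max_tries is exhausted."""
    target = golden_tag(bits)
    if max_tries is None:
        max_tries = expected_tries(bits) * 16
    for c in range(1, max_tries + 1):
        k, v = c, c ^ 0xA5A5A5A5
        if crc_tag(drng_response(k, v, BIST_INPUT), bits) == target:
            return (k, v, c)
    return None


if __name__ == "__main__":
    found = find_stuck_constants(16)
    print("16-bit tag collision after", found[2], "tries; expected ~", expected_tries(16))
    print("full 32-bit tag would need ~", expected_tries(32), "tries")
```

At 16 bits the search needs a few tens of thousands of evaluations; at the real 32 bits it is a few billion, which is the figure #45 quotes and is why the paper proposes doing the search in simulation rather than on parts. The same code shows the fix: the check is a self-test for manufacturing faults, not an authentication of the output, and its strength is exactly the width of the tag being compared.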
  46. In Soviet Russia by Roachie · · Score: 1

    Trojan dopes YOU!!!

    --
    This sig is not paradoxical or ironic.
  47. Time for USB hardware random number generators? by cecst · · Score: 1

    Some physical processes are random, and hardware random number generators based on them can be constructed. Does this report create a larger market opportunity for manufacturers of this type of device? And competing devices of this type can be compared, assayed, validated, and combined, all apart from and much more cheaply than CPUs.

  48. Re:I wonder by AC-x · · Score: 1

    No, it's not. Saboteurs break machines and bring them to a halt. Check the etymology.

    How about using the modern definition instead? Sabotage: "the act of destroying or damaging something deliberately so that it does not work correctly"

    I mean, the NSA sabotaged an encryption standard, so it seems like this would be similarly sabotaging a batch of CPUs.

  49. Sabotage of security by phorm · · Score: 1

    Sounds to me like they're sabotaging the security by breaking the underlying mechanism (with a trojan).

    Similar to if you were to cut sensors for somebody's alarm without tripping any sensors or backups, etc.

  50. I guess you will need an FPGA by CBravo · · Score: 1

    to create a verifiable fast RNG. There may be other parts of the kernel that can be optimized with some HW acceleration.

    --
    nosig today
  51. Re:I wonder by fractoid · · Score: 1

    If that cool horse the Greeks gave you destroys your town instead of just sitting there looking pretty then it's not working, it's sabotage. Definitely not a Trojan horse.

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  52. Re:I wonder by Anonymous Coward · · Score: 0

    This might be the death-knell of PRNGs (note: PseudoRNGs only) for serious uses and the rise of real entropy sources. That would probably be for the better if it happens. More likely nothing does.

    Because what exactly are "we" going to do if you use it on all chips? If you do it by design? If you "automate" it to use different subspaces through whatever index you choose? Will "we" buy more new devices than otherwise? And those would not be similarly weakened because...? Governments decide which chips are legal (FCC compliance if nothing else in the US); they choose what we can choose.

    99.99% wouldn't even do anything because 99.99% are not doing anything right now against other known issues. Maybe that will change, maybe it won't. As long as it remains the case the benefits are enormous.

    There's an additional bonus: you can weaken it only so much so that only a very powerful "adversary" (yourself) can take advantage even if the flaw becomes known. Or only so much that only the most powerful "adversary" (yourself) will be able to break the results using X time with future Y capability. This means it can be even more subtle and thus even harder to discover/prove.

    In fixed units supercomputers improve faster than other computers, thus this "subtlety gap" becomes harder to detect at increasing relative speed. I'll repeat myself: this might be the death-knell of PRNGs (note: PseudoRNGs only) and the rise of real entropy sources (that would be good).

    I.e. this or anything which amounts to the same can be tailored quite nicely to subvert a vast amount of "computers" into low-hanging fruit, and scale is the name of the game with the approaches the NSA is now known to utilize.

  53. C64 users vulnerable? by Anonymous Coward · · Score: 0

    What can they do against a C64 user?

    Can using older tech mitigate these attacks?

  54. Re:I wonder by Optali · · Score: 1

    But we are not talking about history here but about computer engineering and in our world a trojan is not something meant to destroy anything but a means of easing access to a system so that a malevolent user can take control of it without the knowledge of the legitimate user. The etymology is irrelevant and only anecdotal in this case.

    The mentioned artefact is called a "hardware trojan" by analogy to a software trojan and not because it has anything to do with wooden horses or warriors of the Bronze Age.

    --
    -- 29A the number of the Beast
  55. How to detect the dopant change trojan by Anonymous Coward · · Score: 0

    If you know where + or - doped regions *should* be on the substrate, you can build test diodes by pointing two needles on the substrate. One of the needles has a tip made of a semiconductor doped the opposite way as expected from the substrate. The other needle has no special properties (besides having a really small tip like the other).
    The doped needle and the substrate would form a diode only if the substrate is doped the right way. A test current would therefore be able to pass only one way. If it passes both ways, the tested region is not properly doped.
    For added security, also check for expected resistance of the ad-hoc diode.

      This test could be automated using a 3-axis CNC router of the needed positioning accuracy (something chip designers most likely could afford).
      Most chips are designed in a way that their doped areas are aligned in a very non-random pattern (like the examples in the paper). Therefore it may even be possible to test a lot of chips you do not have the source code for...