[Owasp-cape-town] Analogue IC chip backdoor proof of concept

Liam Smit liam.smit at gmail.com
Fri Jun 10 16:46:01 UTC 2016


Hi
Dealing with this problem is what I call a bad day in the (security) office:
This ‘Demonically Clever’ Backdoor Hides In a Tiny Slice of a Computer Chip
https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-chip

<snip>

Here’s how that analog hack works: After the chip is fully designed and
ready to be fabricated, a saboteur adds a single component to its “mask,”
the blueprint that governs its layout. That single component or “cell”—of
which there are hundreds of millions or even billions on a modern chip—is
made out of the same basic building blocks as the rest of the processor:
wires and transistors that act as the on-or-off switches that govern the
chip’s logical functions. But this cell is secretly designed to act as a
capacitor, a component that temporarily stores electric charge.

Every time a malicious program—say, a script on a website you visit—runs a
certain, obscure command, that capacitor cell “steals” a tiny amount of
electric charge and stores it in the cell’s wires without otherwise
affecting the chip’s functions. With every repetition of that command, the
capacitor gains a little more charge. Only after the “trigger” command is
sent many thousands of times does that charge hit a threshold where the
cell switches on a logical function in the processor to give a malicious
program the full operating system access it wasn’t intended to have. “It
takes an attacker doing these strange, infrequent events in high frequency
for a duration of time,” says Austin. “And then finally the system shifts
into a privileged state that lets the attacker do whatever they want.”

That capacitor-based trigger design means it’s nearly impossible for anyone
testing the chip’s security to stumble on the long, obscure series of
commands to “open” the backdoor. And over time, the capacitor also leaks
out its charge again, closing the backdoor so that it’s even harder for any
auditor to find the vulnerability.

<snip>


Regards,

Liam
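The trigger dynamics quoted above can be modelled in a few lines. The Python below is an added illustration, not code from the original post, the Wired article, or the research it reports on; the charge per event, leak rate and threshold are arbitrary assumed values, and the linear leak is a simplification of real capacitor behaviour. It shows the three properties the article relies on: charge only accumulates when the rare instruction executes densely enough to outrun the leak, sparse or occasional execution never gets near the threshold (so a tester who merely hits the instruction now and then sees nothing), and once the burst stops the charge drains and the backdoor closes again.

```python
"""Behavioural model of a charge-accumulating (capacitor-style) hardware trigger.

Added illustration for the mechanism described in the quoted article; this is not
code from the original post, the Wired article, or the research it reports on.
Every constant below is an assumed, made-up value chosen to make the dynamics visible.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AnalogTrigger:
    # Assumed model parameters (arbitrary units), not figures from any paper.
    charge_per_event: float = 1.0    # charge added each time the rare trigger instruction runs
    leak_per_cycle: float = 0.25     # charge lost every clock cycle (simplified linear leak)
    threshold: float = 1000.0        # charge at which the cell asserts the "privileged" output
    charge: float = 0.0

    def cycle(self, trigger_event: bool) -> bool:
        """Advance one clock cycle and return whether the backdoor output is asserted."""
        # The capacitor leaks whatever the software does...
        self.charge = max(0.0, self.charge - self.leak_per_cycle)
        # ...and gains a little charge only on cycles that execute the trigger instruction.
        if trigger_event:
            self.charge += self.charge_per_event
        return self.charge >= self.threshold


Pattern = Callable[[int], bool]  # cycle index -> did the trigger instruction execute?


def every(period: int) -> Pattern:
    """Pattern that executes the trigger instruction once every `period` cycles."""
    return lambda i: i % period == 0


def cycles_to_open(trigger: AnalogTrigger, pattern: Pattern, max_cycles: int) -> Optional[int]:
    """Number of cycles until the output first asserts, or None if it never does."""
    for i in range(max_cycles):
        if trigger.cycle(pattern(i)):
            return i + 1
    return None


def drive(trigger: AnalogTrigger, pattern: Pattern, cycles: int) -> bool:
    """Run `cycles` cycles of `pattern` and return the output state at the end."""
    asserted = False
    for i in range(cycles):
        asserted = trigger.cycle(pattern(i))
    return asserted


def idle_cycles_until_closed(trigger: AnalogTrigger, max_cycles: int) -> Optional[int]:
    """Stop triggering; count cycles until the leaked charge drops below threshold."""
    for i in range(max_cycles):
        if not trigger.cycle(False):
            return i + 1
    return None


def critical_period(trigger: AnalogTrigger) -> float:
    """Trigger events must recur more often than this (in cycles) for charge to build
    up at all: one event's charge is exactly cancelled by this many cycles of leakage."""
    return trigger.charge_per_event / trigger.leak_per_cycle


if __name__ == "__main__":
    # Dense burst: the attacker's path. Opens after ~1.3k back-to-back executions.
    print("burst opens after", cycles_to_open(AnalogTrigger(), every(1), 10_000), "cycles")
    # Just above the critical density still opens, but far more slowly.
    print("every 3rd cycle opens after", cycles_to_open(AnalogTrigger(), every(3), 50_000), "cycles")
    # At or below the critical density (one event per 4 cycles here) it never opens,
    # which is why a tester who merely hits the instruction now and then sees nothing.
    print("critical period:", critical_period(AnalogTrigger()), "cycles")
    print("every 4th cycle opens after", cycles_to_open(AnalogTrigger(), every(4), 100_000))
    # Once the attacker stops, the charge leaks out and the backdoor closes again.
    t = AnalogTrigger()
    drive(t, every(1), 2000)
    print("charge after 2000-cycle burst:", t.charge, "-> closes after",
          idle_cycles_until_closed(t, 10_000), "idle cycles")
```

The critical_period value is the practical caveat for anyone trying to test for this class of backdoor: coverage-style testing that executes the trigger instruction once in a while is below the density the cell needs and will never see the privileged state, while the state also disappears on its own shortly after the dense sequence stops.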