I did a lot of work for the UK Ministry of Defence and the US Department of Defense over the years on custom silicon and FPGA work and the paranoia factor is scary. We had the layouts of everything bought in - even 74-series logic which can pretty much be assumed to be inert. Samples were regularly decapped and scanned using an SEM to verify that the vendors weren't screwing us or integrating backdoors.
Every part was asset managed to hell as well. Every part was traceable to the point that every finger that poked it was known (I moved from engineering to writing the asset management systems before leaving).
Crazy.
The chain is only as strong as its weakest link.
A manufacturer outsourcing stuff has a hell of a lot of documentation to forge. Each screw, each washer, each resistor, has a batch number that it can be traced to.
Bottom line is to make any sort of computer at a remotely competitive price, you're probably going to use some Asian parts. At least some parts. Then it's a matter of where you draw the line and the price vs. risk. How about a Chinese power supply? It all depends on where and how the device is being used. Then it also depends on the system not "promoting" that device to another purpose.
You can manage it all and make it from only 100% trusted sources, but you know what? It's insanely expensive and by the time you get a computer, there are ones on the market 6x better.
http://www.reuters.com/article/2012/05/21/us-usa-treasuries-...
There's a relationship here.
This isn't particularly surprising - several large "real money" investors (pensions and the like) have had this sort of relationship with the Treasury. It enabled them to directly place bids on Treasury issuance without going through Primary broker-dealers (Wall Street). They were called "Directs" and would bid through the "TreasuryDirect" system.
Basically enabled the largest investors in USG securities to bypass the "commissions" other investors would pay to Wall Street firms.
I'm guessing that for some reason foreign accounts such as governments and sovereign funds had not been given access to this system, and after a point, the Chinese government investment funds (which are some of the largest in the world both in terms of funds managed and funds committed to the US) laid bare the inconsistency that they'd been disallowed this, simply on the grounds of being foreign.
Otherwise unremarkable.
This is especially important now as China has widened the Yuan trading band. You wouldn't want excessive FX volatility to manifest itself as a result of your foreign-reserve management decisions being (mis)-interpreted by investment banks.
Does Wall St. check for backdoors in hardware?
http://en.wikipedia.org/wiki/List_of_semiconductor_fabricati...
Where else are they going to get the chips in the quantities required since the US outsourced most of its commercial silicon foundries? Of the few remaining in the US, the largest is wholly owned by the Taiwanese company TSMC. Post-industrial economics is idiotic, and this is one of the major examples of why.
We (government contractor) pay a bunch extra to buy tools made in the US - even if they aren't normally manufactured here - just to satisfy the buy US provisions.
Typically what happens is that a subcontractor says it is US made, and then outsources to a foreign country and pockets the difference. Obviously there is money to be made there.
However, that is defrauding the government and those subcontractors can/will/do go to federal prison.
You say that like the US Military (among other US and non-US government victims) doesn't have the ability to dictate sourcing of parts to the point of driving the growth of domestic foundries.
This looks more like poor decision making, not a fact of "post-industrial economics".
Have a look at this video from ChipWorks http://www.youtube.com/watch?v=Il5sTZKBLO0
See the schematics? They've created those from scratch by deconstructing the chip. (I can say with certainty that this is the case because I'm familiar with the original schematics for this part. The ChipWorks ones are much neater!)
Doing this for a larger, all-digital chip is substantially the same. In that case you can probably step up from identifying individual transistors and identify the standard cells directly, since they tend to have distinctive-looking gate structures.
I'm less curious about whether overseas silicon is backdoored than I am in how exposed the attack/activation surface for those backdoors is.
"Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip" - er, what? So either they have some approach for turning silicon into a machine readable form, in which case "code breaking" makes no sense, or they're attacking the chip via its interfaces. Why mention both? Because "advanced code breaking" sounds cool.
"In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems" - advanced Stuxnet weapon? This is blatant namedropping, Stuxnet is irrelevant here being a piece of software.
"The scale and range of possible attacks has huge implications for National Security and public infrastructure." - "this is a general purpose chip that happens to be used in military applications".
"adaptable - scale up to include many types of chip" - implies there are complexity limits, so likely they've applied their process to some relatively simple piece of silicon, again suggesting some boring chip.
"found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract." - hardly uncommon, in fact the Intel CPU I'm typing this on has such a feature - for encrypted microcode updates.
Until there are more details, this vague news article is just dressing.
Having said that, I take issue with almost every point you made:
* Both Chris Tarnovsky and Karsten Nohl have, supported so far as I know by none of the resources of a major university, given security conference talks on processes for "Turning silicon into machine-readable form". Nohl actually has an open source package to help do it. There's nothing incredible about that claim.
* I'm not sure I follow how the most famous act of computer-aided industrial espionage isn't germane to hardware backdoors. Researchers put their work into context so people outside the field will take it seriously.
* The military uses Microsoft Windows and Red Hat Linux, too, both of which are general-purpose packages. You think a universally distributed backdoor in either that had escaped detection until 2012 wouldn't be relevant to national security?
* Go read Tarnovsky's blog, where he has blogged about extracting keys from silicon.
The only point you've made here that I agree with is that the attack/activation surface of these illicit features is likely to be more important than anything else.
That claim about 99% of chips being manufactured in China is very easy to verify as being utterly false. I have to wonder about the trustworthiness of the rest.
- kryptiskt, http://news.ycombinator.com/item?id=4030818
It has actually not been "very easy" for me to verify this, but I did find something saying that in 2009, China had 9% of the world's production capacity, which makes me strongly doubt that they are now 99% of the actual manufacturing amount: http://www.manufacturingnews.com/news/10/0212/semiconductors...
@tptacek: Care to provide references for why Cambridge Security Lab is as big a deal as you're making them out to be, and why we should overlook this blatantly exaggerated fact they cited?
http://en.wikipedia.org/wiki/Ross_J._Anderson http://en.wikipedia.org/wiki/Markus_Kuhn http://en.wikipedia.org/wiki/Steven_Murdoch
...and http://www.lightbluetouchpaper.org/ ; I am unaffiliated with Cambridge other than knowing a few of the people there.
"These are good guys. This paper is the real deal."
I appreciate what you bring to HN, but that this is the top comment worries me, particularly when it comes to security of all things. There's valuable comments that are contrary to your opinion surrounding you, and I wish you'd explain your side a bit more clearly in cases like this.
There are diagnostics in our network switches that allow for traffic to be replicated and sent to other ports with a different destination MAC (this isn't port mirroring, it's more like port redirecting). Clearly in the hands of a bad guy they might set up a machine on the LAN to get a copy of all the traffic. Is it a cyberwar beach head? Probably not. Could it be exploited in an attack? Probably. Of course if someone tried to route all that traffic outside the network into the transit network it would be pretty obvious. So not a good scenario.
Like the controller back door article on Ars last month I suspect most of these things are diagnostic aids. You ask an engineer to test something and that something is buried inside a bunch of silicon and the only way to do that is to build some stuff in there that lets you look at things.
Of course you can do this in a 'smart' way, and in a 'stupid' way. When I started at Intel there were extra pads on the silicon that got to these extra functions, you ordered a 'bond-out' chip where bonding wires (between the chip pins and the silicon) would be attached. All of the in circuit emulators up to the 386 had a 'bond out' version in the emulator pod that gave you access to internal state of the chip. Others have pointed out the key for loading replacement microcode, another 'feature' to fix bugs in the field and do diagnostics.
So things which require either 'special' chips or attaching a JTAG probe directly to the part, are generally ok in my book. Once you have physical access nearly all bets are off.
It's an expensive way to compromise the enemy. Simpler to just build a piece of gear that looks and operates exactly like the original but is your own design. There were some counterfeit Cisco boxes like this in the channel for a bit. Of course they 'fail' when you update IOS and it fails. Still the cost to exploit is lower and more assured than backdooring silicon in a fab.
It's also pretty hard to add features to a chip without the designer of the chip in on the game. Every transistor is accounted for by long verification and analysis so 'extra' ones would show up. That limits the risk to a chip manufacturer being the 'bad guy' (and they are very traceable so unlikely to do that).
None of this though should take away from the excellent work Cambridge is doing. The silicon analysis is really cutting edge stuff, and I think it would be useful for chip designers in verifying their masks are accurate too. If you could effectively 'decompile' the resulting silicon and verify it against your netlist, that would catch mask errors. And that would save anywhere from $100,000 to $2,000,000 depending on size of the mask.
http://blogs.cisco.com/news/cisco_and_apple_agreement_on_ios...
iOS == Apple's mobile OS
IOS == Internetwork OS (Cisco gear)
Further:
Mac == Macintosh
MAC == Media Access Control (Address), common in configuration of Cisco equipment...
With no evidence either way, I am guessing that US intelligence (and others?) are loudly saying this is happening not because they can prove it in silicon but because convincing human intelligence has told them.
I happen to think that the techniques developed to analyse silicon are going to be useful all round, and that a backdoor in a chip does not make a successful cyber attack in the wild, but if these are real in-the-fab additions then the implications are so large we should be prepared to not label this "it's just a test component" and look at ideas like validating silicon (noted somewhere else below).
My instincts would be that in the absence of real evidence they are 'loudly saying this is happening' to beat the war drums, declare it as proof a 'cyberwar' is happening, are using it to get more funding and preparing for new draconian measures to control it both domestically and internationally.
Given what I know of silicon chip manufacturing, and the verification that goes on during, after, and while manufacturing, I assert it would be extraordinarily difficult for a fab operator (like TSMC) to insert a back door without the designer/manufacturer knowing it.
I also brought up that in my experience adding back doors was certainly done to aid in testability. Sometimes those aids are done in a way that they cannot be used by third parties (bond-out chips) and sometimes they could be (JTAG access) but are obscured in some way.
Backdoor access in the firmware however, is a much easier threat to actualize as it doesn't involve silicon hacking per se. So that is a more credible threat. And I mentioned that we've seen counterfeit versions of 'name brand' products already which would be a fairly straight forward threat.
From this, I'd say that anyone who used the backdoor would basically be able to take over the chip completely. Which is somewhat scary, considering the author says it's used in weapons systems—hopefully the author's informed an intelligence agency with the specifics.
The configuration is commonly stored in a small serial eeprom (tiny 8-pin chip) and automatically read when the FPGA powers up. The content of this chip is often called "bitstream", this configuration eeprom/flash is sometimes also internal to the FPGA.
The key this configuration is encrypted with is supposed to be stored securely inside the FPGA, but they managed to extract it using undocumented commands on the "debug port" (JTAG) that the vendor explicitly claimed did not exist.
Note: This is an interface that normally is not easily accessible from the outside, but sometimes connected to a microcontroller to update the FPGA configuration.
Theoretically someone who gets access ("normal" computer backdoor over the network) to such a device might be able to re-program the chip thereby causing malfunction or add a flaw deliberately. The second scenario would be to decrypt the configuration information, "decompile" it and learn about secret algorithms or functions.
From the description I'm guessing an interface device that does something in the order of I2C/CAN/M on one end and external comms to the outside world on the other (why else would it require "sophisticated encryption standard").
First, we must understand what these are used in: embedded systems. Typically, at the heart of most embedded systems you have two possibilities: a microcontroller or microprocessor, or an FPGA. The microcomputers run some kind of firmware (instruction set fed to a processor architecture), which is completely different from an FPGA, which is actually a re-configurable transistor array used to implement fixed digital logic. This transistor configuration is typically loaded from EEPROM on power up - so it is stored/uploaded by a user somewhere after they've done some work in their CAD tool.
In either case, whether it be firmware written for a microprocessor based system, or the "firmware" for an FPGA (I forget what that logic routing configuration format is called - technically not firmware since it's not instructions) it is likely that whoever wrote it would want to protect it from being read or protect their device from having another firmware loaded on. There are many schemes to do so, it is possible that this is what has been compromised.
[1] http://www.actel.com/products/pa3/ [2] http://www.actel.com/documents/pa3_faq.html
(I guess there is no real advantage in keeping this obscured)
Who's to say that manufacturing in China means the backdoor was injected by China? I would have thought the US is just as likely a source, given that the design came from there. Surely the US government would love having access to FPGAs in foreign systems?
The cynic in me says that Cambridge needs to keep poking, as they might find two backdoors: one inserted by the US, the other by China.
Power glitch detection, mechanisms to detect decapping/stripping, wire mesh shielding, protection against ultra-violet laser stimulation of transistors, ... are all important.
For those interested in further reading, Security Engineering[1] by Ross Anderson contains a section on chip security. Another paper[2] by Ross Anderson and Markus Kuhn (1996) provides additional background.
I can envision a scenario where this "backdoor" is actually part of the designed-in security features of the chip designed to prevent an unauthorized party from reading out the FPGA "programming" as it were. As such, it's conceivable that there might be multiple keys or even a series of "transport" or "default" keys that are similar to those found on ISO smartcards. What we might be looking at is a "feature" as opposed to a "backdoor."
In any case, this sort of thing only becomes a critical security breach if the application you're using the chip in depends on periodic (or boot-time) reprogramming of the FPGA. In either case, either the physical security or the trust chain of your firmware loads is broken. As we all know, key management and side channel attacks are the hardest part of implementing a secure crypto system, so is this really news?
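The configuration path described a few comments up (encrypted bitstream in external EEPROM, decryption key inside the FPGA, leaked through an undocumented debug command, a microcontroller doing the loading) and the "trust chain of your firmware loads" point in this comment, modelled together in one added example. This is constructed illustration code, not the researchers' or any FPGA vendor's; the cipher (SHAKE256 as a keystream), the 12-byte nonce, the `debug_read_key` command and the pinned-digest loader are all assumptions made for the model.

```python
import hashlib
import os

# Constructed model: the FPGA holds a bitstream key; the microcontroller reads
# the image (nonce || ciphertext) from EEPROM at power-up and hands it over.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHAKE256 used as a keystream: stand-in for the real bitstream cipher.
    A stream cipher, so the same call encrypts and decrypts."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class Fpga:
    """Holds the decryption key in what is supposed to be unreadable storage."""

    def __init__(self, key: bytes):
        self._key = key
        self.design = None  # plaintext configuration currently running

    def configure(self, nonce: bytes, ciphertext: bytes) -> None:
        self.design = keystream_xor(self._key, nonce, ciphertext)

    def debug_read_key(self) -> bytes:
        # Hypothetical undocumented JTAG-style command leaking the key.
        return self._key


def build_image(key: bytes, design: bytes) -> bytes:
    """Vendor side: encrypt a design into the EEPROM image (nonce || ct)."""
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, design)


def load_unchecked(fpga: Fpga, eeprom: bytes) -> bool:
    """Loader that trusts EEPROM content; encryption is the only control."""
    fpga.configure(eeprom[:12], eeprom[12:])
    return True


def load_pinned(fpga: Fpga, eeprom: bytes, pinned: bytes) -> bool:
    """Loader with an independent trust chain: the digest of the authorised
    image sits in the microcontroller's read-only storage, so a leaked FPGA
    key alone cannot get a modified image accepted."""
    if hashlib.sha256(eeprom).digest() != pinned:
        return False
    fpga.configure(eeprom[:12], eeprom[12:])
    return True


def tamper(fpga: Fpga, eeprom: bytes, patch: bytes) -> bytes:
    """Threat model from the thread: with the leaked key the design can be
    read out ("decompiled") and a modified, validly encrypted image written back."""
    key = fpga.debug_read_key()
    design = keystream_xor(key, eeprom[:12], eeprom[12:])
    return build_image(key, design.replace(b"SAFE", patch))


def demo() -> dict:
    device_key = os.urandom(32)
    design = b"FPGA design v1 [INTERLOCK=SAFE]"
    eeprom = build_image(device_key, design)
    pinned = hashlib.sha256(eeprom).digest()  # recorded at provisioning time
    out = {"key_leaked": Fpga(device_key).debug_read_key() == device_key}

    # 1) No integrity check: the modified design runs.
    f1 = Fpga(device_key)
    evil = tamper(f1, eeprom, b"OPEN")
    load_unchecked(f1, evil)
    out["unchecked_runs_modified"] = f1.design != design and b"OPEN" in f1.design

    # 2) Pinned digest: same leaked key, but the tampered image is refused
    #    while the original still loads. Confidentiality is lost either way.
    f2 = Fpga(device_key)
    out["pinned_rejects_modified"] = not load_pinned(f2, evil, pinned)
    out["pinned_accepts_original"] = load_pinned(f2, eeprom, pinned) and f2.design == design
    return out
```

The model only restores integrity of the load, not secrecy of the design, which is exactly the split this comment draws between the two failure modes.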
[pdf] http://www.armed-services.senate.gov/Publications/Counterfei...
That claim about 99% of chips being manufactured in China is very easy to verify as being utterly false. I have to wonder about the trustworthiness of the rest.
Sure, this stuff gets harder with modern technology, but it would be ridiculous to assume that manufacturers blindly click together chips and hope for the best because they can't inspect their work.
Maybe 99% of volume, but not type, is produced in China.
Or 99% of types are made in China, but with volume elsewhere.
Maybe 99% of this particular IC family are made in China, with the rest being made elsewhere is something that works.
The 99% does strike me as something that was thumbsucked.
Edit: they seem to have submitted a patent application for the process of sending test signals to a chip and monitoring it with an oscilloscope: http://www.sumobrain.com/patents/wipo/Integrated-circuit-inv...
Are there backdoors in silicon? Of course there are backdoors in silicon. Just like in software, most of them will be deniably accidental. It's unlikely we'll be able to trace most of them to deliberate sabotage, but the net effect will be the same.
Having set the stage, consider: the competency required to manually evaluate silicon packages is extraordinarily rare. Even if you wanted to shell out 6 figures for a competent superficial evaluation, you'd have a lot of trouble finding available Chris Tarnovskys to do the work.
If you have 50% of the competence of Tarnovsky and the ability to automate any significant portion of that work, you can probably write your own ticket.
So: what's the likelihood that any such person, with an actual affiliation to a respected EE/CS security program, would just be making stuff up?
"Look, the people you are after are the people you depend on. We boot your servers, we back up your drives, we write your applications, we maintain your kernels. We guard your data. Do not... fuck with us. "
Having set the stage, consider: the competency required to manually evaluate silicon packages is extraordinarily rare. Even if you wanted to shell out 6 figures for a competent superficial evaluation, you'd have a lot of trouble finding available Chris Tarnovskys to do the work.
Could secure hardware be bootstrapped? Could we use the embarrassment of riches we have in terms of number of transistors available to implement arrays of small and fast processors which can emulate security hardware and be programmed using formal verification? This way, we could concentrate all of our scrutiny on one unit, and change much of the hardware problem into a software one. It wouldn't be as fast or as cheap, but it might be fast enough and workably secure.
www.cl.cam.ac.uk/~sps32/SG_talk_BA.pdf
Helion Technology Limited -- Helion Technology.
found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key...
It's hard to understand what this guy is talking about. Is he claiming that the manufacturer added additional hardware that the designers were unaware of? Or they made modifications to existing circuitry so it doesn't match the design? It would be very hard to do either without cooperation from the designers, especially given the paranoia of hardware engineers (and of defense hardware engineers, an entirely different level of paranoia). The question "are we manufacturing what we designed?" is one that is constantly asked throughout the lifetime of a part. In fact the answer, for individual parts, is often "no", because they can be defective. Still, the question is constantly asked with a variety of automated tools at all points of the manufacturing process.
Here's what I think he might have found: an additional fixed key introduced by the designers themselves into the chip, and having nothing special to do with the manufacturer. In other words, a deliberate backdoor.
- Assumes the Chinese put the backdoor in. There are plenty of others interested in backdoors.
- Assumes the designing company doesn't do any detailed production product checks. Not likely since this is a many, many billion dollar business.
- Claims a systemic problem but only notes one chip. That one FPGA could just have a design flaw. Need more details on the others.
- At the end it claims an investigation over ten years but the fab world has greatly changed over ten years. Many micro controller companies actually own their Chinese fabs now.
As a side note, if you discover something like this, don't assume you found something you weren't meant to find. Your discovery may just have made you found.
Whether any of those backdoors are deliberate is much less relevant than whether they're known to your adversaries. In the case of Chinese electronics engineering, your adversaries have the blueprints.
Do you really think it's likely that designers of bespoke silicon reliably decap, image, and analyze the finished products? I think you're attributing Intel/AMD-level wherewithal when, just like in software, a huge chunk of the market has nothing resembling the resources of the leading vendors.
The author would probably like to stay involved with this tech, or at least to be able to hand it off to CESG.[1]
[1] I assume CESG. Perhaps QinetiQ[2] would do it?
[2] I have no idea what they do. All those Qs? You've seen 007? They're the real Q department. I doubt they do laser beam watches.
http://www.armed-services.senate.gov/Publications/Counterfei...
Show me some source, a schematic, or a technique that you're using, and then I might believe you, otherwise this is just FUD. They didn't even name the bloody chip.
How could the authors know the backdoor design is not the intent of American military?
1) Say what you will about the military-industrial complex, but they do buy a load of physical products. When those are sourced domestically it has a lot of good spillover effects on the rest of the industry (see Steve Blank's Secret History of Silicon Valley).
2) I'd be far more worried about Intel, AMD, nVidia, Texas Instruments, et al, especially if I was a foreign procurement officer. The logic in those chips is incredibly complex and almost impossible to verify in any detail by a third party. Coincidentally, they're all US companies.
It's interesting to note that in the DPA/SPA world the standard model of operation is to develop a new attack and then patent the countermeasures ;)
It should be noted that this is "probably" not a backdoor in the traditional sense (intentionally planted by some nefarious government organisation), rather just bad, leaky design that has been identified by an improved attack methodology...
But, this frenemy war is not about taking advantage of these backdoors. That is the nuclear option. The war is about who has the potential to pwn the other.
BTW- I'm typing this on a Chinese netbook.