
The design stage is the period in a device’s production during which the device is fully mapped out to meet the required specifications. For these purposes, a complete digital representation of the final circuit is created. This is an incredibly important stage with regard to security, as a significant number of external influences on the circuit are introduced during it. Few organizations can afford to create the design completely in-house, without relying on any external resources. Furthermore, the circuit at this stage can be convoluted, making it difficult to identify possible malicious modifications. This stage, in combination with the fabrication stage, represents the largest risk to the device.

With the large number of external influences on the design stage also comes a large possible variety of attacks. Furthermore, many of these external resources will often pass unchanged, or even unobserved, into the final design.

4.2.1 Third-Party Intellectual Property (IP)

The most significant vector for attacking a circuit during the design stage is the inclusion of third-party IP in a design. Most organizations cannot afford to build an optimized design from the ground up every time a common component is used, and therefore rely on IP vendors that supply design blocks performing the desired functionality. This allows the organization to save money and time by avoiding the creation of the circuit from scratch. Designers will instead assemble licensed design blocks to meet the requirements of the circuit, often treating the third-party IP as black boxes. These unknown designs can easily make their way unmodified into a final design, providing an effective vector for compromising a circuit.

For instance, suppose a designer was licensed a cryptographic circuit for use in a design. The cryptographic block’s encryption could be easily undermined if it possessed an extra hidden key. While it would appear to function correctly under normal use, someone with knowledge of the hidden key could circumvent any security provided by the cryptographic block to the final circuit.

Another risk with third-party IP is that there are a plethora of vendors supplying designs for every possible function, with very little oversight. Vendors come and go, often possessing only an online presence. It would not be difficult for someone to create a fake vendor persona and supply malicious design blocks at a below-market fee. It is simply not safe to trust the vendor to have clean designs that perform exactly as advertised. Compounding the problem is the recurring issue of stolen IP design blocks. There are a great many problems with vendors having IP stolen and resold by other vendors, or simply stolen by designers wanting to use the IP for free. Unfortunately, this has led to a culture of obfuscation and suspicion, making it difficult to obtain clean, unobfuscated code in order to identify possible attacks.

4.2.1.1 IP Watermarking

Another challenge with identifying attacks in third-party IP is the concept of IP watermarking. When licensing IP from a third-party vendor, that vendor will not necessarily be straightforward with the licensee when it comes to functionality within the design. In many cases, this is to protect the interests of the vendor and prevent IP theft. A digital watermark is performed by embedding verifiable proof of ownership into a functional block [35, 36]. This proof can then be invoked at a later point in time to show whether a design was stolen or not. Unfortunately, the method through which the watermark acts is often functionally identical to that of a hardware attack leaking sensitive data. For instance, the study by Becker et al. [37] covers a method of watermarking a design such that a uniquely identifying string is broadcast through the power drawn during certain phases of activity.

This data is transferred over a range of frequencies using spread-spectrum techniques to combat ambient noise. However, this uniquely identifying string could be replaced with sensitive information in the design such as a key or plaintext value. This change would convert the legitimate watermark into a full-blown insertion causing a data leak. Another similar study was conducted by Ziener et al. [38], which describes a method of watermarking for multiple IP cores in a single design, such as in a field programmable gate array (FPGA). This demonstrates an effective method of multiplexing these power watermarks so that each IP core can supply a different signature at the same time, without interfering with the watermarks of other cores.
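The following simulation is an added illustration of the two power-watermarking ideas above (a spread-spectrum signature in the supply current, and several cores multiplexed over the same channel); it is not code from the cited studies. Each core modulates a constructed 16-bit ID onto its own pseudo-random chip sequence, all cores are summed into one noisy "power trace", and a verifier holding a core's sequence recovers that core's ID by correlation. The same correlation is what a reviewer of a licensed block can run against a measured trace to check whether it carries a modulated sequence at all. Core names, IDs, seeds, amplitudes and the Gaussian noise model are all constructed assumptions.

```python
import random


def pn_sequence(seed, length):
    """Pseudo-random +/-1 chip sequence; the seed stands in for a core's secret spreading code."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(length)]


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def spread(bits, chips):
    """Map each bit to +chips (1) or -chips (0): BPSK over the spreading sequence."""
    signal = []
    for b in bits:
        sign = 1 if b else -1
        signal.extend(sign * c for c in chips)
    return signal


def simulate_power_trace(cores, chips_per_bit, noise_sigma, noise_seed=7):
    """Sum the spread signatures of several cores on top of Gaussian noise.
    This is a constructed stand-in for the chip's measured supply current."""
    rng = random.Random(noise_seed)
    n_samples = len(cores[0]["bits"]) * chips_per_bit
    trace = [rng.gauss(0.0, noise_sigma) for _ in range(n_samples)]
    for core in cores:
        chips = pn_sequence(core["pn_seed"], chips_per_bit)
        for i, v in enumerate(spread(core["bits"], chips)):
            trace[i] += core["amplitude"] * v
    return trace


def despread(trace, pn_seed, chips_per_bit):
    """Correlate each bit-long window with the sequence; returns normalized per-bit correlations.
    Noise and other cores' sequences average towards zero, the matching sequence towards its amplitude."""
    chips = pn_sequence(pn_seed, chips_per_bit)
    scores = []
    for k in range(len(trace) // chips_per_bit):
        window = trace[k * chips_per_bit:(k + 1) * chips_per_bit]
        scores.append(sum(w * c for w, c in zip(window, chips)) / chips_per_bit)
    return scores


def recover_bits(trace, pn_seed, chips_per_bit):
    return [1 if s > 0 else 0 for s in despread(trace, pn_seed, chips_per_bit)]


def signature_strength(trace, pn_seed, chips_per_bit):
    """Mean |correlation|: close to the core's amplitude if its sequence is in the trace, near 0 if not."""
    scores = despread(trace, pn_seed, chips_per_bit)
    return sum(abs(s) for s in scores) / len(scores)


CHIPS_PER_BIT = 512
# Constructed cores: IDs, spreading seeds and relative amplitudes are assumptions for the demo.
CORES = [
    {"name": "core_a", "bits": int_to_bits(0xA5C3, 16), "pn_seed": 101, "amplitude": 1.0},
    {"name": "core_b", "bits": int_to_bits(0x3C5A, 16), "pn_seed": 202, "amplitude": 0.8},
]


def demo(noise_sigma=2.0):
    """Build one shared trace and recover each core's ID with its own sequence."""
    trace = simulate_power_trace(CORES, CHIPS_PER_BIT, noise_sigma)
    return {c["name"]: bits_to_int(recover_bits(trace, c["pn_seed"], CHIPS_PER_BIT)) for c in CORES}


if __name__ == "__main__":
    print({k: hex(v) for k, v in demo().items()})
    trace = simulate_power_trace(CORES, CHIPS_PER_BIT, 2.0)
    for seed in (101, 202, 999):
        print("seed", seed, "strength", round(signature_strength(trace, seed, CHIPS_PER_BIT), 3))
```

The noise standard deviation (2.0) is larger than either signature amplitude, so no single sample reveals a watermark; only correlation over 512 chips per bit pulls it out. That is also why the channel is worrying from the page's perspective: nothing in the decoder cares whether the 16 bits are an ownership ID or some other value the block holds.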

4.2.2 Electronic Design Automation (EDA) Tools

Another example of an external resource used during the design phase is the set of tools used to create the design. If a backdoor is built into those tools, then a design composed with them could be compromised. This is also a very difficult step to perform in-house, as developing design tools is an incredibly expensive process. If it were not, then companies such as Cadence and Synopsys would not be able to operate. However, unlike vendors of third-party IP, there are significantly fewer vendors providing tools, and there is more oversight with regard to the tools used in designs.

4.2.3 Cell Library

Another external resource commonly relied upon during circuit design is an external cell library. While some organizations will have their own library to which they synthesize designs, many will need to rely on externally provided libraries, which might have internal faults. Despite this reliance, the cell library is not a very dangerous attack vector during circuit production. Due to the primitive nature of these cell libraries, it would be nearly impossible to introduce any sort of malicious attack beyond a simple degradation of performance. Furthermore, cell libraries are small enough that it can be possible for an organization to investigate one manually to verify minimum functionality.
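As an added example of the manual verification just mentioned (not code from the page or from any library vendor), the script below checks each cell in a constructed library exhaustively: it parses the Boolean function string a vendor would state for the cell, enumerates every input vector (cells have few inputs, so this is cheap), and compares against the behaviour observed from the cell model. The `model` lambdas stand in for truth tables that would in practice come from transistor-level simulation of the vendor's cell; the cell names, function strings, the operator precedence assumed for the function syntax, and the deliberately faulty MUX2 are all constructed for the demo.

```python
import itertools


def tokenize(expr):
    """Split a Liberty-style function string into identifiers and the operators ! * ^ + ( )."""
    tokens, i = [], 0
    while i < len(expr):
        ch = expr[i]
        if ch.isspace():
            i += 1
        elif ch in "!*^+()":
            tokens.append(ch)
            i += 1
        elif ch.isalnum() or ch == "_":
            j = i
            while j < len(expr) and (expr[j].isalnum() or expr[j] == "_"):
                j += 1
            tokens.append(expr[i:j])
            i = j
        else:
            raise ValueError(f"unexpected character {ch!r} in {expr!r}")
    return tokens


class FunctionParser:
    """Recursive-descent parser to an AST of tuples.
    Assumed precedence, highest first: ! (NOT), ^ (XOR), * (AND), + (OR)."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens in function string")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "+":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_xor()
        while self.peek() == "*":
            self.take()
            node = ("and", node, self.parse_xor())
        return node

    def parse_xor(self):
        node = self.parse_unary()
        while self.peek() == "^":
            self.take()
            node = ("xor", node, self.parse_unary())
        return node

    def parse_unary(self):
        if self.peek() == "!":
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        tok = self.take()
        if tok is None or tok in "!*^+()":
            raise ValueError("expected an operand")
        return ("var", tok)


def evaluate(node, env):
    op = node[0]
    if op == "var":
        return env[node[1]]
    if op == "not":
        return 1 - evaluate(node[1], env)
    a, b = evaluate(node[1], env), evaluate(node[2], env)
    return {"and": a & b, "or": a | b, "xor": a ^ b}[op]


def truth_table(expr, inputs):
    """Exhaustive truth table of the stated function over the named inputs."""
    ast = FunctionParser(expr).parse()
    return {bits: evaluate(ast, dict(zip(inputs, bits)))
            for bits in itertools.product((0, 1), repeat=len(inputs))}


def verify_cell(cell):
    """Input vectors where the observed cell model disagrees with the stated function."""
    expected = truth_table(cell["function"], cell["inputs"])
    return [bits for bits, out in expected.items() if cell["model"](*bits) != out]


def verify_library(library):
    return {name: verify_cell(cell) for name, cell in library.items()}


# Constructed library. 'function' is what a vendor .lib would state; 'model' stands in for the
# truth table measured from the cell's own transistor-level simulation.
CONSTRUCTED_LIBRARY = {
    "NAND2": {"inputs": ["A", "B"], "function": "!(A*B)", "model": lambda a, b: 1 - (a & b)},
    "XOR2": {"inputs": ["A", "B"], "function": "A^B", "model": lambda a, b: a ^ b},
    "AOI21": {"inputs": ["A1", "A2", "B"], "function": "!((A1*A2)+B)",
              "model": lambda a1, a2, b: 1 - ((a1 & a2) | b)},
    # Constructed defect: for S=1, A=1, B=0 the cell passes A through instead of B.
    "MUX2_BAD": {"inputs": ["A", "B", "S"], "function": "(!S*A)+(S*B)",
                 "model": lambda a, b, s: 1 if (a, b, s) == (1, 0, 1) else (b if s else a)},
}

if __name__ == "__main__":
    for name, bad in verify_library(CONSTRUCTED_LIBRARY).items():
        print(name, "OK" if not bad else f"MISMATCH on {bad}")
```

Because a standard cell has at most a handful of inputs, exhaustive comparison is the right tool here; the same approach does not scale to a licensed cryptographic block, which is one reason the page treats third-party IP as the more serious vector.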

4.2.4 Device and Component Models

Similar to how many organizations rely upon an external cell library, component models are commonly implemented in a design. Since these models represent low-level components such as transistors, resistors, and capacitors, this represents an abstraction level lower in the design than the cell library. Because of this low abstraction level, specific attacks would be very difficult to implement.

4.2.5 Hardware Description Languages

While it is unlikely to represent an attack vector, circuit designs also rely on externally developed hardware description languages (HDL) such as Verilog or VHDL. This is due primarily to the industry’s development of electronic design automation (EDA) tools designed to work using these languages. While Verilog and VHDL are unlikely to inherently contain possible threats to a design, reliance upon an external language that is not as publicly tested could introduce errors or risks. An example of an external language that could be relied upon in a specific circumstance is the Symbolic Model Verifier (SMV) language provided by Carnegie Mellon University [39]. If an organization were to rely upon an external tool provided by an untrusted third party, then a possible attack could be hidden in the language used by the tool, rather than in the tool itself.
