They have shown that what was thought impossible or unlikely turned out to be a reality for a well-funded privileged organisation with huge brainpower resources.
However recent ground-breaking research published by an international team of scientists from the US, Switzerland and Germany (Stealthy Dopant-Level Hardware Trojans) shows that there are techniques that can strike at the heart of all IT and information processing that are even more far-reaching and perhaps more importantly, almost impossible to detect. While most of the attention drawn in the media around computer security revolves around the trivia of stolen credit card numbers and defaced websites, this ground-breaking research seems to have gone relatively unnoticed despite its potential consequences. The purpose of this article is to briefly introduce this research and reflect on its potential implications.
To appreciate the far-reaching consequences of this research it is necessary to state an obvious but critical fact: security and trustworthiness of all our computer systems - our smartphones, PCs, air traffic control, nuclear power stations, ballistic missiles, and everything in between - depends on the security of computer software that drives them, which in turn depends on the security and trustworthiness of hardware that the software runs on. It is impossible to over-emphasise the fundamental fact that software is ‘at the mercy’ of hardware, and more specifically, the CPUs, GPUs, MMUs and other chips and chipsets that make our information age possible.
Correct and trustworthy operation of these chips is an absolute pre-condition for operation of every electronic device that includes them - and with the coming of the so-called internet of things that could include pretty much everything. Effectively subvert, sabotage or circumvent these chips on a sufficiently wide scale and you have control over systems that use them.
Design and manufacturing of modern chips requires huge amounts of effort and resources not to mention industry’s constant challenge to reduce the size and energy consumption of chips whilst increasing their processing power. This requires extensive collaboration and dependencies between research institutions, chip designers, chip manufacturers, intellectual property owners and computer makers that spans countries and continents.
The risk of clandestine inclusion of unauthorised functionality - hardware Trojans - is known in the industry and some measures exist to try and reduce that risk. These measures try to prevent such unauthorised additions to chips as well as to detect whether such additions or modifications have taken place. The question of how effective these measures are is an open one and their effectiveness cannot be taken for granted.
Detection of chip-level hardware Trojans in particular depends on microscopic inspection and comparison with so-called ‘golden chips’, chips known or assumed to be trustworthy and free of unauthorised additions or modifications. If one could evade or avoid detection by optical inspection of unauthorised changes in the chip while sabotaging or altering the operation of the chip, any system using those chips could not be trusted and could be controlled by the authors of unauthorised changes.
It is important to note that functional testing intended to detect manufacturing defects is not intended to, and often cannot, detect malicious modifications. The question we have to ask therefore is this: is it possible to maliciously change or influence the operation of a chip without such modification being detectable by currently known detection methods? Is it possible to optically inspect the Trojaned chip’s layers under electron microscope and yet be unable to see what and how has been altered in its logic? The disconcerting answer is yes, it is possible and it has been done.
Georg Becker, Francesco Regazzoni, Christof Paar and Wayne Burleson have demonstrated that by carefully altering chemical and physical properties of certain parts of microscopic transistors that make up the modern chips it is possible to make invisible changes in the logic of these transistors leading to desired and potentially malicious outcomes, such as reduction in strength of cryptographic algorithms and leaking of sensitive information. They have successfully implemented their attack against two chip designs, one of them being a widely-used, independently verified and government-certified hardware random number generator.
Random numbers are required by many encryption algorithms used for everything from access control to internet banking, and hardware random number generators are believed to be best due to their performance and security. However what the authors of this research have demonstrated is not only that it is possible to make invisible changes in a high-security chip that lead to intended outcome (i.e. predictability of numbers expected to be random) but also in such a way that even a government-approved test intended to identify non-random numbers is unable to detect the modification.
Despite the chip’s built-in self-test function, as well as a built-in randomness test, the authors have been able to completely and undetectably compromise the chip’s function, reducing the randomness of numbers generated by it to a desired level. Since many encryption algorithms heavily depend on random numbers for their security this compromise could further be used to compromise encryption believed to be secure.
What does this all mean and what are the short-term and long-term implications of this research? We can make some informed guesses. The fact that effective and as yet undetectable modifications can be made at sub-transistor level even in chips believed to be secure should surely raise the awareness of our ever-increasing dependence on electronics and - perhaps more worryingly for governments and businesses around the world - the awareness of our dependence on electronics manufactured in countries that do not necessarily share our values and do not have our interests as their priority. In a 2005 report the US Defense Science Board has concluded that
‘The Department of Defence and its suppliers face a major integrated circuit supply dilemma that threatens the security and integrity of classified and sensitive circuit design information, the superiority and correct functioning of electronic systems, system reliability, continued supply of long system-life and special technology components.’
Needless to say it is not only the US Department of Defence that faces these - now demonstrated to be real - risks but due to increasing globalisation and our increased dependence on technology every state and every individual depends on the trustworthiness of chips that underpin our digital lives - for better or worse. What can be done to address these risks is a question that scientists, governments and vendors will have to ponder for the foreseeable future.
Edgar Danielyan FBCS CITP is a CREST Registered Technical Security Architect and CREST Registered Penetration Tester. He is the director and owner of Danielyan Consulting, an IT security and penetration testing consultancy offering penetration testing and technical security design & consultancy services.