In the first article in this series, we did an overview of backdoor hardware attacks, the second article covered the means and motivations, the third installment looked at the dreaded Rakshasa malware, and the last focused on backdoors inserted at gate level.
This final installment in the series will discuss prevention and detection strategies for backdoors and hardware attacks.
Hardware vulnerabilities are usually difficult to detect. Electronics devices could be preloaded with spyware or other malware that could be used to disable or extract data from host systems, or to sabotage the target hosting network.
A fundamental aspect of hardware backdoors that makes them hard to detect is that they can lie dormant during verification and can be triggered to wake up later.
In literature there are several techniques to detect the presence of hardware backdoors, even though it’s often difficult. The main problem is assembling hardware systems from components designed by untrusted designers, or procured from untrusted third-party manufacturers or subcontractors.
The military is increasingly dependent on commercial components to build its systems. In most cases, hardware is manufactured outside of US borders. The DoD is aware of the possible presence of backdoors or malicious software that could harm its systems. The principal concerns for US Defense are related to the security of the global supply chain.
“Devices are assembled from hundreds or thousands of components each coming from different parts of the world making it impossible to verify the trustworthiness of every supplier.”
To respond to the need of security, DARPA has started a program codenamed Vetting Commodity IT Software and Firmware (VET.) It’s inviting security experts to “look for innovative, large-scale approaches to verifying the security and functionality of commercial information technology devices bought by the DoD.”
The goals of the ambitious program are to define of a set of tests for component validation, and to determine how to prove an absence of malware. The following goals are described on the DARPA website:
- Defining malice: Given a sample device, how can DoD analysts produce a prioritized checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out?
- Confirming the absence of malice: Given a checklist of software and firmware components to examine and broad classes of hidden malicious functionality to rule out, how can DoD analysts demonstrate the absence of those broad classes of hidden malicious functionality?
- Examining equipment at scale: Given a means for DoD analysts to demonstrate the absence of broad classes of hidden malicious functionality in sample devices in the lab, how can this procedure scale to non-specialist technicians who must vet every individual new device used by DoD prior to deployment?
“Rigorously vetting software and firmware in each and every device is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.”
The best way to prevent the insertion of hardware backdoors is to tightly control the entire production process. Use a trusted design team, use component design that’s free of backdoors and release it to a trusted foundry. Trusted people, clean production environments and self made tools provide assurance that products are free of backdoors.
In reality, this sort of production chain is impractical for most every products due to high costs and duration of the production process.
Prevention could be implemented in different phases of production:
- The design level- the ability to create trusted circuits using untrusted EDA tools is the primary goal for detection at this stage. Principal solutions fully account for the use of all hardware resources, leaving no time frame for the execution of malicious features.
- The fabrication level- provide both hardware specifications and a list of “security-related properties.” Customers and manufactures must agree how to turn these concepts into a formal mathematical codification procedure. The IP producer writes the Hardware Description Language (HDL), they also produce evidence that the specified hardware fulfills all requirements. That can then be checked by a theorem, proven when the IP is delivered to the consumer.
- The post-fabrication level– to cut down the attacker’s window of opportunity, reconfigurable logic could be placed between the output of some ICs and the input of other ICs, disguising some of the design from an attacker who has access to the Register Transfer Level.
Detection mechanisms are used to discover the presence of a hardware backdoor. Once found, a malicious component could be removed from a design. That applies if one is discovered at the Register Transfer Level, or an IC could isolate it to avoid triggering backdoor.
Security experts have focused backdoor detection at the post-fabrication phase, due to how critical the fabrication process is. It’s considered to be the weakest link in the product development cycle.
Backdoor production is an arms race that involves attackers developing new evasion techniques, and defenders are exploring new methods for prevention and detection. Despite various detection techniques that exist, none of them is capable of identifying every kind of backdoor.
Principal detection methods could be grouped in the following categories:
- Destructive methods– A form of detection completely destroys the analyzed component. Due to this, it’s considered useful. Hardware components are completely reverse-engineered, an activity that is expensive and time consuming. Reverse-engineering processes are generally performed by Chemical Metal Polishing followed by an Scanning Electron Microscope (SEM) image reconstruction and analysis. Verification of the circuits is usually performed through visual comparison. The methods are ineffective if the backdoor has been added prior to fabrication. “In this case the IC would have to be completely reverse engineered through the reading of the logic gate layout and reconstruction of an RTL description. This makes the reverse engineering problem much more difficult.”
- Non-destructive methods – A form of detection that doesn’t destroy the component, they’re classified as being either invasive, or non-invasive depending on if the techniques leave the design unaltered. Invasive methods are used to modify the design of components to control the embed feature for backdoor detection. An example of an invasive method is the insertion of an additional I/O for each module to allow execution of self-testing circuitry specifically designed to test anomalous events. Non-invasive hardware Trojan detection is performed by comparing the “performance” of a component with a known “good copy,” used as reference model. Non-invasive hardware backdoor detection can be done either at runtime or at test-time.
Interfering with a hardware backdoor
Researchers Adam Waksman and Simha Sethumadhavan mentioned various techniques to make backdoor design undetectable to attackers in their study “Silencing Hardware Backdoors.”
The researchers proposed to hide backdoor scrambling input that that reaches hardware at runtime. That makes it difficult for malicious components to acquire the information they need to perform malicious activities.
The following are methods for disabling backdoor triggers:
- Power resets– The technique prevents untrusted units from detecting or computing how long they’ve been active, thus preventing time-based attacks.
- Data obfuscation– The technique encrypts input values to untrusted units to prevent them from receiving special codes, thus preventing them from recognizing database triggers.
Sequence breaking– The technique pseudo-randomly scrambles the order of events entering untrusted units to prevent them from recognizing sequences of events that can serve as data-based triggers.
Due to the wide diffusion of electronic components, the problem of hardware qualification is considered crucial. Microcircuits and firmware are present in every device around us, from our cars to sophisticated defense systems.
Each product requires careful verification. Also, consider sectors that aren’t considered critical, such as consumer devices. The effect of hardware backdoors hidden in their circuits could be catastrophic, due the globalization of manufacturing activities, a foreign government could intentionally compromise the production plant to insert malicious backdoors in a component destined for the global market.
Today, we’re far from the possibility of analyzing every device distributed in the market for the previously stated reasons. It’s time to start carefully considering the risks related to the lack of hardware qualification in each industry.
The cyber strategy of each government today needs to define the means and methods to guarantee satisfactory security levels in every hardware component. That’s the only viable strategy to avoid devices that are tainted with hardware backdoors.
About the Author: Pierluigi Paganini writes for Infosec Institute and is a security expert with over 20 years of experience in the field, including being a Certified Ethical Hacker. Paganini is Chief Security Information Officer for Bit4Id, a researcher, security evangelist, security analyst and freelance writer. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”, and is also Editor-in-Chief at CyberDefense Magazine and Security Affairs.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- Improving Microsoft Patch Error Messages
- Vulnerability Counts, Remediation and Risk
- Top Five Hacker Tools Every CISO Should Understand
- Five More Hacker Tools Every CISO Should Understand
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
* Show how security activities are enabling the business
* Balance security risk with business needs
* Continuously improve your extended enterprise security posture
Download the IT Security Budget Roundup for CIOs and CISOs
Each year, numerous industry research reports provide budget forecasting on expected spending for worldwide IT. Some add a focus within specific industries as well as technologies, but very few focus strictly on IT security.
Bringing a few of the most notable reports together provides a valuable roundup of information for IT operations, including forecasts of IT security spending.
This may be a time-saver for busy CIOs and CISOs and their teams who are seeking data to compare, support and defend possibly thin IT security budgets, or a needed increase to meet business priorities.
This report is organized to review what the research shows, business priorities and trends to tap, and strategies on how to defend your numbers.
Title image courtesy of ShutterStock