Hardware Trojans (by Alexander Adamov D&T Lab)
11 Aug 10 at 14:40
On July 22, 2010, the magazine «NewScientist» published a note reporting that, according to a post on the Dell forum, the Trojan Worm.Win32.Spybot had been found in the flash memory of a motherboard. This board is included in Dell PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 servers. The worm's payload spreads through peer-to-peer networks and instant messaging clients. Because the worm runs under Windows, anti-virus software can neutralize it, but an ordinary virus scanner is unlikely to be able to remove the worm's code from the motherboard's flash memory. The company has already announced that it will urgently replace all infected server boards.

Photo: Alexander Adamov, 2010


Thus the computer industry faces another avenue of malware infection, this time at the firmware level. Malicious inclusions in «hardware» are becoming a more important topic because most of our computer hardware is made in Southeast Asia, although under the brands of major U.S. companies. This is driven by lower production costs and the need to stay competitive in the market. However, trust in the manufactured components has been falling, especially where development for military purposes is concerned: a malicious inclusion could disable flight control systems or wreak havoc on the enemy's defensive systems. For example, in September 2007 Israeli fighter jets bombed a suspected nuclear facility in Syria. At the moment of the attack, the modern Syrian radars that should have signaled it were out of order. After the incident, specialists speculated in blogs that the cause was a remotely controlled backdoor planted during the production of the microprocessors. ("Cyber-Combat's First Shot," Aviation Week & Space Technology, 26 November 2007 by David A. Fulghum, Robert Wall, and Amy Butler.)

The case baffled the Pentagon, given that the on-board systems of the new-generation F-35 Joint Strike Fighter contain more than a thousand chips. Therefore, in December 2007, DARPA (Defense Advanced Research Projects Agency), the Pentagon's research wing, launched a 3-year program, "Trust in Integrated Circuits", which calls for a method to identify malicious inclusions in the chips used in military control systems.

Photo: Microsoft Office Clipart


The problem is that it is impossible to test a chip for the presence of every possible undocumented function: even when verifying only the specified functionality of a complex digital system on a chip, it is practically impossible to achieve 100% test coverage.

One of the methods used to detect a Trojan inclusion is «destructive testing». The essence of this method is to remove thin layers of the chip one after another; after each removal the die is placed under an electron microscope and photographed so that its millions or even billions of transistors can be analyzed. This method has several drawbacks: it is very laborious, and the tested chip is destroyed, making it impossible to test the entire set of chips. Alternatively, a method has been developed for scanning the chip with X-rays that can achieve the same effect without destroying the physical die (Xradia company in Concord, California, US).



Thus, this program is chasing an impossible goal. A solution can be achieved only by the large companies that develop design and verification tools for digital systems, but the project carries a high risk, and no one can guarantee that it is possible to create a method that would reliably detect the presence of spyware on a chip. Therefore, the only thing the industry can offer is more verification. "My advice to Tony Turner (Director of DARPA): trust, but verify. That's all you can do," said Victoria Coleman from Samsung.

There are two main types of hardware Trojans: the «kill switch» and the backdoor. A more detailed classification is shown in the figure:

Figure: Classification of hardware trojans


The first type of Trojan circuit is quite simple. The basic idea is to disable the chip when certain conditions occur. Such a "kill switch" is tiny: up to 1000 transistors compared with the hundreds of millions of transistors on a chip, which is 0.001% of the total functional circuit! This figure gives an idea of the probability of detecting such a "switch" in the system. In fact, the probability is several orders of magnitude smaller, which tells us that detection by conventional verification methods is impossible.
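Why functional test coverage falls short against a tiny, rarely triggered circuit can be seen in a toy differential test, added here as an illustration and not taken from the article's sources or from the DARPA program. The 32-bit adder, the trigger on the low bits of one operand, the constant `0xA5A5A5A5` and the 90% target are all constructed assumptions; the point is how fast the number of random test vectors grows with the width of the hidden condition.

```python
import math
import random

MASK = 0xFFFFFFFF  # constructed 32-bit datapath

def golden_add(a, b):
    """Specified behaviour: 32-bit wrapping addition."""
    return (a + b) & MASK

def make_suspect_add(trigger_bits, magic):
    """Model of a part with an undocumented condition: the result is
    corrupted only when the low `trigger_bits` bits of `a` equal `magic`."""
    tmask = (1 << trigger_bits) - 1
    def suspect_add(a, b):
        good = (a + b) & MASK
        return ~good & MASK if (a & tmask) == (magic & tmask) else good
    return suspect_add

def random_test_detects(dut, vectors, rng):
    """Differential functional test against the golden model."""
    for _ in range(vectors):
        a, b = rng.getrandbits(32), rng.getrandbits(32)
        if dut(a, b) != golden_add(a, b):
            return True
    return False

def detection_probability(trigger_bits, vectors):
    """P(at least one of `vectors` uniform random inputs hits the trigger)."""
    p = 2.0 ** -trigger_bits
    return -math.expm1(vectors * math.log1p(-p))

def vectors_for_target(trigger_bits, target=0.90):
    """Uniform random vectors needed to reach `target` detection probability."""
    p = 2.0 ** -trigger_bits
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))

def empirical_rate(trigger_bits, vectors, trials=200, seed=1):
    """Fraction of independent test campaigns that expose the mismatch."""
    rng = random.Random(seed)
    dut = make_suspect_add(trigger_bits, magic=0xA5A5A5A5)
    hits = sum(random_test_detects(dut, vectors, rng) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for bits in (8, 16, 32):
        n = vectors_for_target(bits)
        print(f"{bits:2d}-bit trigger: {n:,} vectors for 90% detection")
    print("measured, 8-bit trigger, 589 vectors:", empirical_rate(8, 589))
    print("P(detect 32-bit trigger | 1e6 vectors):",
          f"{detection_probability(32, 10**6):.2e}")
```

A trigger that also depends on a sequence of inputs or on internal state is harder still to reach than this single-cycle model suggests.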

At what stages can unwanted "spyware" be inserted into a chip? Almost anywhere: when the code is written, when the system is verified, when the design has already been synthesized and is ready to be committed to silicon, during the "burning" of the die, and even after the production stage. There is a special FIB (focused ion-beam) machine, costing about $2 million, that uses a focused ion beam to modify the structure of a finished die by editing the connections between logic cells. It is a peculiar kind of "silicon microsurgery": not strong enough to destroy the entire die, but able to destroy individual connections between elements within it. Manufacturers often use this technique to debug prototypes. (IEEE Spectrum Magazine)



Let's return to DARPA's "Trust in IC" project, which is developing a universal method for testing chips for malicious inclusions. The main idea of the project was to create several groups: one group creates a chip prototype, a second creates a Trojan inclusion, and three others develop methods for detecting malicious inclusions in a test set of chips. The project aims to achieve a 90% detection rate for undocumented inclusions. Each sample is given 1 month for analysis; at the end of each stage, participants who were unable to detect the malicious inclusion drop out, while the rest continue to improve their detection methods. By the end of 2010 the agency will have results that should be of interest to the army, and especially the air force. Information about the program can be found here.

We look forward to seeing whether new detection methods will be developed in the near future and whether they can really withstand Trojan inclusions in chips in critical areas: on-board systems, advanced weapons and spacecraft, as well as hardware cryptographic systems, which can become useless devices if even the slightest inaccuracy is allowed in the implementation of a cryptographic algorithm.

Adapted from:

1. «PC giant warns of hardware trojan», NewScientist Journal, 22 July 2010

2. «The Hunt for the Kill Switch», IEEE Spectrum Journal, May 2008

3. «Cyber-Combat's First Shot», Aviation Week & Space Technology, November 26, 2007

4. «Defense Science Board Task Force On HIGH PERFORMANCE MICROCHIP SUPPLY», Solicitation by Department of Defense, US, February 2005.

5. PhD Thesis of the author.

Alexander Adamov
"Design and Test Lab", Ltd. 2010
/specially for www.av-school.com/
