Breakthrough silicon scanning discovers backdoor in military chip

This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse, in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips for accessing FPGA configuration. The backdoor was found amongst additional JTAG functionality and exists on the silicon itself; it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), our pioneered technique, we were able to extract the secret key to activate the backdoor, as well as other security keys such as the AES and the Passkey. This way an attacker can extract all the configuration data from the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property (IP) theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact they can be easily compromised or will have to be physically replaced after a redesign of the silicon itself.
http://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf

Comments

One of the main selling points of these chips is that you can only write to and verify them using an AES encrypted data stream, but read back of IP blocks programmed into the FPGA cells shouldn't be possible. All verification logic is internal to the chip and you basically get a 'good' or 'bad' result; well, that's a bit of a simplification, but that's the general idea.
So as a hypothetical buyer of these chips I can go "ok, I can program these chips remotely and feel safe as I am the only person with the master key. No one can steal my IP off these chips and at the same time no one can re-program these chips without my explicit approval as all that is locked off. These chips don't require external flash as part of the application, so it should be inherently secure right?"
What these guys found is that the JTAG interface for the FPGA actually has direct access to the cells rather than going through the crypto engine, but you need to invoke undocumented commands to do it. So your IP can be extracted without the key. They also found that so-called factory set registers (FROW) which define a variety of parameters for the chip can be set to read/write by another instruction, so properties of the chips can be changed but as for what particular functions FROW does they didn't go into much detail.
As for ramifications - my IP can be extracted whole. The IP can then be deployed on other chips which I didn't authorise, I now have knock-off designs using my IP competing against my own product, not good.
With FROW access it is a bit of a wild card. The report proposes a Stuxnet-like scenario where these chips can be re-programmed entirely out-of-factory. For example, if FROW could change the crypto engine parameters then an attacker can upload a new firmware remotely and then change the crypto engine, overwriting it with their key; my 'master' key will no longer work and I'd need to use the same backdoor to reverse it, that is if I knew it existed. This is speculation, for all we know the AES key might really be non-configurable, but this report didn't confirm that. At the very least this report showed that there is undocumented functionality which contradicts the marketing material and the security model; with the sort of access you can get via backdoor JTAG, who knows what can happen?
These chips also pass standard chip verification tests; they had to use a bespoke jig and a 2-week period to find this backdoor. The next stage is figuring out how to find these backdoors faster.

--
Live free, or I f'ing kill you.
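As an added illustration of the security model the comment above describes (encrypted program/verify with a one-bit result, versus an undocumented instruction that reads the cells directly), here is a toy model plus a defender-side audit. This is example code written for this page, not code from the paper or from the vendor: the opcodes, the SHA-256 counter keystream standing in for the chip's AES engine, the `ToyFpga` class and `audit_readback` are all constructed, and nothing here corresponds to the real ProASIC3 JTAG instruction set.

```python
"""Toy model of "write/verify through the cipher, no read-back" and an audit of it.

Everything here is constructed for illustration: the opcodes, the stand-in
cipher and the device state are not those of any real FPGA.
"""
import copy
import hashlib
from dataclasses import dataclass


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for the chip's AES engine (constructed): SHA-256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt

# Constructed instruction opcodes; they are not the real device's JTAG instructions.
PROGRAM = 0x01    # documented: load an encrypted bitstream
VERIFY = 0x02     # documented: compare an encrypted bitstream, reply is only good/bad
IDCODE = 0x03     # documented: return the device identifier
READ_RAW = 0x5A   # undocumented: return the stored bitstream, bypassing the cipher
DOCUMENTED = {PROGRAM, VERIFY, IDCODE}


@dataclass
class ToyFpga:
    aes_key: bytes        # key the legitimate owner loaded; never leaves the chip here
    config: bytes = b""   # the programmed design (the IP the owner wants to protect)

    def execute(self, opcode: int, data: bytes = b"") -> bytes:
        """Dispatch one instruction the way the comment describes the security model."""
        if opcode == PROGRAM:
            self.config = decrypt(self.aes_key, data)
            return b""
        if opcode == VERIFY:
            return b"\x01" if decrypt(self.aes_key, data) == self.config else b"\x00"
        if opcode == IDCODE:
            return b"TOY-FPGA-0001"
        if opcode == READ_RAW:
            return self.config    # the backdoor path: raw cell access without the key
        return b""                # unimplemented opcodes answer nothing


def audit_readback(device: ToyFpga, opcode_space=range(256)) -> list:
    """Defender-side check of the claim "no read-back without the key".

    Each opcode is driven with no key material against a copy of the device
    (so a destructive instruction does not spoil the next probe), and every
    opcode whose reply contains the stored configuration is reported.
    """
    secret = device.config
    leaks = []
    for opcode in opcode_space:
        probe = copy.deepcopy(device)
        reply = probe.execute(opcode)
        if secret and secret in reply:
            leaks.append(opcode)
    return leaks


def demo() -> list:
    key = b"owner-master-key"                      # constructed sample key
    design = b"PROPRIETARY-BITSTREAM-0123456789"   # constructed sample IP
    fpga = ToyFpga(aes_key=key)
    fpga.execute(PROGRAM, encrypt(key, design))
    # The documented path behaves as advertised: verify reveals only one bit.
    assert fpga.execute(VERIFY, encrypt(key, design)) == b"\x01"
    assert fpga.execute(VERIFY, encrypt(b"wrong-guess-key!", design)) == b"\x00"
    leaks = audit_readback(fpga)
    # No documented instruction leaks the design; only the undocumented one does.
    assert all(op not in DOCUMENTED for op in leaks)
    return leaks


if __name__ == "__main__":
    print("opcodes returning the configuration without the key:",
          [hex(op) for op in demo()])
```

The point of the audit is the one the comment makes: the documented interface can be sound (verify answers only good/bad) while a single undocumented instruction voids the whole "no read-back" guarantee, which is why the property has to be checked against the full instruction space rather than against the datasheet.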

And?

In the USA there is a law requiring that access for the government be built into every piece of crap (chips, operating systems, other things). Without a backdoor you probably can't even sell a light bulb there.

So, good morning to you. :-)