Fabrication-time Attacks and the Manchurian Chip

Boffins released a paper describing how computer processors can be programmed to give elevated privileges to hackers and run fabrication-time attacks.

A team of researchers from the University of Michigan recently released a paper describing how computer processors can be programmed to give elevated privileges to hackers.  The paper titled, “A2: Analog Malicious Hardware,” describes how analog circuits can be compromised in the fabrication process, creating a vulnerability at the system component level that is both stealthy and extremely difficult to detect.

“While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party— often overseas—to fabricate their design. To guard against shipping chips with errors (intentional or otherwise) chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester.” states the paper. “In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip’s functionality).”

Using a readily available open source processor, the OR1200, the Ann Arbor based team designed a proof-of-concept that exploits the way computer processors are manufactured.  Digital processors are made up of hundreds of millions of “cells.”  The cells are arranged according to a manufacturer’s blueprint, or “mask,” and act as wires and resistors with on-or-off functions. These functions direct the flow of through the processor and tell the processor how to interact with operating – think of a circuit board in an electronic device shrunk down to fit in the palm of your hand.  What the University of Michigan team discovered was, these cells could be manipulated in such a way that the processor’s logical functions could be made to do illogical functions, allowing a hacker to take a control of the processor giving root access to the machine it resides in such as a computer, cell phone, or even industrial control system.

The attack works by adding a cell as a capacitor to the processor’s blueprint, a tiny electric charge can be stored each time a malicious program is run by a user or from a website.  The more and more the command is executed, the more energy the capacitor stores until it reaches a predetermined threshold. Once the threshold has been met, the capacitor discharges its energy, switching on a logical function deploying a malicious payload giving a hacker elevated privileges or root access to the device.  Though the attack is simple in nature, it does require access to the processor’s blueprint prior to fabrication; however, this may not be difficult in countries that have well-funded, state governed espionage programs.

These fabrication-time attacks are nothing new.  In 2013, Nektarios Georgios Tsoutsos and Michail Maniatakos, student members of the Institute of Electrical and Electronics Engineers (IEEE), released a paper outlining the feasibility of a similar attack outlined in the A2 paper but with enhanced controllability and greater potential for additional features.  In 2007, the Defense Advanced Research Projects Agency (DARPA) awarded US$25 million in contracts to six companies to discover Trojans and backdoors in foreign made computer chips and processors.  Dubbed the “Manchurian Chip,” the concern was Chinese manufacturers of these components were bypassing traditional controls.  The findings were quickly classified, sending shockwaves through the security community.

The prospect of fabrication-time exploitation underscores the increasing importance of managing and securing supply chains.  With an over-reliance on third-party vendors and an increasingly complex supply chain environment, the likelihood that a major system manufacture could suffer from a fabrication-time attack is growing significantly.  This is particularly disconcerting for technology destined for the management of critical infrastructures such as smart grid solutions and transportation systems.

In 2012, Sergei Skorobogatov, a post-doctoral student in the U.K., discovered a backdoor in the Actel/Microsemi ProASIC3 chip.  The ProASIC3 has industrial control applications and used in weapon systems, power plants, and public transportation systems.  According to Skorobogatov, the backdoor her found on the chip was “military grade” and inserted by the manufacturer.  The Chinese government has denied any involvement despite the chip being manufactured in China and Actel also denied putting the backdoor on the chip. The real culprit remains a mystery.

Proof-of-concepts such as the A2 paper are drawing both praise and criticism. There are increasing concerns that such research compromises the ability for industry to keep up with the change.  The counter argument put forth by the Ann Arbor team is that knowing these vulnerabilities do exist in the manufacturing process, a manufacturer is more likely to keep a close watch on their third-party vendors.

Written by: Rick Gamache

Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program.  Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.

LinkedIn – https://www.linkedin.com/in/rick-gamache-cissp-021ab43

Twitter – https://twitter.com/thecissp

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – fabrication-time attacks, backdoor)