Abstract | ||
---|---|---|
While the move to smaller transistors has been a boon for performance, it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party -- often overseas -- to fabricate their design. To guard against shipping chips with errors (intentional or otherwise), chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester. In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before affecting a chip's functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a controllable wire and by selecting a victim flip-flop that holds the privilege bit for our processor. We implement this attack in an OR1200 processor and fabricate a chip. Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses. |
Year | DOI | Venue |
---|---|---|
2016 | 10.1109/SP.2016.10 | 2016 IEEE Symposium on Security and Privacy (SP) |
Keywords | Field | DocType |
analog,attack,malicious hardware,security,Trojan | Capacitor,Analogue electronics,Computer security,Privilege escalation,Computer science,Chip,Integrated circuit design,Guard (information security),Trojan,Transistor,Computer hardware,Embedded system | Conference |
ISSN | ISBN | Citations |
1081-6011 | 978-1-5090-0825-4 | 31 |
PageRank | References | Authors |
1.56 | 25 | 5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Kuiyuan Yang | 1 | 148 | 20.89 |
Matthew Hicks | 2 | 176 | 8.77 |
Qing Dong | 3 | 95 | 12.29 |
Todd M. Austin | 4 | 38 | 4.71 |
Dennis Sylvester | 5 | 5295 | 535.53 |