Advertisement

Breakthrough Silicon Scanning Discovers Backdoor in Military Chip

  • Sergei Skorobogatov
  • Christopher Woods
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7428)

Abstract

This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips for accessing FPGA configuration. The backdoor was found amongst additional JTAG functionality and exists on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), our pioneered technique, we were able to extract the secret key to activate the backdoor, as well as other security keys such as the AES and the Passkey. This way an attacker can extract all the configuration data from the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property (IP) theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact they can be easily compromised or will have to be physically replaced after a redesign of the silicon itself.

Keywords

Hardware Assurance silicon scanning side-channel analysis silicon Trojans and backdoors PEA 

References

  1. 1.
    Tehranipoor, M., Koushanfar, F.: A survey of hardware Trojan taxonomy and detection. IEEE Design and Test of Computers (2010)Google Scholar
  2. 2.
    Military ProASIC3/EL FPGA Fabric User’s Guide. Microsemi (2011), http://www.actel.com/documents/Mil_PA3_EL_UG.pdf
  3. 3.
    Design Security in Nonvolatile Flash and Antifuse FPGAs, Security Backgrounder, http://www.actel.com/documents/DesignSecurity_WP.pdf
  4. 4.
    Actel ProASIC3/E Production FPGAs, Features and Advantages (2007), http://www.actel.com/documents/PA3_E_Tech_WP.pdf
  5. 5.
    The Free Dictionary. Backdoor, http://www.thefreedictionary.com/backdoor
  6. 6.
    Torrance, R., James, D.: The State-of-the-Art in IC Reverse Engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 363–381. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Jha, S., Jha, S.K.: Randomization Based Probabilistic Approach to Detect Trojan Circuits. In: Proc. 11th IEEE High Assurance System Engineering Symp., pp. 117–124 (2008)Google Scholar
  8. 8.
    Banga, M., Hsiao, M.: A Region based Approach for the Identification of Hardware Trojans. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST, pp. 40–47 (2008)Google Scholar
  9. 9.
    Wolff, F., Papachristou, C., Bhunia, S., Chakraborty, R.S.: Towards Trojan-free Trusted ICs: Problem Analysis and Detection Scheme. In: Design, Automation and Test in Europe, DATE 2008, March 10-14, pp. 1362–1365 (2008)Google Scholar
  10. 10.
    Wang, X., Tehranipoor, M., Plusquellic, J.: Detecting Malicious Inclusions in Secure Hareware: Challenges and Solutions. In: IEEE Int. Hardware-Oriented Security and Trust, HOST (2008)Google Scholar
  11. 11.
    Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan Detection using IC Fingerprinting. In: IEEE Symp. on Security and Privacy, SP, pp. 296–310 (2007)Google Scholar
  12. 12.
    Jin, Y., Makris, Y.: Hardware Trojan Detection using Path Delay Fingerprint. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST (2008)Google Scholar
  13. 13.
    Du, D., Narasimhan, S., Chakraborty, R.S., Bhunia, S.: Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 173–187. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Rad, R., Tehranipoor, M., Plusquellic, J.: A Sensitivity Analysis of Power Signal Methods for Detecting Hardware Trojans under Real Process and Environmental Conditions. IEEE. Trans. in VLSI 18, 1735–1744 (2009)CrossRefGoogle Scholar
  15. 15.
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Military ProASIC3/EL Low Power Flash FPGAs Datasheet. Microsemi (2012), http://www.actel.com/documents/Mil_PA3_EL_DS.pdf
  17. 17.
    Tehranipoor, M., Wang, C.: Introduction to Hardware Security and Trust. Springer (2011)Google Scholar
  18. 18.
    JTAG Boundary scan. IEEE Std 1149.1-2001Google Scholar
  19. 19.
    JTAG Programming specification. IEEE 1532-2002Google Scholar
  20. 20.
    Da Rolt, J., Di Natale, G., Flottes, M.-L., Rouzeyre, B.: New security threats against chips containing scan chain structures. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST, pp. 110–115 (2011)Google Scholar
  21. 21.
    Actel, ISP and STAPL, Application Note AC171, http://www.actel.com/documents/ISP_STAPL_AN.pdf
  22. 22.
    ProASIC3 Frequently Asked Questions, Actel Corporation, Mountain View, CA 94043-4655 USA, http://www.actel.com/documents/pa3_faq.html
  23. 23.
    Skorobogatov, S.: Flash Memory ‘Bumping” Attacks. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 158–172. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  24. 24.
    Skorobogatov, S., Woods, C.: In the blink of an eye: There goes your AES key. IACR Cryptology ePrint Archive, Report 2012/296 (2012), http://eprint.iacr.org/2012/296
  25. 25.
    Integrated Circuit Investigation Method and Apparatus. Patent number WO2012/046029 A1Google Scholar
  26. 26.
    Skorobogatov, S.: Synchronization method for SCA and fault attacks. Journal of Cryptographic Engineering (JCEN) 1(1), 71–77 (2011)CrossRefGoogle Scholar
  27. 27.
    Intrinsic ID, Quiddikey on ProASIC3 FPGAs, http://www.intrinsic-id.com/quiddikey_on_Actel_FPGA.html
  28. 28.
    Skorobogatov, S.: Data Remanence in Flash Memory Devices. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 339–353. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Sergei Skorobogatov
    • 1
  • Christopher Woods
    • 2
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK
  2. 2.Quo Vadis LabsLondonUK

Personalised recommendations