Skip to main content

Breakthrough Silicon Scanning Discovers Backdoor in Military Chip

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7428)

Abstract

This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips for accessing FPGA configuration. The backdoor was found amongst additional JTAG functionality and exists on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), our pioneered technique, we were able to extract the secret key to activate the backdoor, as well as other security keys such as the AES and the Passkey. This way an attacker can extract all the configuration data from the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property (IP) theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact they can be easily compromised or will have to be physically replaced after a redesign of the silicon itself.

Keywords

  • Hardware Assurance
  • silicon scanning
  • side-channel analysis
  • silicon Trojans and backdoors
  • PEA

References

  1. Tehranipoor, M., Koushanfar, F.: A survey of hardware Trojan taxonomy and detection. IEEE Design and Test of Computers (2010)

    Google Scholar 

  2. Military ProASIC3/EL FPGA Fabric User’s Guide. Microsemi (2011), http://www.actel.com/documents/Mil_PA3_EL_UG.pdf

  3. Design Security in Nonvolatile Flash and Antifuse FPGAs, Security Backgrounder, http://www.actel.com/documents/DesignSecurity_WP.pdf

  4. Actel ProASIC3/E Production FPGAs, Features and Advantages (2007), http://www.actel.com/documents/PA3_E_Tech_WP.pdf

  5. The Free Dictionary. Backdoor, http://www.thefreedictionary.com/backdoor

  6. Torrance, R., James, D.: The State-of-the-Art in IC Reverse Engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 363–381. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  7. Jha, S., Jha, S.K.: Randomization Based Probabilistic Approach to Detect Trojan Circuits. In: Proc. 11th IEEE High Assurance System Engineering Symp., pp. 117–124 (2008)

    Google Scholar 

  8. Banga, M., Hsiao, M.: A Region based Approach for the Identification of Hardware Trojans. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST, pp. 40–47 (2008)

    Google Scholar 

  9. Wolff, F., Papachristou, C., Bhunia, S., Chakraborty, R.S.: Towards Trojan-free Trusted ICs: Problem Analysis and Detection Scheme. In: Design, Automation and Test in Europe, DATE 2008, March 10-14, pp. 1362–1365 (2008)

    Google Scholar 

  10. Wang, X., Tehranipoor, M., Plusquellic, J.: Detecting Malicious Inclusions in Secure Hareware: Challenges and Solutions. In: IEEE Int. Hardware-Oriented Security and Trust, HOST (2008)

    Google Scholar 

  11. Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan Detection using IC Fingerprinting. In: IEEE Symp. on Security and Privacy, SP, pp. 296–310 (2007)

    Google Scholar 

  12. Jin, Y., Makris, Y.: Hardware Trojan Detection using Path Delay Fingerprint. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST (2008)

    Google Scholar 

  13. Du, D., Narasimhan, S., Chakraborty, R.S., Bhunia, S.: Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 173–187. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  14. Rad, R., Tehranipoor, M., Plusquellic, J.: A Sensitivity Analysis of Power Signal Methods for Detecting Hardware Trojans under Real Process and Environmental Conditions. IEEE. Trans. in VLSI 18, 1735–1744 (2009)

    CrossRef  Google Scholar 

  15. Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

    Google Scholar 

  16. Military ProASIC3/EL Low Power Flash FPGAs Datasheet. Microsemi (2012), http://www.actel.com/documents/Mil_PA3_EL_DS.pdf

  17. Tehranipoor, M., Wang, C.: Introduction to Hardware Security and Trust. Springer (2011)

    Google Scholar 

  18. JTAG Boundary scan. IEEE Std 1149.1-2001

    Google Scholar 

  19. JTAG Programming specification. IEEE 1532-2002

    Google Scholar 

  20. Da Rolt, J., Di Natale, G., Flottes, M.-L., Rouzeyre, B.: New security threats against chips containing scan chain structures. In: IEEE Int. Workshop on Hardware-Oriented Security and Trust, HOST, pp. 110–115 (2011)

    Google Scholar 

  21. Actel, ISP and STAPL, Application Note AC171, http://www.actel.com/documents/ISP_STAPL_AN.pdf

  22. ProASIC3 Frequently Asked Questions, Actel Corporation, Mountain View, CA 94043-4655 USA, http://www.actel.com/documents/pa3_faq.html

  23. Skorobogatov, S.: Flash Memory ‘Bumping” Attacks. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 158–172. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  24. Skorobogatov, S., Woods, C.: In the blink of an eye: There goes your AES key. IACR Cryptology ePrint Archive, Report 2012/296 (2012), http://eprint.iacr.org/2012/296

  25. Integrated Circuit Investigation Method and Apparatus. Patent number WO2012/046029 A1

    Google Scholar 

  26. Skorobogatov, S.: Synchronization method for SCA and fault attacks. Journal of Cryptographic Engineering (JCEN) 1(1), 71–77 (2011)

    CrossRef  Google Scholar 

  27. Intrinsic ID, Quiddikey on ProASIC3 FPGAs, http://www.intrinsic-id.com/quiddikey_on_Actel_FPGA.html

  28. Skorobogatov, S.: Data Remanence in Flash Memory Devices. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 339–353. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 International Association for Cryptologic Research

About this paper

Cite this paper

Skorobogatov, S., Woods, C. (2012). Breakthrough Silicon Scanning Discovers Backdoor in Military Chip. In: Prouff, E., Schaumont, P. (eds) Cryptographic Hardware and Embedded Systems – CHES 2012. CHES 2012. Lecture Notes in Computer Science, vol 7428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33027-8_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33027-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33026-1

  • Online ISBN: 978-3-642-33027-8

  • eBook Packages: Computer ScienceComputer Science (R0)