Designing and implementing malicious hardware

A group of researchers from the University of Illinois (USA), led by Samuel King, disclosed a new breed of stealthy attacks at the USENIX Workshop on Large-Scale Exploits and Emergent Threats. They implemented two stealth functions in a SPARC CPU. The first allows bypassing the privilege protection on memory accesses. The second, more complex, puts the processor into a shadow mode that can execute a tiny hidden program while remaining invisible to the surrounding hardware. The added complexity was less than 0.1% of the logic gates.

Obviously, these functions break all the security assumptions on which most (if not all) systems are built. It then becomes rather “easy” to write exploits. They demonstrated a privilege escalation (through the memory access bypass) and password theft by hooking the write function (through the shadow mode). Interestingly, these attacks operate beneath the system and the OS, so they sit deeper than rootkits and may be stealthier. If well designed, the modifications to the chip are extremely difficult to detect from the outside. The only effective method is reverse engineering, which is costly.

How dangerous is this attack?

  1. This is an extremely complex attack. It requires knowledge of IC design and CPU architecture. Not for script kiddies or even garage hackers.
  2. It requires access to the design of a chip. The researchers used a Field Programmable Gate Array (FPGA) with the open source Leon processor. Thus, the attack is feasible for an FPGA when the attacker has access to the initial design. If the IC is a full custom design, like normal CPUs, then it is more complex: the attacker needs access to a full custom design system, masking facilities and a silicon foundry.
  3. It requires physical access to the device to be attacked, to ensure that it will use a circumvented IC rather than a genuine one.
  4. Thus, clearly it is an attack that could only be mounted by organized and well funded teams such as government agencies or organized crime.

It is also interesting to note the use of an idea disclosed in a recent patent to bootstrap the shadow mode code. Searching for information and ideas everywhere is the true hacker mindset.
