Researchers over at University of Massachusetts have come up with a new way to hacking CPUs and placing Trojans, which cannot be detected through currently available detection mechanisms – even through close examinations under high powered microscopes.
Known as Dopant Trojan, the sub-transistor level hardware Trojan is introduced through application of different dopant polarity to gates within transistors. Doping is an essential process in semiconductor manufacturing which results into specific properties of a gate. Doping when applied at very specific regions can change the behavior of transistors in a predictable way and the technique can be equated to code obfuscation mechanisms used in commercial software.
Researchers noted that they were able to change the behavior of Intel’s random number generator (RGN) – specifically one of the variables used in random number generation process. Researchers noted that their technique can be used to assign a constant value to a variable such that the chances of attacking the RGN have a 1/2^n (n is the number of constant bits chosen by the designer) chance of succeeding as against 1/2^128 (128 because the chip generates 128-bit random numbers).
This means that higher the number of ‘n’ constant bits, the easier it is for the attack to succeed. However, if the constant values as pre-selected by the Trojan designer are not known, it would be impossible to know that the RNG has actually been compromised.
“Despite these changes, the modied Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers”, the researchers claim in their paper.
The researchers have also showcased how they managed to establish a side-channel Trojan that leaks out secret keys using the said mechanism.
A little history into hardware hacking specifically foundry based hacks would be beneficial to gauge the uniqueness and the importance of the doping Trojan mechanism discussed above. Foundry based hacking of chips to insert Trojans, backdoors and other forms of malware have been theoretically possible, but such hacking would inadvertently change CPU’s data output or stability or performance characteristics. However this can be achieved nonetheless. One way to know that the chip has been modified is to inspect the chip through direct visual inspection – a process that is time consuming but full proof nonetheless.
The dopant Trojan mechanism evades detection even through direct visual inspection as there is no need to add new transistors or gates or change the layout. “Detecting this new type of Trojans is a great challenge. They set a new lower bar on how much overhead can be expected from a hardware Trojan in practice (i.e. zero!)”, concludes the paper.