Research project: developing new technology for efficient side-channel analysis


See also: Latest news on my Hardware Security Research

Progress

17 September 2012
I presented our paper "Breakthrough silicon scanning discovers backdoor in military chip" (slides) at the Cryptographic Hardware and Embedded Systems Workshop (CHES-2012) on 10 September 2012 in Leuven, Belgium.

5 September 2012
We are presenting our paper "Breakthrough silicon scanning discovers backdoor in military chip" at the CHES workshop in Leuven on 10th September. An early draft was accidentally made public on 28th May and it caused a lot of rumour on the Internet and in various blogs claiming that we found that 'Chinese manufacturers putting backdoors in American chips'. This is not true, as anyone can see from the drafts of our papers, which we released to clear the issue without being accused of making false claims. We never said that the Chinese have put a backdoor inside Actel's chips, and it does not say so in our papers.
Recently we have reviewed our findings with Microsemi SoC (formerly Actel) and they have confirmed that this is the factory test interface to these devices. We have also shared information on how our new PEA technology works with some other chip manufacturers. Some have confirmed that our technique significantly increases the sensitivity of DPA and puts many security devices at much higher risk.
We have been contacted by several companies which use Actel ProASIC3 and other Flash FPGAs in critical applications. They are very concerned about the backdoor, which allows an attacker to gain full access to all IP blocks (ARRAY bitstream, FROM, NVM). Therefore, we have developed and successfully tested some protection techniques which can make the attack more difficult to perform. However, it is not possible to completely eliminate the backdoor vulnerability due to its silicon hardware nature. Only a new chip design can solve this problem. All that can be done at this stage for the existing products in the field is to increase the time and cost of the attack.
People are constantly searching for our technology and asking us for any details. The overall description of the PEA technique is given in our patent titled 'Integrated Circuit Investigation Method and Apparatus', patent number WO2012/046029 A1. It is published and free to search for. Developing anything with the technology for commercial gain requires a license or agreement with the IP owner, Quo Vadis Labs.

4 June 2012
Our paper "In the blink of an eye: There goes your AES key" was accepted to the IACR Cryptology ePrint Archive, Report 2012/296, 2012.

1 June 2012
We were told that Microsemi has finally issued their response to our findings and claims: "Microsemi Response: Security Claims With Respect to ProASIC3", May 31, 2012.
We wrote our response, which clarifies some issues they raised: "Researchers' response: Microsemi: Security claims with respect to ProASIC3", May 31, 2012.

31 May 2012
We have been contacted by several companies which use Actel ProASIC3 and other Flash FPGAs in critical applications. They are very concerned about the backdoor, which allows an attacker to gain full access to all IP blocks (ARRAY bitstream, FROM, NVM). Therefore, we have developed and successfully tested some protection techniques which can make the attack more difficult to perform. However, it is not possible to completely eliminate the backdoor vulnerability due to its silicon hardware nature. Only a new chip design can solve this problem. All that can be done at this stage for the existing products in the field is to increase the time and cost of the attack.
People are constantly searching for our technology and asking us for any details. The overall description of the PEA technique is given in our patent titled 'Integrated Circuit Investigation Method and Apparatus', patent number WO2012/046029 A1. It is published and free to search for. Developing anything with the technology for commercial gain requires a license or agreement with the IP owner, Quo Vadis Labs.

30 May 2012
It seems that the discussions about our papers are still going on in various Internet forums and blogs. Some people think that what we found is just a debug feature used during production. However, the dictionary gives the following definition: backdoor - an undocumented way to get access to a computer system or the data it contains. This is exactly what the Actel design house planted into ProASIC3, Igloo, Fusion and SmartFusion FPGAs.
No one knows for sure who designed and inserted the backdoor. However, our findings point to the fact that it is very likely that the design house was involved. At the time when the chips were developed (2002-2005) it was Actel. In 2010 Microsemi took it over, and we do not know if Microsemi was aware of any backdoors in Actel products. We found some traces of the backdoor's existence in the development software files by simply searching through the Libero directory for STAPL file names using the standard WinXP Search tool. When we analysed the structure of the JTAG security registers we spotted that there are some blank spaces in the registers, and bits not being used by the standard STAPL programming files. Later on, the backdoor findings filled these blank spaces.
Another concern is the difference between Military, Automotive, Industrial and Commercial grades. These differences are in the testing and approval procedures. All those chips share the same silicon die design but must pass different levels of testing requirements. Because military parts are not publicly sold, we cannot comment on our results for them, but for the published results we chose the A3P250 industrial-grade device because it behaves in a similar way to the military-grade parts.
We found that in many systems the JTAG interface is wired out and has a network connection for the purpose of firmware updates. Because these updates are done via an encrypted channel using an AES key, the developers were assured of their high security. This alone is not true, as one of our papers shows how the AES key can be extracted from such devices in almost no time and at low cost. Once an attacker can establish a connection to the JTAG interface, he could activate the backdoor, get the design IP out, reverse engineer it, then modify it and finally reprogram the chip. He does not even need the AES key for that, as the backdoor bypasses all encryption mechanisms.

29 May 2012
There was a lot of rumour on the Internet and in various blogs claiming that we found that 'Chinese manufacturers putting backdoors in American chips'. This is not true, as anyone can see from the drafts of our papers, which we had to release yesterday to clear the issue without being accused of making false claims. It is the US manufacturer Actel who inserted the backdoor at the gate level of the JTAG controller in ProASIC3, Igloo, Fusion and SmartFusion devices. Moreover, the traces of the backdoor can be found in the development software Libero through a simple Windows XP Search for particular bits in a standard STAPL file. With the backdoor key you can extract the IP (FROM, ARRAY/bitstream, NVM/NFMB) or even reprogram the factory backdoor key and make your own key.
We never said that the Chinese have put a backdoor inside Actel's chips, and it does not say so in our papers. It is as though people have put 2+2 together and made 4 or 5 or 6, depending on what their agenda is. We believe that other chips will have backdoors: since a US chip has them, and they let you do lots of things that give you a vast amount of control over the devices, is there any reason to suggest other manufacturers have not done the same? The US military have been looking at the issues of hardware assurance and part authenticity for a good number of years.
Also, since it is now possible to scan for backdoors in a way that was not possible before, people will start to take a look at this area, whether to use it to extract IP or for other purposes.

28 May 2012
Today we release the drafts of our full papers on QVL technology due to accidental publicity, because someone put a link to our very old drafts of abstracts on Reddit. Now people can judge for themselves rather than speculating on what we had written about.
In the blink of an eye: There goes your AES key
Breakthrough silicon scanning discovers backdoor in military chip

14 May 2012
New upcoming publications on QVL technology:
Our new paper "In the blink of an eye: There goes your AES key" will be published soon. It explains how the AES key from a highly secure FPGA can be extracted in less than a second with hardware worth 100 dollars.
Our new paper "Breakthrough silicon scanning discovers backdoor in military chip" will appear at CHES2012 in September. It will expose some serious security issues in devices which are supposed to be unbreakable.

10 December 2011:
The page on the latest news about Hardware Security was updated with answers to frequently asked questions (FAQ) about QVL technology.

11 November 2011:
The page on the latest news about Hardware Security was updated with our draft on Hardware Assurance and its importance. Some Hardware Assurance related links were added.

14 October 2011:
The page on the latest news was updated with some insight for the future publications on QVL technology. For more information please visit 'Hardware Security Research news'.

16 September 2011:
With the growing interest in QVL technology we decided not to waste our time and efforts on several demonstrations of crypto key extraction, but to concentrate on the most fascinating achievements. A briefing was given in August to a government department after the project sponsor and myself received an invitation to talk about the technology and our results. Shortly after this we were asked, for the time being, not to publish any data or results until the potential impact could be discussed within other government departments. We are therefore not going to publish the results of the technology until we have given enough time for these meetings to take place. What we can report about the project is that AES secret key extraction via side-channel attacks was made in 0.01 seconds from a chip with 'one of the highest levels of design security in the industry', marketed as 'highly secure' and 'virtually unbreakable'. The most amazing achievements, though, are in the area of hardware assurance and silicon scanning for trojans and backdoors. However, due to the importance and sensitivity of such work it is unlikely to be published before 2012. Results to follow as soon as we are able to publish.

5 August 2011:
Some fascinating results were achieved with QVL technology that employs a new design. It was prototyped and successfully tested on some secure chips. For more information please visit www.quovadislabs.com/projects.html. The results will be presented at a closed briefing in late August. The first public announcement of some results will likely be made in September.

19 April 2011:
The project sponsor and IP holder QVL has decided to release some information about this technology on their website (www.quovadislabs.com). In the meantime, I presented QVL technology at the 2nd ARO Special Workshop on Hardware Assurance (abstract, slides and video).

7 April 2011:
QVL, which sponsors the project and owns the intellectual property, has updated its website (www.quovadislabs.com). Now you can contact them directly with your questions. In the meantime I will keep posting updates on major events and achievements.

18 February 2011:
It turned out that the power and effectiveness of QVL technology was underestimated. It can potentially be used against many hardware cryptographic implementations, as well as against password schemes. More importantly, it can be effectively used for finding hardware trojans and backdoors, thus saving time and effort on analysis. The initially small and limited QVL project has now turned into a more fundamental and comprehensive tool. At the same time, fundamental research into possible ways of improving both side-channel attacks and QVL sensors has now been launched. Project collaborators are now seeking sponsors and supporters to make this a success.

21 January 2011:
Some further tests were carried out and a new sensor design is on the way from the collaborators. The technology was proven to be effective against various implementations of cryptographic algorithms in semiconductor chips. It was also found to be effective against hardware password protection schemes and secure hardware locking keys. A new evaluation board is being designed, with more tests scheduled for February-March.

24 December 2010:
The probes for my evaluation are in the final production stage; however, the festive season caused some delays, so no samples are expected for testing before mid January.

25 November 2010:
Some good news from industrial collaborators. They improved and extended the capabilities of the QVL probe, which made possible something unthinkable: a new Pandora tester which could extract the AES key from a secure chip in less than 0.01 second. Very likely I will be testing that new technology as well, if I get enough funding for developing an evaluation board and carrying out various tests.

26 October 2010:
A new design of the probes is under way from the industrial collaborator. At least 3 different probes will be provided for evaluation to select the best performing one. This should happen sometime in November. On my side, I will be writing the code for the control board and doing the actual evaluation. Then the report will be passed to the project coordinator, who will make any announcements and disclosures.

1 October 2010:
Some improved algorithms are being tested to match the demand for high-speed decision making. Only simulated so far, but looking good. The next revised version of the sensor is not ready yet, so real experiments are scheduled for late October. Of the 10 problems outlined so far only 7 will be addressed; however, this might be just enough to achieve 1-second analysis time, thus leaving some room for further improvements.

21 September 2010:
The third set of experiments was carried out and showed some good results. More experiments are scheduled for this week. A full report will be sent to the parties participating in the project; however, only a restricted report will be available to general research sponsors. An outline of achievements will be posted here at the end of September.

27 August 2010:
The first device for evaluation is still under consideration, and its name will not be disclosed until the 1-second target is achieved.
The next update will include the time achieved during initial sensor testing. This is currently scheduled for the end of September, but will depend on the time of the sensor's arrival.

Real world AES key extraction

Outline

Due to the strength of the AES algorithm, it is widely used in semiconductor chips for various protections.
Particular hardware implementations of the AES algorithm could be vulnerable to all sorts of attacks.
The question remains whether real world secure chips have adequate protection to prevent AES key extraction, and how long and expensive it is to attack them.
The research was undertaken to evaluate whether the AES key from a secure semiconductor device can be extracted under the following challenges:
  • it must be a secure chip with a hardware crypto-engine and secure key storage;
  • no possibility for fault attacks, due to the lack of access to the output of the crypto-engine;
  • no tamper evidence to be left, i.e. a non-invasive approach;
  • budget limited to $10,000, so that it poses a significant threat;
  • actual attack time is limited to 1 second on the real device; however, there is no time limit for lab evaluation of similar devices.

The 1-second requirement is reasonable, as it allows the attack to be performed in many ways without raising any suspicion. Is it realistic to address all these challenges? Yes, if we reinvent the way side-channel attacks are done. At least 10 problems must be solved to get an average of 1'000'000 times improvement. A solution to one of the problems is presented. What will be disclosed at this time:

  • the secure chip with AES crypto-engine is not named, but is believed to be highly secure and unbreakable;
  • a special sensor will be built by the industrial sponsor;
  • I will be the first in academia to evaluate the new technology;
  • there will be restrictions on project collaboration and dissemination.

The aim of the research project is to develop a new, more efficient evaluation technology for side-channel analysis and to demonstrate its effectiveness on real world devices. When to expect the first results?

  • the initial evaluation was quite promising;
  • a new set of experiments will be carried out as soon as the new special sensor arrives, preliminarily Sept-Oct this year;
  • expecting to break the 1-second barrier in Nov-Dec this year;
  • further improvements coming in 2011-2012.

The project is using the innovative QVL probe with patented technology, which allows a significant breakthrough in signal detection by picking up even tiny variations in data flow. This technology will become a very good and efficient analysis tool for chip manufacturers who are cautious about hardware security protection in their products, especially against side-channel attacks.

The project was announced to the public at the CHES2010 Rump session on 19 August 2010, Santa Barbara, USA: SLIDES

Please stay tuned for updates.



Sergei Skorobogatov <Sergei.Skorobogatov (at) cl.cam.ac.uk>
created 02-08-2010 -- last modified 17-09-2012 -- http://www.cl.cam.ac.uk/~sps32/