Latest news on my Hardware Security Research

Sergei Skorobogatov

sps32 (at) cam.ac.uk

Media coverage of our latest research findings

Latest news:

We wrote Researchers' response: Microsemi: Security claims with respect to ProASIC3 May 31, 2012 which clarifies some of the questions raised by media and by the long awaited Microsemi Response: Security Claims With Respect to ProASIC3 May 31, 2012

The story behind it:

We presented our paper "Breakthrough silicon scanning discovers backdoor in military chip" (slides) at Cryptographic Hardware and Embedded Systems Workshop (CHES-2012) in Leuven on 10th September. An early draft was accidently made public on 28th May and it caused a lot of rumour on the Internet and in various blogs claiming that we found that 'Chinese manufacturers putting backdoors in American chips'. This is not true as anyone can see from the drafts of our papers which we had released to clear the issue without being accused of making false claims. We never said that Chinese have put a backdoor inside Actel's chips and it does not say so in our papers.
Recently we have reviewed our findings with Microsemi SoC (formerly Actel) and they have confirmed that this is the factory test interface to these devices. We have also shared information on how our new PEA technology works with some other chip manufacturers. Some have confirmed that our technique significantly increases the sensitivity of DPA and put many security devices at much higher risk.
We have been contacted by several companies which use Actel ProASIC3 and other Flash FPGAs in critical applications. They are very concerned about the backdoor which allows an attacker to gain full access to all IP blocks (ARRAY bitstream, FROM, NVM). Therefore, we have developed and successfully tested some protection techniques which can make the attack more difficult to perform. However, it is not possible to completely eliminate the backdoor vulnerability due to its silicon hardware nature. Only new chip design can solve this problem. All that can be done at this stage to the existing products in the field is to increase the time and cost of the attack.
People are constantly searching for our technology and asking us for any details. The overall description of the PEA technique is given in our patent titled 'Integrated Circuit Investigation Method and Apparatus', patent number WO2012/046029 A1. It is published and free to search for. Developing anything with the technology for commercial gain requires a license or agreement with the IP owner Quo Vadis Labs.


Drafts released and upcoming publications on QVL technology

We released the drafts of our full papers on QVL technology due to accidental publicity, because someone put the link to our very old drafts of abstracts on Reddit. Now people can judge on their own rather than speculating on what we had wrote about.
Full version of our paper "In the blink of an eye: There goes your AES key" is now published in IACR Cryptology ePrint Archive, Report 2012/296, 2012. It explains how the AES key from highly secure FPGA can be extracted in less than a second with 100-dollar worth hardware.
Full version of our paper "Breakthrough silicon scanning discovers backdoor in military chip" will appear at CHES2012 workshop in September. It will expose some serious security issues in the devices which are supposed to be unbreakable. Here is the draft version of our paper: Breakthrough silicon scanning discovers backdoor in military chip (DRAFT)


FAQ: Frequently asked questions about QVL technology

With the growing interest to the QVL technology from industrial companies and government departments it will be beneficial to answer some frequently asked questions.
Can QVL technology break unbreakable chips?
Yes and No. It is based on side-channel attacks and therefore has some obvious limitations. However, in some cases it can improve the efficiency of DPA attacks by a factor of 1 million. For example, in order to extract the AES key from a secure FPGA one would need about 1 hour with a classic DPA setup that cost between 50k USD and 100k USD (descent oscilloscope, modern PC and special software). QVL setup will do the job in 0.01 seconds with the components cost below 100 USD. This is 100'000 times improvement in time and 1'000 times less in cost. However, attacking properly designed ASIC data protection solution might take over 1000 years with DPA, but just 1 day with QVL. In general, if by 'unbreakable' one assumes 'infeasible' because of time and/or cost then QVL can usually help.
Can QVL technology improve existing techniques like SPA, DPA, EMA, DEMA?
Yes, it can extend existing methods with the new technique called pipeline emission analysis (PEA) aimed at boosting the sensitivity of leakage signals sensing by 10dB to 40dB. That way the attack time can be substantially reduced thus threating security in devices like smartcards, secure memories, ASICs and FPGAs previously thought to be unbreakable.
What are the areas of possible applications for the QVL technology?
There are many areas of applications for QVL technology. The most important are: improving sensors sensitivity in automotive, aerospace, medical and military applications; testing semiconductor chips for side-channel emissions to eliminate DPA attacks against cryptographic applications and password protections; hardware assurance testing against trojans and backdoors; monitoring of device activities by following execution and algorithm flow in real time.
Who can benefit from the QVL technology?
Chip manufacturers who look for improving security protection and post-production testing. System developers who want independent analysis of the chips used in their devices to avoid side-channel leakages, trojans and backdoors. Security evaluation companies which are interested in improving their analysis techniques and expanding test methods.
How Quo Vadis Lab can help?
We can educate engineers in industrial companies and government agencies so that they can be aware of the technology, its limitations and possible applications. We can develop special test boards according to the requirements, specification, needs and application. We can provide technical support and consulting.
What is the greatest danger from the QVL technology?
Like DPA attacks it can be used to break crypto keys, passwords and algorithms, but it is far more efficient and very cheap, so everyone can afford it. If used by malicious people it can threat the security in many secure semiconductor chips including smartcards, secure memory, RFID and ASICs. Therefore, it would be beneficial to test existing secure products against the QVL and improve the security protection when necessary.
Are there any limitations for distribution of the QVL technology?
Yes, there are export control regulations and strict NDA for anyone who wants to know more about the technology. It is not available to private individuals and any requests are subject to checks and approvals.
Is there a dedicated website for the technology?
Yes: www.quovadislabs.com


Hardware Assurance and its importance to National Security


(this was a letter sent to interested government parties last year to raise the concern about hardware assurance and serves as a warning for anyone interested in silicon level vulnerabilities)

Current issues. UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment. The Stuxnet worm is the most famous and best case example of a cyber attack on a network which wreaked devastation having easily compromised conventional software defensive systems. There have been many cases of computer hardware having backdoors, Trojans or other programs to allow an attacker to gain access or transmit confidential data to a third party. Considerable focus and expense has been invested in software computer networks and system defences to detect and eradicate such threats.
However, similar technology with antivirus or anti Trojan capability for hardware (silicon chips) is not available. The computer or network hardware underpins and runs all the software defence systems. If the hardware has a vulnerability then all the energy in defending at the software level is redundant. An effort must be made to defend and detect at the hardware level for a more comprehensive strategy.
Our findings. Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
Key features of our technology:
  • scans silicon/hardware for backdoors, Trojans and unexpected behaviour
  • low cost
  • very fast result turnaround time
  • high portability
  • adaptable - scale up to include many types of chip
Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.
Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat.
Conclusions. It is clear that cyber attacks will increasingly be of this nature, having most impact; it is imperative that this issue is addressed as a matter of urgency. We would suggest making hardware assurance (HWA) & hardware defence (HWD), the testing of silicon chips for backdoors and Trojans, and their defence, a greater priority within the National Cyber Strategy. Until now it was not possible to perform such analysis in a timely or cost effective manner. Our technology provides a solution. A variation in this technology could be used as a backstop defence on a computer or network system where it can monitor instructions and possible reprogramming or activation of a buried spy system in a real time environment, thereby preventing Stuxnet type attacks.
Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.

Hardware Assurance related links

Can Darpa Fix the Cybersecurity 'Problem From Hell?'
Ensuring Hardware Cybersecurity
'Overlooked' hardware security needs closer scrutiny
The Navy Bought Fake Chinese Microchips That Could Have Disarmed U.S. Missiles
Ensuring Hardware Cybersecurity
Defense Industrial Base Assessment: Counterfeit Electronics
Cyberspace policy review
High Performance Microchip Supply
DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools
UK critical systems cyber warning
Spies, military looking for hacker-, backdoor-proof circuits
U.S. Senate Panel Targets Counterfeit Electronic Parts
Background Memo: Senate Armed Services Committee Hearing on Counterfeit Electronic Parts in the DOD Supply Chain
TROJAN CHIPS COULD CRIPPLE US ATTACK ON IRAN
The Hunt for the Kill Switch
SEMICONDUCTOR TECHNOLOGY AND U.S. NATIONAL SECURITY
Foreign chips causing concern for the military
Shadow Supply Chain Demands System-Level Verification
Old Trick Threatens the Newest Weapons
Stuxnet


In the blink of an eye: There goes your AES key (DRAFT)

Abstract. This paper is a short summary of a real world AES key extraction performed on a military grade FPGA marketed as 'virtually unbreakable' and 'highly secure'. We demonstrated that it is possible to extract the AES key from the Actel/Microsemi ProASIC3 chip in a time of 0.01 seconds using a new side-channel analysis technique called Pipeline Emission Analysis (PEA). This new technique does not introduce a new form of side-channel attacks (SCA), it introduces a substantially improved method of waveform analysis over conventional attack technology. It could be used to improve upon the speed at which all SCA can be performed, on any device and especially against devices previously thought to be unfeasible to break because of the time and equipment cost. Possessing the AES key for the ProASIC3 would allow an attacker to decrypt the bitstream or authenticate himself as a legitimate user and extract the bitstream from the device where no read back facility exists. This means the device is wide open to intellectual property theft, fraud and reverse engineering of the design to allow the introduction of a backdoor or Trojan. We show that with a very low cost hardware setup made with parts obtained from a local electronics distributor you can improve upon existing SCA up to a factor of x1,000,000 in time and at a fraction of the cost of existing SCA equipment.


Breakthrough silicon scanning discovers backdoor in military chip (DRAFT)

Abstract. This paper is a short summary of the first real world detection of a backdoor in a military grade FPGA. Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips. The backdoor was found to exist on the silicon itself, it was not present in any firmware loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique pioneered by our sponsor, we were able to extract the secret key to activate the backdoor. This way an attacker can disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. Clearly this means the device is wide open to intellectual property theft, fraud, re-programming as well as reverse engineering of the design which allows the introduction of a new backdoor or Trojan. Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact it can be easily compromised or it will have to be physically replaced after a redesign of the silicon itself.


Hardware Health Monitoring using side-channel information

Using new technology for health monitoring of hardware systems used in automotive, aerospace and industrial applications.


Developing new technology for effective side-channel analysis

Using new methods of side-channel analysis for finding cryptographic keys leakage, as well as backdoors and trojans in secure chips.


Physical Attacks and Tamper Resistance

Many semiconductor chips used in a wide range of applications require protection against physical attacks or tamper resistance. These attacks assume that a direct access to the chip is possible with either establishing electrical connections to signal wires or at least doing some measurements. The importance of protection against physical attacks is dictated by the amount of valuable and sensitive information stored on the chip. This could be secret data or company secrets and intellectual property (IP), electronic money for service access, or banking smartcards. The security in chips serves to deter prospective attackers from performing unauthorized access and benefiting from it.

'Physical Attacks and Tamper Resistance' is available as Chapter 7 in the book 'Introduction to Hardware Security and Trust'


Hardware security evaluation

The article Copy Protection in Modern Microcontrollers was left in its original state as it was back in 2001. Since then more than 10 years have passed. During that time I tested various microcontrollers, smartcards, secure memory chips and FPGAs. Most of them were found vulnerable to all sorts of the attacks listed in the above PhD thesis. Those chips were from the following manufacturers: Motorola, Microchip, Atmel, Hitachi, NEC, Xilinx, Lattice, Actel, Cypress, Zilog, Dallas, Mitsubishi, Freescale, Renesas, Altera, Texas Instruments, Intel, Scenix, Fujitsu, STMicroelectronics, Winbond, Holtek, Philips, Temic, Cygnal, Toshiba, Samsung, Ubicom, Siemens, Macronix, Elan, National Semiconductor, NXP.

The list of chips vulnerable to low-cost attacks is very long, here are just some of them: 68HC05xx, 68HC705xx, 68HC08xx, 68HC908xx, 68HC11xx, PIC12Cxx, PIC12Fxx, PIC16Cxx, PIC16Fxx, PIC17Cxx, PIC18Cxx, PIC18Fxx, PIC24HJxx, dsPIC30Fxx, dsPIC33FJxx, AT89Cxx, AT89Sxx, AT90Sxx, ATtinyxx, ATmegaxx, H8/3xx, D78xx, D78Fxx, XC95xx, XCR3xx, XC2Cxx, A500Kxx, A3Pxx, CY7C6xx, Z867xx, Z86Exx, DS2432, M306xx, EPM3xx, EPM7xx, EPM9xx, MSP430Fxx, N87Cxx, SXxx, ST62Txx, ST72Fxx, W921Exx, HT48Rxx, P87LPCxx, T89Cxx, SAB-Cxx, MX10xx, EL78Pxx, LPC3xx

Keywords: hardware security, analysis, evaluation, computer testing, microcontroller, smartcard, embedded systems, tamper resistance, smartcard systems, breaking copy protection, IP, data extraction, AES key, DES, TDES, RSA, SHA-1, electronic engineering, invasive, non-invasive, semi-invasive attacks, optical probing, side-channel, EMA, power analysis, cryptography, encryption, crypto, digital electronics, controllers, MCU, CPLD, FPGA, ASIC, IC, fuse, antifuse, flash, EPROM, EEPROM, lock bits, attacking, cracking, hacking, crack, hack, unlock, unprotect, break, reverse engineer, recover, recovery, PIC, AVR, MSP430, H8, ST62, Z86, HC908, PIC16, PIC18, PIC24, dsPIC30, dsPIC33, DS2432, AT89, AT90, ATMEGA, ATtiny, PA3, A3P, ProASIC, ProASIC3, Igloo, Fusion, SmartFusion, passkey, flashlock, iButton

Sergei Skorobogatov <sps32 (at) cam.ac.uk> <Sergei.Skorobogatov (at) hushmail.com>
created 14-10-2011 -- last modified 07-02-2013 -- http://www.cl.cam.ac.uk/~sps32/