
Introduction

This is a spin-off from my question on security.se. To give more context:

If I have a threat model where

  • the adversary

    • wants to corrupt computation or steal information
    • does not want to be noticed at all (or at least until I made sensitive computation)
    • knows the software I use
    • does lie about and modify higher hardware such as CPUs before handing it out
    • can not access the hardware directly later
  • I

    • want to compute correctly and secretly (or at least prevent theft of sensitive information)
    • want to exchange information with the outside
    • have access to mathematically verified software (and additionally have access to clean hardware for Bootstrapping only)
    • can check lower hardware such as wires for manipulation and can repair or rewire
    • can not check higher hardware for manipulation

In brackets (...) are some weakened circumstances.

Manipulation of hardware by malicious manufacturers is a problematic attack vector in the chain of trust. My idea is to use simple verifiable parts to control the smart complex parts (e.g. compare output of confused CPUs). You can read it if you are interested. It is my main question. It links to the spin-offs and is updated.

Question

Before the edit of the question I thought that it is simple to make a corrupt IC act intelligently (e.g. a corrupt XOR gate could output 0 at certain times. That says the input is the same. This could be triggered after it sees a certain pattern.) But user The Photon explains that you would need on the order 10x as many gates as you need for just the XOR and that would be visible in the midst of 2 or 3 gates. But there seem to be different opinions by other users. It would be useful if I could use IC for a design.

After many edits the question is now specific: It asks about designs that can be used to make it difficult to subvert IC (or transistors or diodes) for a malicious manufacturer undetected. State of the art methods would be good information.

Please consider answering for the method: In what ways could the malicious manufacturer hide a modification? How can you detect that?

  • An XOR gate only has two inputs and one output. If some "adversary" were to hide something inside there, how do you think they'd get their data out to be used? And if you won't use ICs, transistors, or diodes, what are you planning to make this thing out of? Relays? – The Photon Dec 08 '16 at 00:09
  • @ThePhoton - Hey, there is no need to downvote the question. Corruption of hardware is an interesting threat model. That is what I think. It could help more if you explained. Why can you not make computations without semiconductors. Or how you can verify that the semiconductor is clean. I will explain in the question how to make use of a two input and one output structure. – Gabriel Schulz Dec 08 '16 at 00:25
  • I'm voting to close this question as off-topic because it sets off the spam alarm... – ThreePhaseEel Dec 08 '16 at 00:45
  • 1
    @ThreePhaseEel - I am sorry if I offended you. First I can **prove** that I am **not a spammer**. Click on the link to my question on https://security.stackexchange.com/questions/144442/if-smart-hardware-is-evil-can-i-still-securely-run-software. It was well received there. Secondly I am genuinely interested in this. I want to improve the answer so it is on-topic. For example I do not know what "set off the spam alarm". And I saw my question as "a specific electronics design problem" (on-topic). Please help a new user to be useful to the community. – Gabriel Schulz Dec 08 '16 at 01:53
  • The kind of chips that do simple tasks (like XOR) at high speeds aren't made on the same process that are used in microprocessors that fits 100s of millions of transistors on a chip. They use relatively large, power-hungry transistors. To do what you suggest, you'd need on the order 10x as many gates as you need for just the XOR. You can decap one and tell there isn't 10x as much logic there as you expected. – The Photon Dec 08 '16 at 02:15
  • @ThePhoton - You say that I can verify that the XOR, transistor or diode is dumb? If I open them I can see that they can not remember (e.g 4 bits of) information? That is useful. I thought you could hide some transistors. They are small. – Gabriel Schulz Dec 08 '16 at 02:42
  • 1
    The transistors aren't particularly easy to see. But the metal connecting them is pretty obvious, when it's on the scale of this kind of part. – The Photon Dec 08 '16 at 02:48
  • 2
    It's a lot easier to hide 100 gates amidst 100,000,000 gates, than it is to hide 100 gates in the midst of 2 or 3 gates. – The Photon Dec 08 '16 at 02:55
  • @ThePhoton - This is the information that I search. I could edit my question. "Why are ICs difficult to subvert for a malicious manufacturer?" And I would rewrite my text. You could explain the details (e.g. why is it difficult to make a connection that is difficult to see?) – Gabriel Schulz Dec 08 '16 at 03:07
  • @ThePhoton – I edited my question. I hope it is “on-topic” now. Is there something more that I should consider? – Gabriel Schulz Dec 09 '16 at 22:01
  • 1
    I think this is a reasonable question and will have a go at an answer tomorrow. – pjc50 Dec 09 '16 at 22:35
  • I am having a difficult time to see how this question is relevant for anything. There is no context, it is too broad and undefined, this isn't a place for discussion. It is a Q&A site. A good question won't need clarification in the comments, is not broad, and is answerable. – Voltage Spike Dec 09 '16 at 22:35
  • If you want to not write bad questions, here are the guidelines: http://electronics.stackexchange.com/help/how-to-ask http://electronics.stackexchange.com/help/on-topic http://electronics.stackexchange.com/help/dont-ask If you want to know how those guidelines are interpreted, then check the meta. – Voltage Spike Dec 09 '16 at 22:39
  • 1
    The question may now be on topic, but it is still "too broad". To answer all the questions presented here would require a few hundred page textbook. – The Photon Dec 09 '16 at 23:15
  • "What ways could a malicious manufacturer hide a modification?" asks for a list. And there's no way to answer completely. It's up to the cleverness of the adversary. If it were possible to answer this question, then malicious manufacturers would be out of a job. – The Photon Dec 09 '16 at 23:17
  • "What abilities are impossible to hide and why?" Again --- it depends on the cleverness of the adversary. There's no way you get a complete answer to this question by asking a finite number of people. – The Photon Dec 09 '16 at 23:18
  • BTW -- the spam alarm your original question set off was the Stack's, not the one in my head – ThreePhaseEel Dec 10 '16 at 05:15
  • 1
    Subvert discrete semiconductors (transistors, diodes)? Quite easy. It is done all the time. There is a growing problem with counterfeit semiconductors coming out of that certain part of the planet. And counterfeit integrated circuits as well. This is just in commercial trade and not in mil-spec parts. Although counterfeit military-spec parts have shown up in the supply chain as well. So yes, this is a real and growing problem. But so far it seems to be only at the distributor and seller level, not intentionally included in targeted gear going into sensitive applications. (maybe??) – Richard Crowley Dec 10 '16 at 06:05
  • 3
    The people trying to close this are ignorant and do not design ics as a job, yet fancy themselves as ic designers. Yes this is a big problem, especially with ics designed overseas. It is called designed for trust, or DFT. Typically ring oscillators or heat transducers are used to verify that no malicious hardware has been squeezed into your filler space (since doing so will necessarily either increase power or increase nodal capacitance). – jbord39 Dec 10 '16 at 07:27
  • 1
    @laptop2d – I read the help center before I started writing any questions. :) I copied some parts of my question from Security to give more context. Also for user ThePhoton I changed some paragraphs. It makes clearer that I do not look for a complete list of all possible exploits. There logically is no such list. https://electronics.stackexchange.com/help/dont-ask does not deny “constructive subjective questions”. I think my question passes the six requirements there. – Gabriel Schulz Dec 10 '16 at 08:53
  • The question is still "too broad" there is no application – Voltage Spike Dec 11 '16 at 03:45
  • @GabrielSchulz the links were for general reading if you found them interesting – Voltage Spike Dec 11 '16 at 03:46
  • @laptop2d , John D, The Photon, ThreePhaseEel, Dwayne Reid D - Ok, I edited the question. I hope it can pass the strict requirements of the closing voters now. But you are giving me a hard time, you know? I am sorry, but I feel like putting in a lot of effort. It is not honored. I will not be able to make the question any more specific or on-topic without robbing it of any sense. And you could not either. There are worse questions than mine. Thank you for your consideration. – Gabriel Schulz Dec 12 '16 at 01:34
  • @jbord39 - The question is closed. But that sounds interesting. Could you explain more on my [original question](https://security.stackexchange.com/questions/144442/if-smart-hardware-is-evil-can-i-still-securely-run-software) on Security.SE? – Gabriel Schulz Dec 13 '16 at 05:29
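
An added example, not part of the original question or any comment: a Python model of why functional (black-box) testing alone cannot clear a gate that reacts to an input pattern, which is why the comments above turn to physical inspection and side-channel checks. The class names, the trigger sequence, and the assumption that a power cycle resets the gate's internal state are all constructed for illustration.

```python
from itertools import product

INPUTS = [(0, 0), (0, 1), (1, 0), (1, 1)]

class CleanXor:
    """Stateless reference: output depends only on the current inputs."""
    def step(self, a, b):
        return a ^ b

class TriggeredXor:
    """Constructed model of the gate in the question: it forces 0 when a
    secret input sequence completes, otherwise behaves as XOR."""
    def __init__(self, trigger):
        self.trigger = list(trigger)
        self.history = []  # this memory is the extra logic a decap would show

    def step(self, a, b):
        self.history = (self.history + [(a, b)])[-len(self.trigger):]
        return 0 if self.history == self.trigger else a ^ b

def find_deviation(make_gate, depth):
    """Apply every input sequence of length `depth` to a freshly reset gate.
    Returns (first sequence producing a wrong output or None, sequences tried).
    Assumption: make_gate() models a power cycle that clears hidden state."""
    tried = 0
    for seq in product(INPUTS, repeat=depth):
        gate = make_gate()
        tried += 1
        for a, b in seq:
            if gate.step(a, b) != a ^ b:
                return seq, tried
    return None, tried

# Constructed trigger; the last step is (1, 0) so the forced 0 is a visible error.
SECRET = [(1, 1), (0, 0), (1, 0)]

if __name__ == "__main__":
    for depth in (1, 2, 3):
        hit, tried = find_deviation(lambda: TriggeredXor(SECRET), depth)
        print(f"depth={depth} space={4 ** depth} tried={tried} deviation={hit}")
    print("clean gate:", find_deviation(CleanXor, 3))
```

The test space is 4^depth sequences, so a trigger only a few dozen steps long is already out of reach for exhaustive testing, while the state it needs is what makes the part physically larger than a plain XOR.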
