The new, nearly invisible spy can be located right in your computer chip

If it appears on your computer chip, every current protection becomes meaningless, and you won't even be able to detect it.

Software vulnerabilities can be very hard to detect, and a backdoor deliberately planted by spies or saboteurs is often even harder to find. Now imagine that the backdoor is placed not in an application or in the operating system, but deeper still: in the processor hardware itself that runs the computer.

Imagine that this silicon backdoor is completely invisible not only to the computer's software, but even to the chip's designers, who have no idea it was added by the chip maker, as could happen in some factories in China. It is just a single component among hundreds of millions or billions of others, each of them only about one-thousandth the width of a human hair.

Picture 1: Software vulnerabilities can be very difficult to detect.

In fact, researchers at the University of Michigan not only imagined this computer security nightmare, they also built it and demonstrated its effectiveness. In a study that won the "best paper" award at the IEEE Symposium on Security and Privacy last weekend, they demonstrated the idea by describing in detail how to create an extremely small hardware backdoor.

And they showed that, by running a series of seemingly harmless instructions on a processor fitted with that backdoor, an attacker could activate a feature of the chip that gives them full access to the operating system. Most worrying, this kind of tiny hardware backdoor cannot be caught by any modern hardware security analysis method, and it can be planted by a single employee at the chip factory.

"Finding this backdoor with current technology is a very, very challenging thing, if not impossible," said Todd Austin, one of the University of Michigan computer science professors who led the study. "It's a needle in a haystack." Or, as Google engineer Yonatan Zunger said after reading the paper: "This is the smartest and most unobtrusive way of attacking computer security I've ever known."

Picture 2: Finding this backdoor with current technology is very, very challenging, if not impossible.

Analog attack

What makes the Michigan researchers' backdoor "smart and unobtrusive" is not just its size, or the fact that it hides in hardware instead of software. Its frightening aspect is that it violates the security industry's most basic assumptions about a chip's digital functions and how they can be subverted.

Rather than a slight change to the chip's "digital" properties (a tweak to the logic of the chip's computing functions), the researchers describe their backdoor as an "analog" device: a physical hack that exploits the way electric current flows through a chip's transistors in order to trigger an unintended result. Hence the backdoor's name: A2, short for both Ann Arbor (the city where the University of Michigan is located) and Analog Attack.

Below is a description of how the analog attack works.

After the chip is completely designed and ready for fabrication, a saboteur adds a single component to the chip's mask, the detailed blueprint of the chip's layout. That single unit, or "cell" (a modern chip contains hundreds of millions or billions of them), is built in the same way as the basic building blocks of the rest of the chip: wires and transistors acting as on/off switches that control the chip's logic functions. But this cell is secretly designed to act as a capacitor, a device that temporarily stores electric charge.

Picture 3: After the chip is designed and ready for fabrication, a saboteur adds a single component to the chip's mask.

Every time a malicious program (or malicious code on a web page) runs an obscure instruction, the capacitor cell "siphons" a small amount of charge from the cell's wires and stores it, without affecting the chip's other functions. With each repetition of that instruction, the capacitor accumulates a little more charge.

Only after the "trigger" instruction has been sent thousands of times does the capacitor hold enough charge to flip a logic function on the processor, giving the malicious program full access to the operating system that it is not supposed to have. "The attacker will have to do some rare, strange, high-frequency event for a while," Austin said. "And finally the system will switch to the state the attacker wants, so that they can do whatever they want."

This capacitor-based trigger design means that it is almost impossible for someone checking the chip's security to discover the backdoor by accident, because opening it requires a long and otherwise meaningless sequence of instructions. And over time the capacitor leaks its charge, closing the backdoor again and making the hole even harder to detect.
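The charge-and-leak behaviour described above, and the monitoring defence the researchers propose later in the article, as a toy simulation. This is an added illustration, not the paper's code or the OR1200 design; the trigger instruction name, charge, leak and threshold values are all invented for the model.

```python
from dataclasses import dataclass

TRIGGER = "trig"   # constructed name for the rare, otherwise harmless instruction


@dataclass
class AnalogTrigger:
    """Charge-accumulating cell: fills a little on each trigger execution,
    leaks on every other cycle, and drives a privilege wire once a threshold
    is reached. All constants are assumed for the toy model."""
    charge_per_hit: float = 1.0
    leak_per_cycle: float = 0.002
    threshold: float = 1000.0
    charge: float = 0.0

    def step(self, instr: str) -> bool:
        if instr == TRIGGER:
            self.charge = min(self.charge + self.charge_per_hit, self.threshold)
        else:
            self.charge = max(self.charge - self.leak_per_cycle, 0.0)
        return self.charge >= self.threshold


def run_trace(trace, os_granted_priv=False):
    """Run a constructed instruction trace against the toy cell.
    Returns (hardware_priv_bit, monitor_alert). The monitor models the
    trusted component the article describes: it compares the hardware
    privilege state with what the operating system actually granted."""
    cell = AnalogTrigger()
    hw_priv = False
    alert = False
    for instr in trace:
        if cell.step(instr):
            hw_priv = True          # backdoor opened: privilege wire forced on
        if hw_priv and not os_granted_priv:
            alert = True            # privilege with no OS record: flag it
    return hw_priv, alert


def burst(n):
    """Trigger executed n times back to back (the attacker's pattern)."""
    return [TRIGGER] * n


def sparse(n, gap):
    """Trigger once every `gap` cycles, n times: the leak wins, so a normal
    program or random functional test that happens to use the instruction
    never charges the cell enough to open the backdoor."""
    return ([TRIGGER] + ["nop"] * (gap - 1)) * n
```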

Picture 4: This capacitor-based trigger design means that it is almost impossible for someone checking the chip's security to discover it by accident.

New attack rules

Processor-level backdoors have been proposed before. But by building a backdoor that exploits unintended physical properties of chip components (their ability to accidentally store and leak small amounts of charge) rather than their intended logic functions, the researchers say their backdoor can be about a thousandth the size of previous attempts.

And it is harder to detect with current techniques such as imaging the chip or measuring its power consumption to spot anomalies. "We take advantage of rules 'outside the Matrix' to perform a trick that would normally be expensive and obvious when done the usual way," said Matthew Hicks, another University of Michigan researcher. "By following that other set of rules, we make a much more invisible attack."

The Michigan researchers went as far as putting their A2 backdoor into a simple open source processor, the OR1200, to test their attack. Because the backdoor's mechanism depends on the physical characteristics of the chip's wiring, they even tried to "activate" it under different conditions, heating and cooling the chip across a range of -25 to 100 degrees Celsius, and found that it still worked in every case.

Picture 5: Measures that the researchers tested to detect the backdoor.

Although their invention is dangerous to the future of computer security, the University of Michigan researchers say their goal is to prevent such undetectable hardware backdoors, not to use them. In fact, they say, governments around the world have probably already thought of analog attack methods similar to theirs.

"By publishing this paper, we can say that it is a real, imminent threat," Hicks said. "Now we need to find a way to defend against this problem."

But since the current protection measures used against processor-level backdoors do not detect the A2 attack, they argue that a new approach is essential. In particular, they argue that modern chips need a trusted component that continuously checks for programs running with operating-system privileges they were never granted.

To guarantee the security of that component, it may be necessary to build it in a secure facility or to ensure that its design is not modified before fabrication. That would be easier than guaranteeing the same level of trust for the entire chip.

They also acknowledge that implementing these fixes will take time and money. But without them, the evidence they present shows that a computer's security could be deeply and almost undetectably compromised before it is ever sold.

"I want this paper to start a dialogue between designers and manufacturers about how we establish trust in hardware production," Austin said. "We need to establish trust in our manufacturing, or something very bad is going to happen."