SlideShare a Scribd company logo

Designing and implementing malicious processors

N
NebyueAwoke

This document outlines the design and implementation of malicious processors (IMPs) capable of enabling software-based attacks. It discusses two general hardware mechanisms - a memory access mechanism and a shadow mode mechanism. The memory access mechanism allows unprivileged software to access privileged memory regions, enabling attacks like privilege escalation. The shadow mode mechanism allows executing malicious code in a hidden mode. The document evaluates the circuit-level impacts and performance overhead of implementing these mechanisms on a Leon3 processor and discusses potential defending strategies and their limitations.

Education
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Designing and implementing malicious processors Sam King, Joe Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, Yuanyuan Zhou Presented by: Nebiyu Awoke
Outlines 2 o Introduction o System Design o Hardware Design o Implementation o Evaluation o Defending Strategy o Conclusions o Discussion
3 Introduction https://i1.wp.com/semiengineering.com/wp content/uploads/Synopsys_silicon-lifecycle-fig1.jpg?ssl=1  Commercial-off-the-shelf (COTS)  Insecure IC supply chain - design, manufacturing and testing a diverse set of countries  Why Hardware attack? - lower level of control
4 Cont.. IBM “trojan circuit” - To steal encryption keys - 406 additional gates Limitations - Operates on hardware-level abstractions directly. - Ignore higher-level abstractions and system-level aspects - Defensive strategy, - Ignored existing counter-strategies an attacker may employ - Hard-coded attack; - The malicious circuit is useful for only this one specific purpose.
5 Cont .. What’s new?  Design and implementation of general purpose hardware to support software based attacks.
6 System Design  Circuit design space: - Memory access mechanism - Shadow mode mechanism  Potential attacks: - Privilege escalation attack - Login backdoor - Stealing passwords
7 Cont..  Memory access mechanism: bypass MMU - Privilege escalation attack - Gives a root without checking credentials or creating log entries  Shadow mode mechanism: - Login backdoor - Lets an attacker log in as root without supplying a password, - Stealing passwords
8 Hardware Design  Tradeoff and assumptions - Timing perturbations: - The performance impact of the modification - Visibility of the attack: - Weather or not sign of the attack appears on the data or address bus - Flexibility: - Can it support various software payloads?
9 Memory Access Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573 provides hardware support for unprivileged malicious software by allowing access to privileged memory regions..
10 Cont.. Visibility: visible Flexibility: flexible Timing Perturbations: have no effect Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
11 Shadow Mode  Have full processor privileges and are invisible to software.  Reserve instruction cache lines and data cache lines for the attack - hide attack from hardware outside of IMP  Two bootstrap mechanisms - a small section of bootstrap code that initializes the attack or - a predefined trigger, which initiates malicious FW  The exact mechanism used to bootstrap attacks depends on the goals of the attacker and the IMP architect.  Debugging hardware: support transitions into shadow mode
12 Cont.. Hardware differences when shadow mode is active Visibility: not visible as long as accessing main memory Flexibility: flexible Timing Perturbations: will have a performance effect
13 Malicious Services  Privilege escalation - Turn off protection to privileged memory regions. - Escalates the privileges of a user process to root privilege level Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
14 Cont..  Login backdoor  Stealing passwords - Interposes on the write library call, searching for the string “Password:” - On the following read call it interposes to record potential passwords. - Leak passwords - Uses system calls to access the network interface. - Overwrite existing network frames with our own packets.
15 Implementation  Development board: FPGA  Processor: Leon3 implements SPARC v8 IS  Modify the design at the VHDL level  OS: Linux  Memory access mechanism modify the data cache and the MMU  Shadow mode mechanism modify instruction and data caches  Run at 40 MHz, which is the recommended clock speed
16 Evaluation  Circuit-level perturbations The circuit-level impact of IMPs compared to a baseline (unmodified) Leon3 processor. 0.05% and 0.08% increase in logic add 68 lines of code for MAM & 117 lines of code for SM  Timing perturbation - CPU bound SPEC benchmarks: bzip2, gcc, parse , and twolf - I/O bound benchmark: wget 1.32% overhead 1.34% overhead 13.0% overhead
17 Defending Strategy  Analog side effects - Using power analysis: however, power analysis began as an attack technique .  Digital perturbations - IC testing: waiting for a specific triggering input will pass testing - Reverse engineering: time-consuming, expensive, destructive - Fault-tolerance techniques: Hw redundancy make it expensive because of cost, power consumption, and board real estate.  The best defense is most likely a combination approach.
18 Conclusions - Hardware Trojan (HT), has emerged as an important research topic in recent years. - IC supply chain is large and vulnerable - Designed two general purpose mechanisms: MAM & SM - Implement attacks: privilege escalation, back-door logins and steal passwords - Hw modification of high level flexibility with low detectability - Defending approaches are to inefficient to detect
Discussions ◉ Is it possible to design ICs with self protection awareness? ◉ Are these attacks able to escape all the existing counter strategies? ◉ How can assure a high level defending strategy like on-chip monitoring during run time? ◉ Is IMP feasible in terms of performance, power, area and security costs? ◉ What about other attacks like disabling or destroying a system at some future time? 19

More Related Content

PPTX
Reconfigurable trust forembeddedcomputingplatforms
Abdullah Deeb
 
PDF
Cyber_Attack_Forecasting_Jones_2015
Malachi Jones
 
PDF
MIT Bitcoin Expo 2018 - Hardware Wallets Security
Charles Guillemet
 
PDF
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kuniyasu Suzaki
 
PPTX
Meltdown and Spectre
yeokm1
 
PPTX
2464
Amin Khorsandi
 
PDF
Security in Embedded systems
Naveen Jakhar, I.T.S
 
PDF
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
inside-BigData.com
 
Reconfigurable trust forembeddedcomputingplatforms
Abdullah Deeb
 
Cyber_Attack_Forecasting_Jones_2015
Malachi Jones
 
MIT Bitcoin Expo 2018 - Hardware Wallets Security
Charles Guillemet
 
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kuniyasu Suzaki
 
Meltdown and Spectre
yeokm1
 
2464
Amin Khorsandi
 
Security in Embedded systems
Naveen Jakhar, I.T.S
 
Exploiting Modern Microarchitectures: Meltdown, Spectre, and other Attacks
inside-BigData.com
 

What's hot (18)

PPTX
Jonny doin safe io t- lt_spice failsafe
Jonny Doin
 
PPTX
Osd diksha presentation
dikshagupta111
 
PPTX
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
CODE BLUE
 
PDF
Careful Packing
Flavio Toffalini
 
PPTX
Defense
Tawfiq Shah
 
PDF
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 
PDF
DSDConference07
Adam Taylor CEng FIET
 
PPTX
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
CODE BLUE
 
PDF
Meltdown & Spectre attacks
Marian Marinov
 
DOCX
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEEMEMTECHSTUDENTPROJECTS
 
PPTX
Thesis presentation
CHIACHE lee
 
PDF
Breaking hardware enforced security with hypervisors
Priyanka Aash
 
PDF
Cybersecurity Assessment of Communication-Based Train Control systems
Sergey Gordeychik
 
PDF
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
FFRI, Inc.
 
PDF
System-level Threats: Dangerous Assumptions in modern Product Security
Cristofaro Mune
 
PPTX
Security for io t apr 29th mentor embedded hangout
mentoresd
 
PPTX
Infrastructure Attacks - The Next generation, ESET LLC
Infosec Europe
 
PDF
Chap 4 lesson02emsysnewinterruptbasedi_os
Montassar BEN ABDALLAH
 
Jonny doin safe io t- lt_spice failsafe
Jonny Doin
 
Osd diksha presentation
dikshagupta111
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
CODE BLUE
 
Careful Packing
Flavio Toffalini
 
Defense
Tawfiq Shah
 
Mission Critical Security in a Post-Stuxnet World Part 2
Byres Security Inc.
 
DSDConference07
Adam Taylor CEng FIET
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
CODE BLUE
 
Meltdown & Spectre attacks
Marian Marinov
 
IEEE 2014 JAVA PARALLEL DISTRIBUTED PROJECTS Rre a-game-theoretic-intrusion-r...
IEEEMEMTECHSTUDENTPROJECTS
 
Thesis presentation
CHIACHE lee
 
Breaking hardware enforced security with hypervisors
Priyanka Aash
 
Cybersecurity Assessment of Communication-Based Train Control systems
Sergey Gordeychik
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
FFRI, Inc.
 
System-level Threats: Dangerous Assumptions in modern Product Security
Cristofaro Mune
 
Security for io t apr 29th mentor embedded hangout
mentoresd
 
Infrastructure Attacks - The Next generation, ESET LLC
Infosec Europe
 
Chap 4 lesson02emsysnewinterruptbasedi_os
Montassar BEN ABDALLAH
 
Ad

Similar to Designing and implementing malicious processors (20)

PPT
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Priyanka Aash
 
PDF
Exploring Hardware Security
Speck&Tech
 
PDF
Tdffffffffffffffffffffffffffffffffffffffehranipoor.pdf
RamithaDevi
 
PPT
Embabded system security for feuture .ppt
gunjansingh2917683
 
PDF
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
JonesSmith7
 
PDF
Hardware Attack Mitigation Techniques AnalysisFull Text
ijcisjournal
 
PDF
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
ijcisjournal
 
PDF
Cracking Hardware
Black Sea Summit — IT-conference in Odessa
 
PPTX
Pentesting embedded
antitree
 
PDF
Acpi and smi handlers some limits to trusted computing
UltraUploader
 
PDF
CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)
PROIDEA
 
PPTX
A2: Analog Malicious Hardware
yeokm1
 
PDF
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
PPTX
Securing embedded systems
aissa benyahya
 
PDF
Micro-Architectural Attacks on Cyber-Physical Systems
Heechul Yun
 
PDF
2019 FRSecure CISSP Mentor Program: Class Four
FRSecure
 
PDF
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
PPTX
CAQA5e_ch1 (3).pptx
SPOCSumaLatha
 
PDF
Austin c-c++-meetup-feb2018-spectre
Kim Phillips
 
PDF
Intel IT Experts Tour Cyber Security - Matthew Rosenquist 2013
Matthew Rosenquist
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Priyanka Aash
 
Exploring Hardware Security
Speck&Tech
 
Tdffffffffffffffffffffffffffffffffffffffehranipoor.pdf
RamithaDevi
 
Embabded system security for feuture .ppt
gunjansingh2917683
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
JonesSmith7
 
Hardware Attack Mitigation Techniques AnalysisFull Text
ijcisjournal
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
ijcisjournal
 
Cracking Hardware
Black Sea Summit — IT-conference in Odessa
 
Pentesting embedded
antitree
 
Acpi and smi handlers some limits to trusted computing
UltraUploader
 
CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)
PROIDEA
 
A2: Analog Malicious Hardware
yeokm1
 
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
Securing embedded systems
aissa benyahya
 
Micro-Architectural Attacks on Cyber-Physical Systems
Heechul Yun
 
2019 FRSecure CISSP Mentor Program: Class Four
FRSecure
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
CAQA5e_ch1 (3).pptx
SPOCSumaLatha
 
Austin c-c++-meetup-feb2018-spectre
Kim Phillips
 
Intel IT Experts Tour Cyber Security - Matthew Rosenquist 2013
Matthew Rosenquist
 
Ad

Recently uploaded (20)

PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
PDF
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
A systematic review of self-coping strategies used by university students to ...
CleeveMoralde1
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
EricaRamos80
 
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
ArchitectAFMMohiuddi
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
mathiasmelwyn7
 
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Orientation - ARALprogram of Deped to the Parents.pptx
JeromeTamayoSantiago1
 
Weekly quiz Compilation Jan -July 25.pdf
Nitin Suresh
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
A GUIDE TO GENETICS FOR UNDERGRADUATE MEDICAL STUDENTS
DrBincy A. S
 
master seminar digital applications in india
ananyaray35
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 

Designing and implementing malicious processors

  • 1. Designing and implementing malicious processors Sam King, Joe Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, Yuanyuan Zhou Presented by: Nebiyu Awoke
  • 2. Outlines 2 o Introduction o System Design o Hardware Design o Implementation o Evaluation o Defending Strategy o Conclusions o Discussion
  • 3. 3 Introduction https://i1.wp.com/semiengineering.com/wp content/uploads/Synopsys_silicon-lifecycle-fig1.jpg?ssl=1  Commercial-off-the-shelf (COTS)  Insecure IC supply chain - design, manufacturing and testing a diverse set of countries  Why Hardware attack? - lower level of control
  • 4. 4 Cont.. IBM “trojan circuit” - To steal encryption keys - 406 additional gates Limitations - Operates on hardware-level abstractions directly. - Ignore higher-level abstractions and system-level aspects - Defensive strategy, - Ignored existing counter-strategies an attacker may employ - Hard-coded attack; - The malicious circuit is useful for only this one specific purpose.
  • 5. 5 Cont .. What’s new?  Design and implementation of general purpose hardware to support software based attacks.
  • 6. 6 System Design  Circuit design space: - Memory access mechanism - Shadow mode mechanism  Potential attacks: - Privilege escalation attack - Login backdoor - Stealing passwords
  • 7. 7 Cont..  Memory access mechanism: bypass MMU - Privilege escalation attack - Gives a root without checking credentials or creating log entries  Shadow mode mechanism: - Login backdoor - Lets an attacker log in as root without supplying a password, - Stealing passwords
  • 8. 8 Hardware Design  Tradeoff and assumptions - Timing perturbations: - The performance impact of the modification - Visibility of the attack: - Weather or not sign of the attack appears on the data or address bus - Flexibility: - Can it support various software payloads?
  • 9. 9 Memory Access Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573 provides hardware support for unprivileged malicious software by allowing access to privileged memory regions..
  • 10. 10 Cont.. Visibility: visible Flexibility: flexible Timing Perturbations: have no effect Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
  • 11. 11 Shadow Mode  Have full processor privileges and are invisible to software.  Reserve instruction cache lines and data cache lines for the attack - hide attack from hardware outside of IMP  Two bootstrap mechanisms - a small section of bootstrap code that initializes the attack or - a predefined trigger, which initiates malicious FW  The exact mechanism used to bootstrap attacks depends on the goals of the attacker and the IMP architect.  Debugging hardware: support transitions into shadow mode
  • 12. 12 Cont.. Hardware differences when shadow mode is active Visibility: not visible as long as accessing main memory Flexibility: flexible Timing Perturbations: will have a performance effect
  • 13. 13 Malicious Services  Privilege escalation - Turn off protection to privileged memory regions. - Escalates the privileges of a user process to root privilege level Lauren B. & Shuang Q. https://www.eecs.umich.edu/courses/eecs573
  • 14. 14 Cont..  Login backdoor  Stealing passwords - Interposes on the write library call, searching for the string “Password:” - On the following read call it interposes to record potential passwords. - Leak passwords - Uses system calls to access the network interface. - Overwrite existing network frames with our own packets.
  • 15. 15 Implementation  Development board: FPGA  Processor: Leon3 implements SPARC v8 IS  Modify the design at the VHDL level  OS: Linux  Memory access mechanism modify the data cache and the MMU  Shadow mode mechanism modify instruction and data caches  Run at 40 MHz, which is the recommended clock speed
  • 16. 16 Evaluation  Circuit-level perturbations The circuit-level impact of IMPs compared to a baseline (unmodified) Leon3 processor. 0.05% and 0.08% increase in logic add 68 lines of code for MAM & 117 lines of code for SM  Timing perturbation - CPU bound SPEC benchmarks: bzip2, gcc, parse , and twolf - I/O bound benchmark: wget 1.32% overhead 1.34% overhead 13.0% overhead
  • 17. 17 Defending Strategy  Analog side effects - Using power analysis: however, power analysis began as an attack technique .  Digital perturbations - IC testing: waiting for a specific triggering input will pass testing - Reverse engineering: time-consuming, expensive, destructive - Fault-tolerance techniques: Hw redundancy make it expensive because of cost, power consumption, and board real estate.  The best defense is most likely a combination approach.
  • 18. 18 Conclusions - Hardware Trojan (HT), has emerged as an important research topic in recent years. - IC supply chain is large and vulnerable - Designed two general purpose mechanisms: MAM & SM - Implement attacks: privilege escalation, back-door logins and steal passwords - Hw modification of high level flexibility with low detectability - Defending approaches are to inefficient to detect
  • 19. Discussions ◉ Is it possible to design ICs with self protection awareness? ◉ Are these attacks able to escape all the existing counter strategies? ◉ How can assure a high level defending strategy like on-chip monitoring during run time? ◉ Is IMP feasible in terms of performance, power, area and security costs? ◉ What about other attacks like disabling or destroying a system at some future time? 19