http://spectrum.ieee.org/semiconductors/design/creative-winners-in-hardware-...

Creative Winners in Hardware Trojan Contest

Simple attacks and creative defenses

By Mark Anderson // January 2010

5 January 2010

In November, engineering students from five top universities gathered at the Polytechnic Institute of NYU, in Brooklyn, N.Y., for the Embedded Systems Challenge. The aim was to test new attacks and defenses against an underappreciated breed of Trojan horse: embedded malware built into integrated circuits. The winning team's results, set to appear in journals and at conference proceedings in 2010, reveal how vulnerable many systems are to "chip attacks."

The contest also demonstrated the high degree of technical sophistication required for these attacks, making it more likely that attackers will pursue specialized applications, such as sensitive military equipment or high-security financial computers. Attacking Dad's new Windows 7 PC probably isn't worth the extreme investment of time and money, especially when cheaper and quicker phishing and software-based malware attacks still work all too well.

"It's something that people aren't really much aware of," says contest judge Jim Howard, director and chief engineer of information assurance at Camden, N.J.-based L-3 Communications, which designs application-specific integrated circuits for high-security applications, such as military communications systems. "The majority of application-specific integrated circuits are manufactured outside the United States.... People could be putting flaws in these chips that they can activate."

Howard imagines that "people are probably trying to do this kind of stuff" in chips destined for military systems. It seems militaries around the world are also imagining the possibilities, including Pakistan, whose defense ministers refused American efforts to help secure the country's nuclear arsenal out of fear that U.S. contractors might insert a software or hardware Trojan horse that could later disable the weapons.

The contest centered around blueprints for a simple cryptography chip built on a field-programmable gate array (FPGA) that had just one input and one output. "Secret" text went in, while encrypted text emerged from the chip's output terminal. First, teams had to harden their own chip design against other teams' anticipated Trojan horses. Then, when the teams received the blueprints for their opponents' hardened chips, they had to devise attacks on those designs that would output either the cipher key or the unencrypted secret text. As a result, each face-off in the competition consisted of an integrated circuit that contained both a defending team's add-on circuits and the corresponding opposing team's Trojan horse circuitry.

The first-place team in this year's Embedded Systems Challenge used one of the most deceptively simple attacks imaginable, Howard says. Led by NYU-Poly graduate student Jeyavijayan Rajendran, the team devised attacks that, when activated, simply connected the input wire to the output wire and bypassed the encryption circuitry altogether.

"It's the most obvious approach," says Rajendran's faculty advisor, Ramesh Karri, associate professor of electrical and computer engineering at NYU-Poly. But it's not foolproof. Bypassing all the encryption logic means that the output signal appears suspiciously soon after the input. So "if somebody's taking a fingerprint of the [chip's] delay, then this may not even work. It depends on the defense, too."

Karri, who organized this year's contest along with NYU-Poly computer science graduate student Kurt Rosenfeld, says that they intentionally weighted the competition to favor a strong defense. "Since defending is much harder than attacking usually, we tilted the scoring in favor of defenders," Rosenfeld says.
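To make Karri's delay-fingerprint point concrete, here is an added example in Python that is not from the article or from any contest team: a toy encryption pipeline, a toy Trojan that shorts input to output once a constructed trigger pattern has been seen, and a defender's runtime latency monitor. The pipeline depth, the trigger value and the cipher are all assumptions; what the code shows is that a functional comparison passes while the Trojan is dormant, but the cycle count drops the moment the bypass is active, and a monitor that only counts cycles catches it without knowing the key.

```python
from dataclasses import dataclass

# Constructed toy parameters; the contest's real pipeline depth and trigger are not on the page.
PIPELINE_CYCLES = 5      # cycles from input to valid ciphertext in the toy encryption pipeline
BYPASS_CYCLES = 1        # a bare wire from input pin to output pin answers after one cycle
TRIGGER = 0xC0DE         # constructed trigger pattern that arms the toy Trojan


def toy_encrypt(block: int, key: int) -> int:
    """Stand-in for the contest cipher: a few XOR-and-rotate rounds on a 16-bit block."""
    x = block & 0xFFFF
    for r in range(4):
        x ^= (key >> (4 * r)) & 0xFFFF
        x = ((x << 3) | (x >> 13)) & 0xFFFF
    return x


@dataclass
class Chip:
    key: int
    trojaned: bool = False   # carries the input-to-output bypass circuitry
    armed: bool = False      # bypass takes effect once the trigger pattern has been seen

    def run(self, block: int) -> tuple[int, int]:
        """Return (output word, cycles until the output became valid)."""
        block &= 0xFFFF
        if self.trojaned and block == TRIGGER:
            self.armed = True
        if self.armed:
            return block, BYPASS_CYCLES          # plaintext passes straight through
        return toy_encrypt(block, self.key), PIPELINE_CYCLES


def learn_fingerprint(reference: Chip, vectors) -> tuple[int, int]:
    """Characterise a trusted reference chip: the min/max latency it ever shows."""
    latencies = [reference.run(v)[1] for v in vectors]
    return min(latencies), max(latencies)


def monitor(chip: Chip, vectors, window: tuple[int, int]) -> list[str]:
    """Runtime delay check: flag any transaction whose latency falls outside the window.
    Needs no key and no expected ciphertext, only a cycle counter."""
    lo, hi = window
    alerts = []
    for v in vectors:
        _, cycles = chip.run(v)
        if not lo <= cycles <= hi:
            alerts.append(f"input {v:#06x}: answered in {cycles} cycle(s), expected {lo}-{hi}")
    return alerts
```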
Every successful defense of a chip against an attack earned a team two points, while a failed defense didn't affect a team's score at all. On the other hand, a successful attack on a chip earned a team one point, while a thwarted attack took one point away from the attacking team.

Such a playing field led to the surprise second-place finish of Vanderbilt University. Electrical engineering graduate student Trey Reece, the only Vanderbilt team member, mounted no attacks at all. But the fact that his chip design caught four out of the five attacks against it still netted him the silver medal.

Reece says his line of defense depended on an oscillator in the chip's circuitry that consisted of three NAND gates. "I also tossed in another 10 gates just to disguise what I was doing," he says. When activated during the competition's testing phase, Reece's oscillator coursed with a harmonically shifting current, giving off a distinct output pattern. Any tampering with the internal logic in the cryptography engine would result in a different output pattern and thus detection of the Trojan horse. The only team that defeated Reece's chip was NYU-Poly, which used the simple input-connected-to-output approach.

The third-place team, from Yale, avoided oscillators as its defense mechanism because in any bulk-chip fabrication process, faculty advisor Yiorgos Makris says, oscillators would yield a lot of false alarms due simply to the varying material properties of different silicon wafers. Instead, he says, his team, consisting of grad students Yier Jin and Nathan Kupp, opted for a sly scheme that hid its chip in plain sight. Rather than giving their opponents high-level blueprints for their chip, the Yale team buried the chip's details deep in the design description, making it much more difficult for an adversary to understand. Moreover, they embedded additional registers in the design to give them a view into the inner workings of the chip that might reveal an attack. (This strategy, Makris says, would be equivalent in a software competition to handing over .exe files as opposed to source code.)

Yale's strategy was so successful, in fact, that no team attacked its chip. Howard says that obfuscating one's design and intent is certainly an important strategy in real-world chip design. "I thought what they did was very creative," Howard says. But because the competition awarded successful defenses against actual attacks and no one attacked, "they also outsmarted themselves," he says.

About the Author

Mark Anderson writes about science and technology from Northampton, Mass. In the January 2010 issue of IEEE Spectrum, he described Intrinsity's Hummingbird, a hot-rodded smartphone chip with the power of a PC processor.