Re: trusting the processor chip
At 12:25 AM 4/27/96 -0500, Snow wrote:
On Thu, 25 Apr 1996, jim bell wrote:
This analysis seems to assume that the entire production run of a standard product is subverted. More likely, I think, an organization like the NSA might build a pin-compatible version of an existing, commonly-used product like a keyboard encoder chip that is designed to transmit (by RFI signals) the contents of what is typed at the keyboard. It's simple, it's hard to detect, and it gets what they want.
I thought that most (all?) chips already radiated on the electromagnetic spectrum? Isn't that what tempest is about?
There's a difference between trying to find a needle in a haystack, and finding a day-glo, red-hot needle that plays music at 110 decibels in that same haystack. Digital logic chips do radiate EMI, but some radiate very little (because there are few logic transitions or they occur relatively infrequently) or are buried within other circuitry and they don't have a particularly good antenna. The Trojan horse chip I'm hypothesizing would be specifically designed to radiate a fairly loud, continuous signal, on wires that are long enough to make a good antenna. Ideally, the chip would have a crystal to produce a very constant frequency, so that other noise not on that frequency could be ignored. The best place to put such a chip would be a location outside the computer's case, or at least it would have access to the outside. I think that a keyboard controller would be optimum, because I suspect that there are a relatively small number of different designs.

Jim Bell
jimbell@pacifier.com
I realize that when one argues with a fool, no one can tell the difference, but as the dumbest person on the list, I figure I can learn from just about anyone here. Not that I am calling Mr. Bell a fool. On Sat, 27 Apr 1996, jim bell wrote:
At 12:25 AM 4/27/96 -0500, Snow wrote:
On Thu, 25 Apr 1996, jim bell wrote:
[...] product is subverted. More likely, I think, an organization like the NSA [...]
I thought that most (all?) chips already radiated on the electromagnetic spectrum? Isn't that what tempest is about?
There's a difference between trying to find a needle in a haystack, and finding a day-glo, red-hot needle that plays music at 110 decibels in that <snip> The best place to put such a chip would be a location outside the computer's [...] relatively small number of different designs.
I still maintain that this would be less feasible than either:

a) Tempest. Why bother resubverting each new processor (think about it, which processor? Intel (all variants), Motorola (all variants), Digital (Alpha), etc.) when it would be easier (it seems to me at least) to develop a system that _can_ find that needle in a haystack, and simply develop translators for each kind of chip (which could be done in software, I'd think) to show what the chip is doing.

b) Physically compromising the work environment so that you see what the person is typing as well as what is on the screen. As well as get voice etc.

c) This I just thought of, and is kind of a hybrid of Mr. Bell's idea and a tempest-style attack. It isn't thought through real well, but I _think_ it would work. Each processor would emit on a certain band, so you build a "repeater" that takes that band, encodes it, steps it to a different band and retransmits it. This device probably could be made small enough to fit _easily_ inside a case, and draw very little power (the transmitting distance would not need to be very far), and since most people never open their cases, it would be fairly safe from detection. It could even be designed to piggyback on common device interface cards (parallel/serial cards, video cards) so that even if one _did_ open one's case you probably wouldn't notice. All that this would entail _after_ development would be a simple B&E. This wouldn't solve the problem of decoding, but it heats the needle, and makes it sound off at many times less cost than subverting the chip.

Petro, Christopher C.
petro@suba.com <preferred>
snow@crash.suba.com
The promised reference:

"The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems"
Olin Sibert, Oxford Systems Inc.
Phillip A. Porras, The Aerospace Corp.
Robert Lindell, The Aerospace Corp.

Abstract: An in-depth analysis of the 80x86 processor families identifies architectural properties that may have unexpected, and undesirable, results in secure computer systems. In addition, reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems. In this paper, we discuss the imbalance in scrutiny for hardware protection mechanisms relative to software, and why this imbalance is increasingly difficult to justify as hardware complexity increases. We illustrate this difficulty with examples of architectural subtleties and reported implementation errors.

My comments: This is a high-security view paper, so they go on looking for all possible covert channels etc. Not what we are discussing here, perhaps.

They note one problem with Page Access Control by the TCB through the VERR and VERW instructions. In some cases it is possible that these instructions leave "grant access" when they should have said the opposite.

They note that the Timestamp Counter (TSC) in the Pentium might give out high-resolution timing information. This can be used to attack sw RSA running in another task, for example, I believe.

They have 102 flaw reports collected for 80386, 80486, Pentium. There are 8 major security flaws reported.

"7. The bits of the I/O Permission Bitmap (IOPB) correspond to individual byte addresses in the I/O address space. The D0 step of the 386 permits access to certain addresses prohibited by the I/O bitmap: if a 4-byte access is performed, only 3 of the 4 relevant bytes are checked."

There were 9 denial-of-service flaws as well; here's one:

"LAR, LSL, VERR, VERW for a null (zero) selector (A1 step) [Turl88]"

Quite fun reading, although I also recognize that this kind of attack is a bit down on the list of best cost/effort ratios.

-Christian
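The IOPB flaw quoted from the paper above (a 4-byte I/O access checked against only 3 of the 4 byte addresses) is easy to model in software. The following is an added example, not code from the thread, from the paper's authors, or from Intel: it implements the per-byte permission check a TCB relies on, beside a model of the reported D0-step behaviour, and shows why a multi-byte access straddling a denied port must be refused by every byte it touches. It assumes standard x86 IOPB semantics (one bit per port, a set bit means the port is not accessible); which of the four bytes the D0 step skipped is not stated on the page, so the model assumes the last one, and the denied port number is a constructed choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per I/O port for the full 64K port space: 8192 bytes.
   x86 semantics: a set bit means the port is NOT accessible. */
#define IOPB_BYTES 8192

typedef struct {
    uint8_t bits[IOPB_BYTES];
} iopb_t;

void iopb_init_allow_all(iopb_t *b) {
    memset(b->bits, 0, sizeof b->bits);
}

void iopb_deny(iopb_t *b, uint16_t port) {
    b->bits[port >> 3] |= (uint8_t)(1u << (port & 7));
}

static int port_denied(const iopb_t *b, uint32_t port) {
    if (port > 0xFFFF)
        return 1; /* past the end of the bitmap: treat as denied */
    return (b->bits[port >> 3] >> (port & 7)) & 1;
}

/* Correct behaviour: a width-byte access at 'port' touches the byte
   addresses port .. port+width-1, and every one of them must be allowed.
   Returns 1 if the access is permitted, 0 if it must fault. */
int iopb_access_ok(const iopb_t *b, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++)
        if (port_denied(b, (uint32_t)port + i))
            return 0;
    return 1;
}

/* Model of the reported 386 D0-step flaw: for a 4-byte access only three
   of the four byte addresses are consulted. The page does not say which
   byte was skipped; this model assumes it is the last one. */
int iopb_access_ok_d0_flawed(const iopb_t *b, uint16_t port, unsigned width) {
    unsigned checked = (width == 4) ? 3 : width;
    for (unsigned i = 0; i < checked; i++)
        if (port_denied(b, (uint32_t)port + i))
            return 0;
    return 1;
}

/* Constructed scenario: the TCB denies only port 0x3FB (a made-up choice).
   A 4-byte access starting at 0x3F8 spans 0x3F8..0x3FB and so must be
   refused; the flawed check lets it through. Returns 1 when the model
   reproduces that divergence. */
int d0_flaw_reproduces(void) {
    iopb_t b;
    iopb_init_allow_all(&b);
    iopb_deny(&b, 0x3FB);
    return iopb_access_ok(&b, 0x3F8, 4) == 0
        && iopb_access_ok_d0_flawed(&b, 0x3F8, 4) == 1;
}

int main(void) {
    printf("D0-step IOPB flaw reproduced by model: %s\n",
           d0_flaw_reproduces() ? "yes" : "no");
    return 0;
}
```

The point for a TCB designer is that the bitmap's granularity (one byte address) and the access granularity (up to four byte addresses) differ, so the reference monitor has to loop over every byte the access covers; a check that stops one byte short turns a denied port into an accessible one whenever it sits at the end of a wider access.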
Participants (3): Christian Wettergren, jim bell, Snow