New version page

Tamper Evident

Upgrade to remove ads

This preview shows page 1-2-3-4-5 out of 16 pages.

Save
View Full Document
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 16 pages.
Access to all documents
Download any document
Ad free experience

Upgrade to remove ads
Unformatted text preview:

IntroductionRelated WorkThreat ModelAssumptionsAttack TriggersBackdoor TypesPrinciples for Microprocessor ProtectionEmitter Backdoor ProtectionControl Corrupter Backdoor ProtectionA Case StudyMicroarchitecture and OptimizationsTrustNet OptimizationDataWatchOptimizationApplications of Prior SolutionsEvaluationApplicabilityEvaluation MethodologyAttack Space CoverageAttacks and DetectionTrafficArea EstimatesConclusionAcknowledgementsTamper Evident MicroprocessorsAdam WaksmanDepartment of Computer ScienceColumbia UniversityNew York, [email protected] SethumadhavanDepartment of Computer ScienceColumbia UniversityNew York, [email protected]—Most security mechanisms proposed to date unques-tioningly place trust in microprocessor hardware. This trust,however, is misplaced and dangerous because microprocessorsare vulnerable to insider attacks that can catastrophically com-promise security, integrity and privacy of computer systems. Inthis paper, we describe several methods to strengthen the funda-mental assumption about trust in microprocessors. By employingpractical, lightweight attack detectors within a microprocessor,we show that it is possible to protect against malicious logicembedded in microprocessor hardware.We propose and evaluate two area-efficient hardware methods— TRUSTNET and DATAWATCH — that detect attacks onmicroprocessor hardware by knowledgeable, malicious insiders.Our mechanisms leverage the fact that multiple componentswithin a microprocessor (e.g., fetch, decode pipeline stage etc.)must necessarily coordinate and communicate to execute evensimple instructions, and that any attack on a microprocessormust cause erroneous communications between microarchitec-tural subcomponents used to build a processor. A key aspect ofour solution is that TRUSTNET and DATAWATCH are themselveshighly resilient to corruption. We demonstrate that under realisticassumptions, our solutions can protect pipelines and on-chipcache hierarchies at negligible area cost and with no performanceimpact. Combining TRUSTNET and DATAWATCH with priorwork on fault detection has the potential to provide completecoverage against a large class of microprocessor attacks.1Index Terms—hardware security, backdoors, microprocessors,security based on causal structure and division of work.I. INTRODUCTIONOne of the key challenges in trustworthy computing isestablishing trust in the microprocessors that underlie allmodern IT. The root of trust in all software systems restson microprocessors because all software is executed by amicroprocessor. If the microprocessor cannot be trusted, nosecurity guarantees can be provided by the system. Providingtrust in microprocessors, however, is becoming increasinglydifficult because of economic, technological and social fac-tors. Increasing use of third-party “soft” intellectual propertycomponents, the global scope of the chip design process,increasing processor design complexity and integration, thegrowing size of processor design teams and the dependenceon a relatively small number of designers for a sub-component,all make hardware highly susceptible to malicious design.1Appears in Proceedings of the 31st IEEE Symposium on Security &Privacy (Oakland), May 2010Free to distribute for educational use. Copyright restrictions may applyotherwise.A sufficiently motivated adversary could introduce backdoorsduring hardware design. For instance, a hardware designer, bychanging only a few lines of Verilog code, can easily modifyan on-chip memory system to send data items it receives toa shadow address in addition to the original address. Suchbackdoors can be used in attacking confidentiality e.g., byexfiltrating sensitive information, integrity e.g., by disablingsecurity checks such as memory protection, and availabilitye.g., by shutting down the component based on a timer or anexternal signal. Some recent high-profile attacks have been at-tributed to untrustworthy microprocessors [10]; hardware trustissues have been a concern for a while now in several domains,including in military and public safety equipment [67], and thisissue has attracted media attention lately [45].Because hardware components (including backdoors) arearchitecturally positioned at the lowest layer of a computa-tional device, it is very difficult to detect attacks launched orassisted by those components: it is theoretically impossible2to do so at a higher layer e.g., at the operating system orapplication, and there is little functionality available in currentprocessors and motherboards to detect such misbehavior. Thestate of practice is to ensure that hardware comes from atrusted source and is maintained by trusted personnel — avirtual impossibility given the current design and manufac-turing realities. In fact, our inability to catch accidental bugswith traditional design and verification procedures, even inhigh-volume processors [59], makes it unlikely that hiddenbackdoors will be caught using the same procedures, as thisis an even more challenging task.3In this paper we investigate how microprocessor trust canbe strengthened when manufactured via an untrusted designflow. Figure1 shows the standard steps used to manufacturemicroprocessors. This paper focuses on one of the initialproduction steps, which is the coding phase of hardware design(register transfer level, or RTL). Any backdoor introducedduring the initial phase becomes progressively more difficultto catch as it percolates through optimizations and tools in the2It should be noted, however, that in practice it may be possible to detectdiscrepancies in the state of the system, such as cache misses. Such detectioncannot be guaranteed, and it largely depends on both external artifactsused for the detection (e.g., a reference time source) and on sub-optimalimplementation of the backdoor.3The International Technology Roadmap for Semiconductors notes that thenumber of bugs escaping traditional audit procedures will increase from fiveto nine per 100,000 lines of code in the coming years [2].Specifications High-level Design Design Validation Physical Design (low-level) Tapeout and Fabrication Deployment Prior Work: Detection of backdoors inserted by malicious foundries [12, 16, 17, 24, 40, 53, 69]TrustNET and DataWatch detects backdoors inserted by malicious chip designers (no prior solution)Standard Microprocessor Design ProcedureFig. 1. Microprocessor design flow and scope of this paper.later phases. Prior work on detecting


Download Tamper Evident
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Tamper Evident and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Tamper Evident 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?