is a repository of academic computer science papers and a community who loves reading them. I guess most people have been here before, so I'm not going to do any of the usual explanation of what happens and how things work. I'll go to today's papers. You have two papers, one by King Ming on analog malicious hardware and one by Ivan. I'm sorry, you didn't go out the screen. The paper's URL is too long. On fMRI inferences for spatial extent, he'll explain. So without further ado, King Ming. Hey, you guys, any problem or not? Okay, wait up. You started already? Okay, so before I begin, right, you guys remember this paper or not? Actually I gave this talk earlier this year. We love it, so it's Reflections on Trusting Trust. So this paper, if you have not read it, right, it's actually by Ken Thompson. So basically he gave a demo of how you can actually hack components to inject malicious code. The key thing here is actually in his conclusion. The first part of the conclusion, he says you can't trust code that you did not create yourself. Okay, that's one part. The second part of his conclusion, he says we can go lower to avoid detection, like the assembler, loader, or hardware microcode, which is actually quite similar to what this paper is trying to do. Okay, so now I go to the abstract. Okay, so I'll just read it out here. So this paper tries to show how a fabrication-time attacker can leverage analog circuits to create hardware attacks that are small and stealthy. So you construct a circuit that uses capacitors to siphon charge. After that, this is used to force a victim flip-flop to a desired value. Then after that you can do a remotely controllable privilege escalation, using this wire to select a flip-flop that holds the privilege bit. After that they implement this attack on the OR1200 processor. So this is the abstract. Okay, so the main idea here is you want to do privilege escalation with maliciously modified hardware.
Okay, so I understand not everyone here is an electrical engineer or a computer engineer, so I'll go through some electrical concepts first. Okay, so first is the concept of the difference between an analog and a digital circuit. Okay, so for an analog circuit, this is the graph here, so this is actually a continuous signal. There are actually fractions of a logic level, so if you think about a logic level somewhere here, there is signal somewhere in between. A digital signal is at discrete values, so for computers we usually deal with binary, 0 or 1, so 1 means high logic voltage, 0 means low logic voltage, but that doesn't mean that there's only 0 or 1. You can see on this graph here you can have many discrete values in between. Okay, so then the next thing is the capacitor. Okay, so a capacitor is this passive two-terminal component; you can just think of it as a battery, a short-term battery, but the issue with the capacitor is that it can leak. That means after a while, if you don't charge it, right, the voltage will drop quite fast. Okay, then the next is the concept of a charge pump. Okay, so I just copied this from Wikipedia. A charge pump is a kind of DC-to-DC converter that uses capacitors as energy storage to create a higher or lower voltage power source. So you can see what it does here in this circuit: whenever the clock turns on, right, the capacitor voltage will increase, you're actually charging the capacitor; then when the clock goes down, right, the capacitor voltage remains constant, it's not being charged. So you can see every time the clock sort of engages, the voltage will go up, so you can pump up to a level that you actually want. Okay, then next is: what is a flip-flop? Okay, so this is a flip-flop here, so it's actually a circuit that has two stable states you can use to store information. So it can hold zero or one, so I've written the truth table here for the SR (set-reset) latch.
So you can see, depending on what you set R and S to, right, the value Q can either remain, or change, or be set to zero. So this is the SR latch. Uh, any questions for what? Okay. Oh no, no, I copied from Wikipedia. Okay, no questions. Okay, I go on. Okay, so this part is a bit more complicated. This is the IC, integrated circuit, design process, basically how does a manufacturer make a chip? So actually the concept is very similar to that of printed circuit boards. So this is a chart here that I copied from the paper. Okay, so the first part is called the digital design phase, this part here. So this is actually where they draw out the circuit in software, then they simulate it with a hardware description language, so there are two types, either VHDL or Verilog. So after that, once they design the schematic, they go on to the back-end design, so this is where they actually lay it out, they basically draw out the circuit pathways. Okay, so after they do it, they do something called a design rule check, so design rule check basically means checking whether a manufacturer can actually make the chip that you actually drew out. Then let's say if your design passes this design rule check, then you will generate a Graphic Database System, or GDS2, file. So for those familiar, right, a GDS2 file is actually very similar to a Gerber file. So in most PCB design you design, output a Gerber file, send it to the manufacturer. For a chip design you output a GDS2 file and send it to the fabricator to make for you. Okay, then after you send the GDS2 file to the fabricator, to the foundry, they'll make the chip, then after that you just verify the chip, whether it's up to your specifications or not. Okay, so this is actually the cross section of a chip, what's inside, so you can see there are many layers here.
Okay, so the first part is called the front end of line, the front end of line is below here, so this is where all the transistors, capacitors, resistors, all the components of a chip are, right at the bottom. So in a PCB analogy, this is where the components are. Okay, then above the FEOL you have the back end of line, or BEOL, so the BEOL is all the copper wires, all the traces in PCB terms. So these traces here will detail how these components are being connected together. So you can see that actually in this chart there are about five layers, but in modern chips it's common to see 10 or 13 layers already. This is quite an old chart. Then right here at the top is a solder bump, this is actually where the chip is being attached to a whole PCB or a motherboard. Okay, sorry. If you take a ... please digitalize ... do you still have any components in the front end of line? At that point is it just transistors, which are not really components? Okay, in shape of the, yeah, it's a shape, I mean in this, I think, components, tiny transistors. Okay, also you don't just have transistors, you can also have small resistors, yeah, resistors, capacitors. So there wouldn't be a physical SMD resistor that you can solder. It will just be a feature of the silicon. It has the property of the resistor and the flip-flop, not the actual component. To my understanding you get a so-called component library from the foundry. So they know their process, and it's specific for the foundry what you can lay out. And yeah, mostly transistors, sometimes capacitors, and you can have capacitors and resistors. Okay, yeah. Okay, any more? If there was a need for it. Yeah, there's always a need for resistors and capacitors. So for example, if you put these in a DRAM process, we have different components, yeah, because the capacitors will be nice, they're very small. Okay, and continue. Okay, so now we come to the attack components. So the attack components are divided into two parts, the trigger and the payload.
So the trigger, you can think of it as somebody pushing the button. So in this case the trigger monitors the wire to know when is the moment to activate the payload. So the payload is basically something that is bad, a malicious action accomplished when you engage the trigger. Okay, so more about the target platform they chose. So this is an OpenRISC 1200 processor. Open source. So they use a special instruction set, OR1K, not ARM and not x86. It's a very small instruction cache, and the thing is this is entirely implemented in an FPGA using VHDL. I would say not very small cache, because, oh yeah, but yeah I think this is a microprocessor level. It has a microprocessor. It has a microprocessor cache. It has an IMU. It's more like this. Okay, I mean the reason they chose it is because it's open source, they can just make the modifications easily to this. Yeah, open source, free open source. Okay, so I'll go a bit into one of the registers they have, because they use this register quite often in this attack. So this register is called the supervision register. I've copied out this page here from their data sheet because the paper did not do it. Okay, so the first one in this register, the first bit, is to control the supervisor mode here. So you can read here, right, if it's 0 it means the current process is a user-mode process. If it's 1 that means it can be a supervisor process, root access or something like that. Okay, then in this, bit 11 here, this is the overflow bit. So if the last arithmetic operation overflows, the value will change. So if 0 it means there's no overflow in the previous operation, then if there is overflow it will be 1 for this overflow bit. Okay, so I'll come back, I'm coming back to the attack model again, so I summarize the previous, the abstract, so I divided this into five steps.
So the first step, I will show whether an analog circuit can actually use a capacitor to generate an attack. The second one is to pick a victim wire to trigger it. So the third one is when the capacitor is fully charged they deploy an attack. Here the fourth step is you actually implement this attack in this processor, and finally the fifth step is what code you can run to actually activate this attack. Okay, so for step number one, the single-stage analog trigger. So this is based on the charge pump design, so this is the trigger input here. The trigger input can be thought of as something like a clock signal. Okay, so when you keep on triggering this, the capacitor will slowly build up its voltage. So once it crosses a certain threshold, then it will trigger the output. So this is for a single stage. Okay, understand? Okay, so in the single-stage design, right, the paper said that it's actually very easy to get false positives, because of this analog signal it may accidentally trigger when you don't want it to. So that's why they suggested, they implemented a multi-stage trigger, basically more than one trigger before they actually trigger the final trigger here. Okay, so here by having two you lower the probability of a false positive, then you can have multiple attack vectors also, instead of just going through that one particular wire. Okay, then step number two is how do you know which wire to pick. Okay, so we use the overflow flag wire. Okay, so just now I mentioned this overflow flag, right, so they decided why not use this wire as the trigger input. Okay, so it comes here. They need to know what is the logical component. Yes, they need to know where this register is in the chip. And I would say it is a constraint, because even if you steal the mask for the CPU it's not trivial to reverse engineer. Yeah, okay, I think the entire threat model of this paper is you are Intel. No, actually the threat model is that you are the foundry. Exactly, you're Intel.
But even then. Okay, Intel is one example, Intel didn't control the whole thing, but for certain processors the foundry is separate from the designer. So you're TSMC. Yeah, TSMC, yes, and then you have the GDS2 file. So you can. I guess the thing, right, if you get something which has everything placed and routed, it's not like you can easily point at a part of the chip and say okay, this is bit six of the status. I think with the GDS2 you need... If you are good and if you have been doing it for a while you should be able to guess, and that's what they're making up. Yeah, there's a bit of guesswork, right, but in this case because they are trying to do a proof of concept... There is a guy, Ken Shirriff, he does these things where he goes back, takes old chips and, like, oh this is this part, this is that part. So I guess if you're really, really... we know what's going on, and I'm also guessing it's small chips. I don't think you can do this for a Pentium 4 or whatever. But actually when I come to the end, right, they say actually this is easier. Later at the end I'll come to that. That's also the question. So you can certainly limit the amount that you need to examine, because you discard the whole cache, you discard the standard components. I can imagine that you can just buy the routed processors like R, but still, I mean, the logic. That's not the threat model here, because that's what they claim, that's what they're doing. So you just see how they do it. I mean this is how they do it. The threat model is that the manufacturer, when the factory is trying to use their factory, a processor that they didn't design, someone sends to them for manufacturing, then it's a really important distinction whether they can, you know, whether they can reverse engineer it to a high enough level that they can pinpoint individual credit cards. So it's not, you know, it's not just a really hypothetical question. It goes to the heart of the threat model. Okay, all right, I'll record this.
Also, in most electronic devices the processor will be separated by the whole chipset from outside threats. So unless that is a microcontroller. This is the one that is actually running the instruction. Yeah, it overflowed. That's why they wired this check here. I'll leave it, continue first. Okay, okay, so here the overflow flag is connected to the trigger input. Imagine they trigger overflow many times, eventually, right, the output will be triggered, and they wired the output actually to here, to the supervisor bit here. So eventually when it triggers, it comes here, then you flip the bit to one. So your process now has supervisor access already. Okay, so what about the multi-stage trigger? So in this case, a two-stage trigger, they do it slightly differently. They pick the first wire to be the signed division wire, the second wire to be the unsigned division wire. So in this case I couldn't find the OR1K data sheet, so I just leave it first. So assuming they wired these two wires to the trigger input, then when you trigger it enough times you will trigger the supervisor mode bit here, the output. Why is it that you trigger it enough times? Because they need to build up charge here. You just think of this as a clock. So the idea is you want to have a way for your random code that's running unprivileged to become privileged. So your threat model is not just that you compromise the chip, it's that you then later deliver a payload onto such a trigger. Yeah, so I understand, I'm just curious as to why. Because there isn't a ... Analog. Because if you don't do that, right, anyone who does a divide would see it. You would do it enough times. Because if you just do it once, somebody could accidentally trigger the thing here. Okay, so, okay, what is the attack payload? So as I mentioned, right, they actually attach the trigger output to the supervisor bit, so it forces a change of the bit. So now your user process is given the supervisor privileges.
So they actually attach some gates here. This is the SR latch that is responsible for holding the supervisor bit. Okay, so now that we know how to do it, right, where do we do it? It's like this entire chain here, which is the best place to put it in here. So can we do it anywhere along the chain? Sorry? Basically after setting the supervisor mode, on the next trigger again it will be toggled. It means your current process has the... yeah, that I understand. Once it sets supervisor mode then it is all the way already. Yeah, so eventually the capacitor voltage will drop. Yeah, after some time again. No, it won't toggle back. I'm guessing it latches. Yeah, it latches, you maintain all the way. Yeah, unless you downgrade yourself. Yeah, the smart thing to do is to run in supervisor mode until we don't need it anymore. Then you downgrade. Then you downgrade yourself. You can downgrade yourself because, yeah, you're root. Okay, so, okay, so now let's begin, right, with the first stage here. Let's say we try to add it here. So this is actually the easiest way to implement because it's on the schematic level, but the thing is this is very easily detected. I mean you do any check, you sure can find how come there's this extra thing over there, and the thing is, normally at this level, right, the security of the designer's machine is highest at this point. Okay, so now we know this part cannot. But you sometimes have the proofs, the test suites. Yeah, the test verification checks. Yeah, very different checks, easier to detect here. Okay, so now we know we cannot do it here. So okay, so why not do it at the back end. At this level you can also drop in some IP block which sometimes you don't want to. Yeah, you win already. Okay, so maybe you can't do it at the digital design phase, you do it at the back-end phase. So this is definitely harder than here. But the thing is you can actually do some simulation and you can still detect it.
Yeah, so and also the security of the designer's machine is still relatively tight also. So we can't do it at the back end also. So this paper says we do it at the fabrication layer. So because the security at the foundry level is relatively less compared to the earlier levels. Okay, and then, but okay, the issue here is that you also need access to the GDS2 file. So you can know where to insert your malicious circuit. So definitely it's much tougher to detect than at earlier levels. Okay, putting in an IP block might be easier to detect. I think this one has been published in the user space. Okay. If you go down all the way to the fabrication, so someone puts in some extra parts like the transverse on the time it's super tight everywhere. You can't see, okay, so that's what I hear, this stealthy implementation. So okay, so we see the CPU die size, right, it's 2.1 mm². The analog attack only occupies this space, 13.4 µm². So usually they zoom in here, comes here, and they zoom in one more time. So it's very difficult to detect this. Compared to, let's say, if you do a digital-based counter one, they actually calculated you need 91 gates. So it's 382 µm², over one order of magnitude bigger. So that's what it says, analog is, yeah, much more stealthy. Okay, so now since we've seen the hardware part, how do we actually trigger this in software? So here is the pseudocode I copied from the paper. So it describes how you engage a single-stage trigger attack. So we do the divide by zero here, and you see this loop here, right, they do it 500 times, because it's unlikely anyone will divide by zero 500 times, right, okay. So I looked at the data sheet, this is the instruction data sheet here, okay, here, okay, here is the trigger circuit model and here the supervision register. So let's say it's divide by zero, what happens. So the data sheet says here, on divide by zero, okay, the result register will be undefined, the overflow flag will be set, okay, okay, so the overflow flag is here.
So since we want the overflow flag to be the trigger input, it comes here. So we do it 500 times, eventually the output will be triggered, and then you trigger the supervisor bit, okay, any questions, okay. So this was single stage, but single stage may have false positives, so that's why they suggested, why not do a two-stage trigger attack. So they do it two ways, signed division and unsigned division, okay. So here they say, okay, I don't have the data, they actually didn't say anything about this, so I just copied the paper here: for the two-stage trigger we select wires that report whether division is signed or unsigned as trigger inputs, okay, comes here, goes to the trigger input, to the trigger output, and then you get the supervisor mode already, like that. Okay, so what about the test results? Okay, it works. Okay, the reason why I don't want to say so much is because they dedicated, I think, four pages to describe the results, which I was too lazy to put in the slides, so what they basically did is that they actually varied the voltage, because this is an analog attack, right, it's susceptible to voltage differences and temperature range; they tested from 0.8 volts to 1.2 volts and minus 25 to 100 Celsius in this chamber here, okay. So this is the trend: if you increase the temperature you increase the capacitor leakage, you actually need more trigger cycles, maybe you need more than 500, meaning 1000 or 2000. Oh, sorry, so when you say that they tested it, does that mean that instead of running it on FPGA they actually, well, they fabricated? Yeah, here, here, inside this picture, yeah, they did. Doesn't that cost a fortune? No, no, I just checked, it's, for, say, the Canadian researcher, between two and two thousand, really, for a million square, or a million, what process, micrometers, or 1.2 micrometers. I was also, I was curious, I listened to a podcast recently that told me about, if you're a researcher you get access to some really cheap fabrication. It was about $6,000 for 40 dies on an old node.
Oh, so even cheaper? Yeah. Also one point. I can tell you that apparently it's some American national, it used to be a part of NASA or something like that, and it spun off and then they do it as a service for researchers. And the node is quite big. I believe they fabricate 65 nanometers. That's actually really good. That's actually really good. I expected that. Am I right? I need to check the paper. I need to check the paper again if I remember this value. Yeah. But anyway, this circuit is not that complicated. This instruction set is not that complicated. It's not x86. It's just project catching. That's probably what it is. Because you need to pay for the whole wafer. Also, for example, NEMS has their own float zone. They can do the small ones. Which one? I don't know which one. I don't remember. I don't remember the micro. There's no 65 nanometers. Definitely not 65 nanometers. Probably not 65 nanometers. But the thing is, if you're a researcher, you probably have access to this at the university. Yeah. But 65 nanometers is awesome. Yeah. Another trend is that if you increase the voltage, you increase the rate of capacitor accumulation, so fewer cycles. So, yeah, there's some variation here. Okay. So what about possible defenses? How do we defend against such an attack? So maybe one way is to use a side channel. You detect whether there's extra power consumption. But the paper said that the power difference is that of an extra gate in one million gates. Then later on, you can't tell. Okay. So you can't use side channel detection. Maybe you visually inspect the chip. Okay. Obviously, they don't mean naked eye. They use probably a microscope or this. But then the thing is, how do you detect 13.4 µm² of extra circuitry in 2.1 mm²? So the issue I would have with visual inspection, I was actually talking and asking questions about electron microscopy examination.
What I was told is that nowadays, because you have these multiple layers, you don't see at all what happens to the global layers. Yeah, and some of these gates are right at the bottom. It's actually non-trivial to just disassemble these layers. Yeah, you can deal with the videos if you find them bigger. Use an STM and drive it harder. Even from the point of view of my electron microscope, I mean the resolution, that's trivial to image. Yeah, but at least you need to know where you're looking for this one. Was there a CCC talk about... Even though you can see... The electron microscope basically works this way, that you can have several mediums entirely imaged by automated camera in vacuum. But the problem is, you need to delayer the thing, because with these heavy atoms, it will not just transfer the electrons through the chip. I remember there was a CCC talk on this and how they do this delayering and how the chip manufacturers try to protect against delayering by doing all sorts of crazy things to allow... They put like a wire mesh on top, which is grounded and... I can post the CCC talk if anybody is interested. So the third technique suggested is split manufacturing. So you have the chip manufactured by two fabricators. So the first fabricator is trusted, but this is more expensive. The second one is untrusted but cheaper. So the first intuitive way that most of you will think of when you do split manufacturing is that, first I come to the goal, you obfuscate the design for the untrusted fabricator. So the trusted fabricator will do the upper layers. So here they do, this is how they do it. In your design house, you split the chip design into two. So the trusted fabricator will have some of the wires. The untrusted will have the remaining, the gates and other wires. Then the untrusted one will send the unfinished chip to the trusted fabricator, then you can assemble the chip. So basically I think they remove some of the top wires. The trusted fabricator will do some part of the top.
The untrusted one will do below, gates here and the other wires. But they cited a paper here that says it is possible to reverse engineer 96% of the wires. I did not read that paper, I just cited it. So the way they suggested, their proposed way, is that they split at level one. So level one here, the untrusted manufacturer does not make the gates. In the previous slide, the untrusted manufacturer actually can make some gates, which means they can actually add a gate in, the malicious gate. So in this case, the trusted manufacturer will handle all the gates. So there's no way the untrusted manufacturer can insert anything malicious there. So this is the design house. The trusted manufacturer will make the FEOL here, plus level one, the first copper layer. The untrusted manufacturer will make the BEOL, minus the first layer. Then you just send it over and then you make the chip here. Okay? But they say that this is expensive to do. Isn't it much more expensive to do it this way than just their whole trusted foundry? Yeah, they roll the whole thing, but they say it's expensive to do it. So they try to split it out. I mean, if the whole foundry is untrusted, then you cannot do anything. So what they say is that you try to get a trusted manufacturer to do a small portion here. And actually there's no such process as this. Now, to do this, here. How do you ensure the yield? I mean, you shift here and there. Yeah. Yeah, that's what they say. You're off by a few millimeters. No, a few micrometers. Yeah. So that's what they say, no such. So they say it's tough to collect here. Perfectly move this one. Okay, so this one is special. It's tough to actually draw here. Bad news. We're off by 2.2 millimeters. This is not the whole thing. Bad news. We're off by exactly 2.2 millimeters. So all that happened is we lost the ones on the edges in that area. Yeah. So that proposed solution does not exist. Okay. Okay, so here. They talk about the potential for x86 attacks.
So actually here they say it's actually much harder to detect. But they claim it's easier to implement because x86 has small registers. And this attack only needs one. And x86 also has more than 15 wires you can pick from. So you can conduct a multi-stage attack. You don't have to just pick those few wires only. Then I just quoted this from the paper: the only aspect of scaling to an x86-class processor that we anticipate as a challenge is maintaining controllability, as there are many redundant functional wires. So a trigger would need to tap many wires. Yeah. Or we open the sound from listed effects. I think it's implemented by Intel. Maybe, you never know. Well, that's Intel. Yeah. So you mean like the management engine? Yeah. Yeah, yeah. It's a closed source thing. Yes. What's a victim? What exactly controls the victim wire? That means the wire that you trigger. So just now they use the old... Why are some more... Some can be victim... Actually, then you can pick any victim wire. Something that they tell us is probably useless here because there's too much noise going on with the other stuff. You want something that you can reliably trigger. On Intel, I imagine the nice thing about x86 is there's a lot of weird, esoteric instructions no one uses. And then you can have like the three of this. Yeah, exactly. Wait, the victim wire is the one that you're targeting. It's not a trigger. So that would be the one which... Would transfer the signal to the capacitor. No, no, no. Not directly. Going through the capacitor, it is treated as a charge pump. As a clock. Right, but the victim wire is... The victim wire is the one... When you do 1 divided by 0, the old thing, that's the victim wire. Yeah, the victim wire will have a current going through it at that point in time. And then that is connected to a capacitor. Oh, okay. The victim wire is integrated. And then that... It's victim fabrication and... Okay, so I... Yes, yes. That's a good way to go. Actually, there is this here, right?
Okay. So the victim wire in this case is the overflow flag here. Okay. Yeah. Actually, yeah, I think that's the end of the presentation already. Okay. That should be all. Yeah. Okay. Any last questions? Or this? Is there actually an indication that this is happening in the wild? Uh... I don't think you will know. I don't think so. Microscopy people probably wanted to be successful. Look at who has its own manufacturing power, right? Yeah. So the top players, I think... They control the pool. ...have their own. Then there are... The other foundries are like two, which is GlobalFoundries, TSMC, and so on. So there are only two people that would be... Or two corporations that would be able to cheat you. But it could be... It will not be the entire corporation. It could be somebody that's bad inside there. Yeah. It's like, you know... But that could be... Then that could be also inside it. Yeah. Yeah. It could be intelligent. Interesting life fun. Well played, sir. Okay. Any more questions? Oh, yeah. It starts with one word. How does this differ from... Does this thing attack? People have proposed for fabrication time? Existing attacks, huh? How does this differ from existing fabrication-time attacks? Which attacks are you referring to? Were, I think, digital ones? Or attempting to just add a copper wire in one of the layers? Hopefully the bottom-most layers so that you cannot... Just add a wire to do an attack? Yes. But that sounds really, really weird. If you just add a copper wire, that means you need to... You'll be directly attacked over there. It's very easy to trigger. Yeah. You have to detect this. So here, it's very hard to detect because there is... Existing attacks are digital attacks. So you need a larger space to do it. Okay. Yeah. Any more? Okay. Then that's all. Or do you guys want a five-minute break, maybe? Fire break? Okay. Did you say fire break? Fire break. Fire break. Fire break also.
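Editor's note appended after the transcript: the talk describes the trigger mechanism in words (a leaky capacitor pumped by a victim wire, a comparator threshold, a tight divide-by-zero loop of 500 iterations, a two-stage variant on the signed and unsigned division wires, and an SR latch that keeps the supervisor bit set after the charge drains). The following toy model is an added illustration of that behaviour; it is not code from the talk, from the A2 paper, or from the OR1200 project. The gain, leak and threshold values are made up, the instruction traces are constructed, and the AND composition of the two stages is this model's assumption (the transcript does not say how the paper combines them). It is meant to show why occasional overflows never fire the trigger while a tight loop does, and why the payload outlives the charge that set it.

```python
"""Toy model of an A2-style analog trigger and its payload latch.

Illustration added for this transcript, not code from the talk or the paper.
Circuit parameters (gain, leak, threshold) are made-up numbers chosen only to
reproduce the qualitative behaviour discussed: leakage beats a rarely toggling
victim wire, a tight loop of toggles wins, and the SR latch holding the
supervisor bit stays set after the capacitor has drained.
"""
from dataclasses import dataclass


@dataclass
class ChargePumpStage:
    """One single-stage trigger: a leaky capacitor pumped by a victim wire."""

    gain: float = 0.005      # charge added per edge on the victim wire (assumed)
    leak: float = 0.001      # fraction of stored charge lost each clock cycle (assumed)
    threshold: float = 0.9   # comparator level at which the stage output goes high (assumed)
    charge: float = 0.0

    def clock(self, victim_edge: bool) -> bool:
        """Advance one cycle; return the (non-latched) comparator output."""
        self.charge *= 1.0 - self.leak            # leakage is always present
        if victim_edge:                            # the wire toggled: pump charge in
            self.charge = min(1.0, self.charge + self.gain)
        return self.charge >= self.threshold


@dataclass
class SupervisorLatch:
    """SR latch for the supervision register's SM bit: the payload's target."""

    sm: int = 0

    def set_if(self, trigger_high: bool) -> None:
        if trigger_high:
            self.sm = 1        # forced to supervisor mode; stays until software clears it

    def downgrade(self) -> None:
        self.sm = 0            # what a process would do once it no longer needs root


def loop_trace(iterations: int, wires=("overflow",), gap: int = 1) -> list:
    """Constructed instruction trace: each cycle is the set of victim wires that
    see an edge. wires=("overflow",), gap=1 models the tight divide-by-zero loop;
    gap=50 models a program that overflows only occasionally; two wires model a
    loop alternating signed and unsigned divisions for the two-stage trigger."""
    trace = []
    for _ in range(iterations):
        for wire in wires:
            trace.append({wire})
        trace.extend(set() for _ in range(gap - 1))
    return trace


def run(trace: list, stages: dict, latch: SupervisorLatch):
    """Clock every stage with its own victim wire each cycle. The payload fires
    when all stage outputs are high in the same cycle (AND composition is this
    model's assumption). Returns the cycle at which SM was set, else None."""
    for cycle, edges in enumerate(trace, start=1):
        outputs = [stage.clock(wire in edges) for wire, stage in stages.items()]
        latch.set_if(all(outputs))
        if latch.sm:
            return cycle
    return None


def single_stage(iterations: int = 500, gap: int = 1):
    """Single-stage trigger on the overflow-flag wire."""
    return run(loop_trace(iterations, gap=gap),
               {"overflow": ChargePumpStage()}, SupervisorLatch())


def two_stage(iterations: int = 500, wires=("div_signed", "div_unsigned")):
    """Two-stage trigger on the signed and unsigned division wires; the trace
    may exercise only one of them to show that a single wire is not enough."""
    stages = {"div_signed": ChargePumpStage(), "div_unsigned": ChargePumpStage()}
    return run(loop_trace(iterations, wires=wires), stages, SupervisorLatch())


def latch_outlives_charge(idle_cycles: int = 5000):
    """Fire the trigger, then let the capacitor leak with no further edges:
    the stage output drops back low but the SM latch keeps its value."""
    stage, latch = ChargePumpStage(), SupervisorLatch()
    for edges in loop_trace(500):
        latch.set_if(stage.clock("overflow" in edges))
    output_after_leak = False
    for _ in range(idle_cycles):
        output_after_leak = stage.clock(False)
    return output_after_leak, latch.sm


if __name__ == "__main__":
    print("tight div-by-zero loop, single stage   ->", single_stage())
    print("occasional overflow, single stage      ->", single_stage(gap=50))
    print("signed div only, two-stage trigger     ->", two_stage(wires=("div_signed",)))
    print("alternating signed/unsigned, two-stage ->", two_stage())
    print("(stage output, SM) after leaking       ->", latch_outlives_charge())
```

With these made-up constants the tight loop sets SM after roughly two hundred iterations, an overflow every fiftieth cycle never gets the capacitor above about a tenth of the threshold, and hammering only the signed-division wire leaves the two-stage payload unfired; the last line shows the stage output back at zero while SM is still 1, which is the latching behaviour the audience asked about.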