[Cryptography] Hardware Trojan Protection

Bill Frantz frantz at pwpconsult.com
Tue Sep 24 16:36:13 EDT 2013


On 9/22/13 at 6:07 PM, leichter at lrw.com (Jerry Leichter) wrote 
in another thread:

>Still, it raises the question:  If you can't trust your 
>microprocessor chips, what do you do?  One possible answer:  
>Build yourself a processor out of MSI chips.  We used to do 
>that, not so long ago, and got respectable performance (if not, 
>perhaps, on anything like today's scale).  An MSI chip doesn't 
>have enough intrinsic computation to provide much of a hook for 
>an attack.  Oh, sure, the hardware could be spiked - but to do 
>*what*?  Any given type of MSI chip could go into many 
>different points of many different circuit topologies, and 
>won't see enough of the data to do much anyway.  There may be 
>some interface issues:  This stuff might not be fast enough to 
>deal with modern memory chips.  (How would you attack a memory 
>chip?  Certainly possible if you're making a targeted attack - 
>you can slip in a small processor in the design to do all kinds 
>of nasty things.  But commercial off the shelf memory chips are 
>built right up to the edge of what we can make, so you can't 
>change all that much.)
>
>Some stuff is probably just impossible with this level of 
>technology.  I doubt you can build a Gig-E Ethernet interface 
>without large-scale integration.  You can certainly do the 
>original 10 Mb/sec - after all, people did!  I have no idea if 
>you could get to 100 Mb/sec.
>
>Do people still make bit-slice chips?  Are they at a low-enough 
>level to not be a plausible attack vector?
>
>You could certainly build a respectable mail server this way - 
>though it's probably not doing 2048-bit RSA at a usable speed.
>
>We've been talking about crypto (math) and coding (software).  
>Frankly, I, personally, have no need to worry about someone 
>attacking my hardware, and that's probably true of most 
>people.  But it's *not* true of everyone.  So thinking about 
>how to build "harder to attack" hardware is probably worth the effort.

You might get a reasonable level of protection implementing the 
core of the crypto operations in a hardware security module 
(HSM) using Field Programmable Gate Arrays (FPGA) or Complex 
Programmable Logic Device (CPLD). There is an open source set of 
tools for programming these beasts based on Python called MyHDL 
<www.myhdl.org>. The EFF DES cracker may have some useful ideas too.

The largest of these devices are also pressing the current chip 
limits. There isn't a lot of extra space for Trojans. In 
addition, knowing what to look at is somewhat difficult if pin 
assignments etc are changed from chip to chip at random.

As with any system, there are tool chain issues. Open source 
helps, but there is always the Ken Thompson attack. The best 
solution I can think of is to audit the output. Look very 
carefully at the output of the tool chain, and at the final 
piece that loads the configuration data into the device.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"Web security is like medicine - trying to do good for
408-356-8506       |an evolved body of kludges" - Mark Miller
www.pwpconsult.com |


