"Designing and implementing malicious hardware"
Perry E. Metzger
perry at piermont.com
Mon Apr 28 15:28:06 EDT 2008
Ed Gerck <edgerck at nma.com> writes:
> Each chip does not have to be 100% independent, and does not have to
> be used 100% of the time.
>
> Assuming a random selection of both outputs and chips for testing, and
> a finite set of possible outputs, it is possible to calculate what
> sampling ratio would provide an adequate confidence level -- a good
> guess is 5% sampling.
Not likely.
Sampling will not work. Sampling theory assumes statistical
independence and that the events that you're looking for are randomly
distributed. We're dealing with a situation in which the opponent is
doing things that are very much in violation of those assumptions.
The opponent is, on very very rare occasions, going to send you a
malicious payload that will do something bad. Almost all the time
they're going to do nothing at all. You need to be watching 100% of
the time if you're going to catch him with reasonable confidence, but
of course, I doubt even that will work given a halfway smart attacker.
The paper itself describes reasonable ways to prevent detection on the
basis of most other obvious methods -- power utilization, timing
issues, etc, can all be patched over well enough to render the
malhardware invisible to ordinary methods of analysis.
Truth be told, I think there is no defense against malicious hardware
that I've heard of that will work reliably, and indeed I'm not sure
that one can be devised.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list