Graduate Seminar: Violating the digital abstraction for more stealthy malicious circuits
Location: 310 Kelly Hall
Speaker: Dr. Matthew Hicks, University of Illinois at Urbana-Champaign
The back-and-forth between hardware-level attackers and defenders is built upon the assumption that malicious circuits must operate in a tradeoff space of software-level stealth and hardware-level stealth. To achieve software-level stealth, previous attacks employed complex state machines in order to make triggering the attack unlikely during testing and normal execution. Defenders responded with approaches capable of detecting large amounts of added circuitry. Alternatively, to achieve hardware-level stealth, previous attacks made small changes that resulted in always-on attacks. In response, defenders developed better test case generation algorithms.
In this talk, I show how a fabrication-time attacker can leverage the analog properties of digital circuits to create hardware attacks that achieve both hardware-level stealth (i.e., requiring as few as one gate) and software-level stealth (i.e., requiring an unlikely trigger sequence). Then, I show how attackers can weaponize the analog attack circuit to escalate privilege using a trigger sequence of seemingly innocuous arithmetic instructions. Finally, I show how attackers can leverage the ample open space in modern ASICs to implant both the trigger and the attack circuits. Experiments with a fabricated chip containing our implants (representing the first openly malicious processor) highlight the stealth and power of analog malicious circuits, motivating a shift in defensive strategy.