Researchers find back door in milspec silicon
A pair of security researchers claim to have found a back door in a commercial field-programmable gate array (FPGA) marketed as a secure tool for military applications.
The FPGA in question is the Actel ProASIC3, a device manufacturer MicroSEMI recommends for use in “portable, consumer, industrial, communications and medical applications with commercial and industrial temperature devices,” but also comes in models boasting “specialized screening for automotive and military systems.”
Sergei Skorobogatov, a researcher at the University of Cambridge, and Christopher Woods of London’s Quo Vadis Labs have released a draft paper (PDF) describing a method whereby attackers can “disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device.”
The pair chose the ProASIC3 for their tests because, they say, it is a very widely used device, boasts of superior security and is known to have military users. Those qualities, the pair say, made it an ideal subject for a back door hunt.
The pair used the Actel’s own analysis tools and the Joint Test Action Group (JTAG) interface to analyse the silicon. That analysis yielded undocumented features, thanks to discovery of what the draft paper calls “command field and data registers.”
The pair also applied differential power analysis (DPA), a method of analysing variations in electrical activity that hint at tasks being performed in silicon, and “ Pipeline Emission Analysis (PEA)” to probe the device “in an attempt to better understand the functionality of each unknown command.” Just how PEA does so is not clear: the draft paper says PEA was developed by the “sponsor” of the research, but that entity is not revealed. Even the footnote describing the technique has been redacted so it reads “ Removed to comply with anonymity requirement for submission”.
But the paper hints PEA is a more sensitive version of DPA, describing it as follows:
“The outstanding sensitivity of the PEA is owed to many factors. One of which is the bandwidth of the analysed signal, which for DPA, stands at 200 MHz while in PEA at only 20 kHz.”
PEA seems to have done the trick, yielding evidence of a passkey that allows control of many features in the FPGA.
“Further investigation,” the paper says, “revealed that this is a backdoor function with the key capable of unlocking many of the undocumented functions, including IP access and reprogramming of secure memory.”
The paper is clearly marked as a draft and Skorobogatov promises to detail the exploit fully at the 2012 Workshop on Cryptographic Hardware and Embedded Systems in Belgium.
One imagines the presentation will be rather well attended. ®