Darpa's "trust in IC": a smart article and our comments07/07/2008 Written by SyS64738 (Roberto Preatoni)
Without any doubt, the best article published about the Darpa’s Turst in IC program has appeared on IEEE Spectrum’s website. We welcome you to read that article, then to come back here as we posted our comments (oh boy, we have so much to say…)Zone-H Comments:
Are you a fan of comics? Are you interested in digital warfare? Did you find this news about Darpa’s “Trust in IC” program appealing? Foreviewing?
Take a look at our first Zone-H comic episode “Prologue: Network Failures”, published in year 2006 (but we started to work on its production in year 2005). It’s the story of a total Internet failure due to embedded unsolicited hardware, placed by wise Chinese producers in the core IC of the world’s network equipment.
Click on the image to download it
In this comic episode, the hardware spyware has been placed in the network card’s main chip, inserting extra functionalities such an extra microprocessor, some extra RAM and some extra ROM. The network card is usually functioning as a traditional network card up to the moment it receives a specific sequence of bits which activate the embedded extra hardware, causing network failures (but also allowing to spy on each computer’s traffic).
Needless to say, the comic’s characters are using at some point, the same technology adopted by Darpa’s contractors to reveal embedded unsolicited hardware (an x-ray IC layer scanner).
Quite interesting coincidence.
Anyway, the point is that despite what performed in the reality by the Darpa’s contractors, such efforts might not be sufficient to detect embedded spyware in ICs. In fact, any complex Integrated Circuit can be identified not only by the contained hardware, but being most of the time a logic circuit, also by its natural “embedded logic behavior”.
I remember when I was attending my high-school classes (hell, 25 years ago…), one of the first thing I learned was to design logic circuits, according to the task requirements. A first step was to design the circuit according to the logic requirements. The second step was to simplify it by analyzing its boolean redoundancies, stripping off the unnecessary logic ports. After such operation, a much simpler IC was obtained, with the same functionality of the more complex, original one.
All this to say that to be sure that any given IC is not embedding unsolicited behavior might not be enough the mere x-ray analysis of its core components. The IC should also be analyzed in its originally designed logic behavior.
At the current status, the Darpa’s program is focusing mainly in “hashing” the hardware, comparing it to its original design. But as I explained before, extra functionalities can be embedded even in the original hardware logic design, placing circuits with double logic behavior. In principle, it should be easy to design any complex enough logic circuit that behaves always in a certain way except when a single, specific logic gate gets activated, triggering the secondary behavior. Without the need of extra circuitry (ram, rom, etc).
Detecting such triggering logic circuit is a hard task, or even worse, detecting the secondary behavior especially in high density chips and techniques such x-ray scanning would not be helpful at all. Darpa should focus also in possible ways to detect unsolicited logic behavior.
How? Well, it’s not that easy. We do have some ideas here, we might explain them in a future’s comic episode. Or we might not, let’s see if it would be a wise move first.
But we have some more bad news for you guys. Do you know what is the lifespan of war gears? Decades. It means that what has been produced so far and what is currently produced might already embed unsolicited hardware/logic. The Syrian radar failure story might be a demonstration.
Do you know which is one of the most used microprocessor in modern war gears? Nothing fancy nor ultramodern, as you might imagine. In fact, it’s the old 386 chip. Reliable, powerful enough and, most important, long lasting and not heating. Even modern war helicopters are using the old 386 chip. And that was produced more than 20 years ago. As to say, we might be already flooded by poisoned hardware.
This is why people should stop in focusing only in open source software for security reasons but they should also focus on the necessity to have open sourced hardware. Which currently is and probably will stay a mere dream, given the current set of laws and the lobbistic pressure behind them.
The only way to protect yourself today would be to do any sort of hardware/software reverse engineering but as you well know, it’ll bring you legal troubles. War interests apart, opening up hardware systems should be in everybody’s long term interest, including the same hardware producers and governments. Because “Qui gladio ferit, gladio perit”