In a world driven by IOT devices, autonomous vehicles, personal assistants, the effects of IC hacking can be devastating. This is not the worst case scenario as safety is on the table too in case of autonomous vehicles, medical devices and weapons systems.
Olivier Thomas, founder at Texplained SARL and author of ARES (Automated Reverse Engineering Software), a software toolchain for the efficient analysis of designs of independent of their logical size, writes about the importance and relevance of IC analysis.
The current piracy situation
ICs are running everything in our digital world. When software and network security is evaluated, the assumption that the hardware is safe is made. What if that was not the case?
IC Reverse-Engineering has reached a stage where an entire IC could be cloned at its physical level, opening doors for counterfeiting.
Invasive Attacks created more than a decade ago are the tool of choice for memory dumps. When an attacker has access to the embedded code, he can build clones and emulations that are visible in markets such as consumables: printer-ink cartridges, video-games controllers are basic examples of products that are sold at expensive prices, letting the door open for cheaper compatible products. Those are usually made after a memory dump made by Invasive Attacks.
Furthermore, having access to the embedded software gives the opportunity for pirates to find out easier way to attack a device. This way, remote attacks can be strategized and can lead to all sorts of piracy.
In a world driven by IOT devices, autonomous vehicles, personal assistants... the effects can be devastating with personal data at risk. This is not the worst case scenario as safety is on the table too (autonomous vehicles, medical devices, weapons systems...).
Other risks such as hardware backdoors also have to be addressed as IC designers do not own factories anymore and rely on third parties for the actual manufacturing of their ICs. During that stage, extra circuitry could be added to create undocumented backdoors for various reasons - all being bad.
Finally, in our globalized economy, new comers could study existing devices to gain a time advantage for their own products. Reverse-Engineering of ICs can be used for stealing hardware IPs which results in an unfair advantage as stealing IPs means no R&D investment and market loss for the legitimate IC vendors.
The role of analysis
IC analysis can be used to detect backdoors implemented on the supply chain or IPs infringements.
As Invasive Attacks and therefore Reverse-Engineering based Invasive Attacks are not really evaluated inside the current certification schemes, an entire class of attacks are hidden from the integrators who do not have a complete view on the different threats. Extending the analysis to those types of attacks is providing a more accurate statement on a product security.
Reverse-Engineering is bringing new attacks techniques. Semi-Invasive attacks are made more effective by using Reverse-Engineering data. Manipulating clock or power lines (Non-Invasive Attacks) can be redefined by the ability to do this locally inside an IC... There is much more to come.
Those coming techniques are at the same time an advantage as evaluations will be sped up but also a new threat as the catalog of potential attacks is still growing.
At the end of the day: What's the fuss? It's only little chips running EVERYTHING!
The accepted major challenges regarding IC analysis are costs, time and expertise.
Price of a complete assessment is pretty expensive and evaluating the IC regarding RE and Invasive Manipulations is believed to add a significant extra cost. This is certainly true for current evaluation but this statement is more than arguable for pirate groups that can literally spend several millions USD to acquire machines and still be profitable after the commercialization of their first off-branded product for example.
For less fortunate attackers, machine access or lab time can be rented at affordable prices which are still decreasing. Those prices reflects for a part the second hand market that becomes very valuable.
The time argument is also highly questionable as pirates often have access to Reverse-Engineering software. Therefore, attacks are realized much faster than before.
Finally, the expertise argument is still the most subjective one. Hardware analysis involving Reverse-Engineering the IC and potentially modifying it looks complicated as the attacker must have strong knowledge of micro-electronics, Failure Analysis, CPU architecture, ... but this argument is more than a decade old and does not take into consideration the natural learning curve. Would you think new attackers do not benefit from the more than 10 years of expertise of their predecessors?
The truth is the current challenges are mainly Failure Analysis related. The difficult task is the imagery of the ICs and their sample preparation. This has to be balanced because if an IC is produced, it means that all necessary investigation equipment and techniques have been developed in the first place. Pirates of course need to adapt to current new technology but have all the necessary knowledge to stay close behind the IC makers.
Limitations to IC security come from the fact that security does still rely on obfuscation rather than on proper design. In this condition, micro-controllers and microprocessors usually do not protect well enough their secrets.
Removing the most potent attacks from the evaluation and certification schemes also has a dangerous effect as the security of those devices is only partially evaluated. Preventing security researchers from looking at ICs can only have a negative impact on the overall security.
At the same time, many new players comes with anti-RE and anti-counterfeiting solutions. One can be tempted to classify those as marketing based protections as they are often based on false assumptions. RE is the fact to understand a system from looking at it. Using the right techniques makes every features of an IC visible which by nature is enough to find out the functionality of the circuitry. How can taking pictures of an IC can be prevented? This question appears to be illegal in some sense as a proper implemented security should be efficient even if its circuitry is exposed: security by design.
At Texplained, we do not only teach how to evaluate IC security to its silicon level, we also evaluate the resiliency of state of the art secure elements against all types of attacks and build counter-measures - based on those evaluations - in the form of hardware IP blocs that protect the most essential part of a design: embedded software, cryptographic keys and personal data.
Oliver Thomas will be conducting a two day training on IC REVERSE ENGINEERING 101 at Hardwear.io. This training will provide security professionals the skills necessary for performing the vulnerability analysis of Integrated Circuits (ICs). To register for training click here.