The back-and-forth between hardware-level attackers and defenders is built upon the assumption that malicious circuits must operate in a tradeoff space of software-level stealth and hardware-level stealth. To achieve software-level stealth, previous attacks employed complex state machines in order to make triggering the attack unlikely during testing and normal execution. Defenders responded with approaches capable of detecting large amounts of added circuitry. Alternatively, to achieve hardware-level stealth, previous attacks made small changes that resulted in always-on attacks. In response, defenders developed better test case generation algorithms.
In this talk, I show how a fabrication time attacker can leverage the analog properties of digital circuits to create hardware attacks that achieve both hardware-level stealth (i.e., requiring as little as one gate) and software-level stealth (i.e., requiring an unlikely trigger sequence). Then, I show how attackers can weaponize the analog attack circuit to escalate privilege using a trigger sequence of seemingly innocuous arithmetic instructions. Finally, I show how attackers can leverage the ample open space in modern ASICs to implant both the trigger and the attack circuits. Experiments with a fabricated chip containing our implants---representing the first openly malicious processor---highlight the stealth and power of analog malicious circuits, motivating a shift in defensive strategy.
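The stealth argument above turns on a quantitative property: an analog trigger charges a little on every toggle of a monitored wire and leaks on every idle cycle, so it reaches its threshold only under a sustained burst of activity that neither ordinary execution nor random functional testing produces. The following model is an added illustration written for this page; it is not the talk's circuit, the fabricated chip, or any of the authors' code. The charge, leak and threshold constants are made-up integer units, the two workloads are constructed, and `max_window_density` is a hypothetical verification-time metric of the kind a defender might derive from simulation traces, not a defense the talk proposes.

```python
"""Leaky-integrator model of an analog charge-accumulation trigger.

Constructed illustration (not the talk's circuit or any real chip): a
tiny capacitor gains charge each cycle a monitored wire toggles and
loses charge each cycle it stays idle. The trigger output asserts only
when accumulated charge reaches a threshold, so it needs a sustained
run of toggles that ordinary execution and random functional testing
almost never produce. All constants are made-up integer charge units.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class AnalogTrigger:
    charge_per_toggle: int = 5    # hypothetical charge gained per toggle
    leak_per_cycle: int = 10      # hypothetical charge lost per idle cycle
    threshold: int = 100          # trigger asserts at this charge level
    charge: int = 0

    def step(self, toggled: bool) -> bool:
        """Advance one clock cycle; return True if the trigger asserts."""
        if toggled:
            self.charge = min(self.threshold, self.charge + self.charge_per_toggle)
        else:
            self.charge = max(0, self.charge - self.leak_per_cycle)
        return self.charge >= self.threshold


def simulate(toggles: Sequence[bool],
             trigger: Optional[AnalogTrigger] = None) -> Tuple[Optional[int], int]:
    """Run a wire-activity trace through a fresh trigger.

    Returns (cycle at which the trigger first asserted, or None) and the
    peak charge reached, which shows how close a workload came to firing.
    """
    t = trigger if trigger is not None else AnalogTrigger()
    peak = 0
    for cycle, toggled in enumerate(toggles):
        fired = t.step(toggled)
        peak = max(peak, t.charge)
        if fired:
            return cycle, peak
    return None, peak


def periodic_toggles(period: int, cycles: int) -> List[bool]:
    """Constructed 'normal workload': the wire toggles once every `period` cycles."""
    return [c % period == 0 for c in range(cycles)]


def burst_toggles(burst_len: int, lead_in: int = 50) -> List[bool]:
    """Constructed trigger-like activity: a quiet lead-in, then `burst_len`
    back-to-back toggles of the monitored wire."""
    return [False] * lead_in + [True] * burst_len


def max_window_density(toggles: Sequence[bool], window: int) -> float:
    """Highest fraction of toggling cycles in any window of `window` cycles.

    Hypothetical verification-time metric: simulation traces establish the
    densest activity a wire normally sees, and a trace that exceeds that
    bound on an otherwise quiet wire is worth a closer look.
    """
    if window <= 0 or len(toggles) < window:
        return 0.0
    count = sum(toggles[:window])
    best = count
    for i in range(window, len(toggles)):
        count += int(toggles[i]) - int(toggles[i - window])
        best = max(best, count)
    return best / window


if __name__ == "__main__":
    normal = periodic_toggles(3, 1000)
    burst = burst_toggles(20)
    print("normal workload:", simulate(normal), "density", max_window_density(normal, 20))
    print("sustained burst:", simulate(burst), "density", max_window_density(burst, 20))
```

Under these constants the periodic workload never accumulates more than one toggle's worth of charge over a thousand cycles, while twenty consecutive toggles fire the trigger, and the window-density metric separates the two traces cleanly; the point for a defender is that detecting such a trigger means reasoning about activity density over time on specific wires, not about added gate count or single-cycle functional behaviour.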
Matthew Hicks is a member of the technical staff at MIT Lincoln Laboratory, where he leads a hardware security research group that serves as a convergence point between academia and the defense industry. Prior to joining MIT/LL, Matthew spent one year as a lecturer and two years as a postdoc in the Division of Computer Science at the University of Michigan. His research interests span Security, Architecture, and Embedded Systems. His current projects address hardware security, hardware for security, battery-less devices, and approximate computing. His research has been used by military contractors and hardware security startups, and has inspired others to devise code analysis techniques aimed at uncovering malicious hardware. He earned a PhD in 2013 and an MS in 2008, both in Computer Science from the University of Illinois at Urbana-Champaign. He earned a BS in Computer Science from the University of Central Florida in 2006.