August 07, 2011
Security Risk Of Hacked Computer Chips

The US Defense Advanced Research Projects Agency is spending money to come up with counters to the threat that chips in servers, PCs, routers, and other computer equipment could contain Trojans.

The Pentagon's top research division is trying, however. Over the past two months, Darpa has awarded nine contracts totaling $49 million for its Integrity and Reliability of Integrated Circuits (IRIS) program to check for compromised chips. Seven companies and two universities received the awards.

This problem has non-defense dimensions that are far more pedestrian. Companies create clones of chips made by other companies. Some unethical companies even make counterfeit memory cards, which has prompted the development of software to test USB memory sticks for fakes that perform worse than the real thing and fail at higher rates. There's even a Fake Flash News blog reporting on it.

More complex electronic devices get cloned by counterfeiters, especially in China. Existing known cloners make the fakes in order to profit from the designs of others, but it isn't that big a step to make clones that appear to be functionally identical yet carry monitoring circuitry that patches into the OS of, say, a router or server and then sends information back to some spy server for analysis. This is what the US military and intelligence agencies fear.

One can imagine the US and NATO allies striking deals with computer equipment makers so that certain categories of chips or equipment intended for use in military and other government facilities, and by government contractors, get built in NATO countries. Anyone heard of cases where this is done?

Randall Parker, 2011 August 07 11:25 PM  Computing Security


Comments
epobirs said at August 8, 2011 7:16 AM:

This has been happening for a long time. Look at the roots of the $2 Billion Toshiba floppy controller class action. First, back in the days when a single-chip device was a big deal, NEC produced a floppy controller chip. Toshiba cloned it so closely they replicated the bugs, too. One bug was discovered by IBM engineers working on OS/2. Under some very specific condition aka not in real life, there could be data loss during a file write. IBM notified NEC of the problem and NEC very soon started shipping a fixed version of the chip. End of story as far as NEC cared.

Now, NEC had noticed Toshiba's clone chip and brought legal action but as is typical of such things in Japan it was handled behind closed doors. Although Toshiba had made payments to NEC, there was no apparent obligation to notify Toshiba of the bug discovered by IBM. Meanwhile, Toshiba becomes a titan in laptop sales, nearly all of which contain Toshiba's cloned floppy controller. Yes, they had a known bug but there is no known instance of data loss by any user. Even so, some lawyers who specialized in class actions against tech companies got wind of this and brought suit in Texas, a notoriously brutal locale for such things. Toshiba settles for $2 Billion after it becomes apparent a jury decision could be far worse.

That started nearly thirty years ago, when Chinese semiconductor outfits weren't part of the picture. The individual chip features used then were like redwood logs compared to the splinters of today's process nodes. There could be a lot of stuff hidden in a counterfeit chip.

PacRim Jim said at August 8, 2011 9:52 AM:

When American chip companies outsourced the design and production of chips to the Chinese, they didn't take into consideration the fact that the Chinese military would insert back doors in the chip microcode.
Now American national security has been compromised.
The DoD shouldn't buy any chip not designed and manufactured in the U.S. (and perhaps Japan).
Penny wise, pound foolish.

ivvenalis said at August 8, 2011 1:00 PM:

epobirs: could be? Is.

http://www.businessinsider.com/navy-chinese-microchips-weapons-could-have-been-shut-off-2011-6#ixzz1QfhXjEYD

It's standard practice to demand that parts be produced in the US even for non-sensitive hardware, but there's little oversight of sub-contractors.

Wolf-Dog said at August 8, 2011 5:55 PM:


At the beginning of the Gulf War I, Saddam Hussein was defeated by a similar method. Before the Coalition air campaign on Iraq, the US agents went to France to modify one of the French printers that Saddam's government was about to purchase for its defense system. This printer was supposed to be used in the computer room controlling Saddam's radar network. Before the US attack the printer secretly sent responses to the Iraqi computer network (supposedly controlling the printer) in the radar control room, causing the computer system to shut down every time they turned it on! This effectively disabled Saddam's radar when the first US planes attacked the Iraqi nerve centers. This total surprise was due in part to the modified French printer Saddam's computers were connected to.

This method would bring down the US empire, causing unconditional surrender similar to the Versailles Treaty imposed on the US.

Vince said at August 8, 2011 6:53 PM:

The DoD shouldn't buy any chip not designed and manufactured in the U.S. (and perhaps Japan).
Penny wise, pound foolish.

There was a time in the 1980s and into the early '90s when this was done. It's just prohibitively difficult when Moore's law is ever chugging along for the DoD to stay current with the mainstream tech community. The time/price/performance mixture is pretty brutal.

You note the foolishness, but it seemed just as foolish to me and many others when the DoD and contractors were using specialized ASICs that were 2-3 generations behind for hugely inflated costs in our systems.

Nanonymous said at August 8, 2011 9:06 PM:

they didn't take into consideration the fact that the Chinese military would insert back doors in the chip microcode. Now American national security has been compromised.

Shouldn't it be possible to create some sort of comprehensive fingerprint for a chip? Something analogous to checksums for digital data? Then you just compare the designed reference and the sample outputs. (I am pretty clueless in this area, so if this is not theoretically possible, I'd appreciate an explanation why it is so).

Sigivald said at August 9, 2011 1:22 PM:

PacrimJim said: When American chip companies outsourced the design and production of chips to the Chinese, they didn't take into consideration the fact that the Chinese military would insert back doors in the chip microcode.
Now American national security has been compromised.

Except it hasn't.

This hubbub is about the possibility of that happening in theory, someday.

It has not happened yet - and indeed it's going to be very difficult to both put in such a backdoor and find a way to exploit it.

(Yes, there were mentions there of "hacked hardware", but I see no reason to believe those were more than things made to fail, rather than be backdoored/exploitable. The difference is significant.)

(J. Random Chip in a missile or a dedicated piece of comms hardware is, after all, very hard to exploit from afar, especially if you don't have complete details of the entire schematic of the device, to see if there's even a way to electrically get the signal you'd need, to the chip.

In the movies, it's easy. In real life, it's very, very hard to exploit in this sort of black-box situation. Borderline impossible, in fact - thus, above, my very strong belief that the "hacked" chips obliquely referred to were not "backdoored" for illicit access, but simply made to be broken in more-or-less subtle ways.

In other words: Sabotage is easy. Espionage is hard.)

nerdbert said at August 9, 2011 2:24 PM:

It is possible using JTAG and other wavescan techniques to do the equivalent of an MD5 checksum on a chip using the typical test modes of digital chips. In the typical testing procedure you generate vectors to exercise as much logic as possible between registers and typically you achieve well north of 98% coverage. Inserting logic between the registers in a way that could be hidden from scan testing would be very difficult.

But to rely on something like scan testing you have to be willing to get very close to the testing of the chip and willing to write your own code. You probably have to have testers and even the inexpensive ones cost $5M+, then you have to have a department to write and test the scan vectors, etc.

Most major vendors like Lockheed take fully assembled subsystems from subcontractors and use them and with those it's practically impossible to scan the chips themselves at that level.

You'd require much more vertical integration and expense to combat this problem than we have today in major defense contractors.

Adeline said at August 9, 2011 3:08 PM:

--When American chip companies outsourced the design and production of chips to the Chinese, they didn't take into consideration the fact that the Chinese military would insert back doors in the chip microcode.

THEY didn't? The DoD TOLD THEM they were done with American chip companies. COTS COTS COTS was what they wanted, because they wanted their stuff as fast as what you could buy at Dell. There was no possible way for American companies to compete on price. Worse, DoD, EPA and state regs started telling them they couldn't use solder with lead, couldn't use dopants like arsenic--too hazardous to the environment! So the only place to make them was overseas.

--Now American national security has been compromised.

National security was compromised when they allowed Chinese nationals and Chinese naturalized citizens to take positions in US universities and in defense contractor and govt labs. Chip stuff is bad but nothing compared to that.

cbunix23 said at August 9, 2011 3:44 PM:

For what it's worth... Alcatel-Lucent signed a National Security Agreement with the US at the time the two companies merged. This agreement governs certain equipment made by ALU which is sold to the US government as well as critical network infrastructure equipment sold to US carriers.

Gary said at August 10, 2011 7:39 AM:

nerdbert said: "It is possible using JTAG and other wavescan techniques to do the equivalent of an MD5 checksum on a chip using the typical test modes of digital chips. In the typical testing procedure you generate vectors to exercise as much logic as possible between registers and typically you achieve well north of 98% coverage. Inserting logic between the registers in a way that could be hidden from scan testing would be very difficult. But to rely on something like scan testing you have to be willing to get very close to the testing of the chip and willing to write your own code. You probably have to have testers and even the inexpensive ones cost $5M+, then you have to have a department to write and test the scan vectors, etc."

It would not be that unreasonable for the DoD to require vendors to supply, under NDA, the scan vectors (which they already have), and to design the host boards with test headers which put each chip into test mode such that some relatively basic equipment could run the scan vectors and verify the integrity of the chip. As was said, this would be a 98% sure thing. Very low risk for the chip vendors since reverse engineering the scan vectors would be very hard. The production testers are expensive, in part because they are fast and versatile. Dedicated equipment wouldn't have to be prohibitively expensive (would the DoD care if it was?). The DoD could make it part of product acceptance testing to do this chip verification.
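
An added illustration, not part of any comment above: a toy Python model of the scan-vector "checksum" that nerdbert and Gary describe, where an acceptance tester replays vendor-supplied vectors and compares a compressed signature of the responses against the reference. The 8-bit logic function, the altered variant, the vector sets and all names are constructed assumptions; real scan tests measure fault coverage over gates rather than the input fraction used here.

```python
# Added illustration: toy model of scan-vector signature checking (not real JTAG).
POLY = 0x1021          # feedback polynomial for the 16-bit signature register
WIDTH = 8              # bits in the toy scan chain (constructed value)

def golden_logic(v):
    """Reference logic between the scan registers, as the designer specified it."""
    return ((v ^ (v >> 1)) + 0x35) & 0xFF

def altered_logic(v):
    """Constructed stand-in for a part whose logic differs on one input state."""
    out = golden_logic(v)
    return out ^ 0x01 if v == 0xA7 else out

def scan_signature(chip, vectors):
    """Load each vector, capture the response, fold it into a running signature."""
    sig = 0
    for v in vectors:
        carry = sig & 0x8000
        sig = (sig << 1) & 0xFFFF
        if carry:
            sig ^= POLY
        sig ^= chip(v)
    return sig

def verify(chip, vectors, expected_sig):
    """Acceptance check: does the part under test reproduce the reference signature?"""
    return scan_signature(chip, vectors) == expected_sig

def exercised_fraction(vectors):
    """Share of input states the vector set touches (crude stand-in for coverage)."""
    return len(set(vectors)) / 2 ** WIDTH

FULL = list(range(2 ** WIDTH))
# Constructed partial set: five states are never exercised (about 98% of inputs remain).
PARTIAL = [v for v in FULL if v not in (0x13, 0x5C, 0xA7, 0xC4, 0xEE)]

if __name__ == "__main__":
    for name, vecs in (("full", FULL), ("partial", PARTIAL)):
        ref = scan_signature(golden_logic, vecs)   # signature supplied with the vectors
        print(name, f"{exercised_fraction(vecs):.1%}",
              "genuine passes:", verify(golden_logic, vecs, ref),
              "altered passes:", verify(altered_logic, vecs, ref))
```

The altered part fails the full vector set but matches the reference on the partial set, which is why the coverage figure matters as much as the signature comparison itself.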
