5 January 2010—In November, engineering students from five top universities gathered at the Polytechnic Institute of NYU, in Brooklyn, N.Y., for the Embedded Systems Challenge. The aim was to test new attacks and defenses against an underappreciated breed of Trojan horse—embedded malware built into integrated circuits.
The winning team’s results, set to appear in journals and at conference proceedings in 2010, reveal how vulnerable many systems are to "chip attacks." The contest also demonstrated the high degree of technical sophistication required for these attacks, making it more likely that attackers will pursue specialized applications, such as sensitive military equipment or high-security financial computers. Attacking Dad’s new Windows 7 PC probably isn’t worth the extreme investment of time and money—especially when cheaper and quicker phishing and software-based malware attacks still work all too well.
"It’s something that people aren’t really much aware of," says contest judge Jim Howard, director and chief engineer of information assurance at Camden, N.J.–based L-3 Communications, which designs application-specific integrated circuits for high-security applications, such as military communications systems. "The majority of application-specific integrated circuits are manufactured outside the United States.... People could be putting flaws in these chips that they can activate."
Howard imagines that "people are probably trying to do this kind of stuff" in chips destined for military systems. It seems militaries around the world are also imagining the possibilities, including Pakistan, whose defense ministers refused American efforts to help secure the country’s nuclear arsenal out of fear that U.S. contractors might insert a software or hardware Trojan horse that could later disable the weapons.
The contest centered around blueprints for a simple cryptography chip built on a field-programmable gate array (FPGA) that had just one input and one output. "Secret" text went in, while encrypted text emerged from the chip’s output terminal. First, teams had to harden their own chip design against other teams’ anticipated Trojan horses. Then, when the teams received the blueprints for their opponents’ hardened chips, they had to devise attacks on their opponents’ chip designs that would output either the cipher key or the unencrypted secret text. As a result, each face-off in the competition consisted of an integrated circuit that contained both a defending team’s add-on circuits as well as the corresponding opposing team’s Trojan horse circuitry.
The first-place team in this year’s Embedded Systems Challenge used one of the most deceptively simple attacks imaginable, Howard says. Led by NYU-Poly graduate student Jeyavijayan Rajendran, the team devised attacks that, when activated, simply connected the input wire to the output wire and bypassed the encryption circuitry altogether.
"It’s the most obvious approach," says Rajendran’s faculty advisor, Ramesh Karri, associate professor of electrical and computer engineering at NYU-Poly. But it’s not foolproof. Bypassing all the encryption logic means that the output signal appears suspiciously soon after the input. So "if somebody’s taking a fingerprint of the [chip’s] delay, then this may not even work. It depends on the defense, too."
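Karri’s delay-fingerprint remark can be made concrete with a toy simulation, added here as an illustration and not part of the article or of any contest entry: a constructed one-input/one-output cipher model with a fixed pipeline delay, a hypothetical Trojan variant that ties the input wire to the output wire once a constructed trigger byte is seen, and an audit that compares the observed input-to-output latency with the golden design. The names Chip, fingerprint, audit, GOLDEN_LATENCY and TRIGGER, and the key and probe values, are all assumptions made for the example.

```python
# Added illustration (not from the article): a toy model of a one-input/one-output
# cipher chip, a hypothetical bypass Trojan, and a delay-fingerprint audit.
GOLDEN_LATENCY = 4   # constructed: cycles the honest encryption pipeline takes
TRIGGER = 0xA5       # constructed: input byte that arms the hypothetical Trojan


class Chip:
    """Toy cipher: XOR each input byte with a key after a fixed pipeline delay."""

    def __init__(self, key, trojan=False):
        self.key, self.trojan, self.armed = key, trojan, False
        self.pipe = [None] * GOLDEN_LATENCY   # pipeline stages, idle at power-up

    def clock(self, byte):
        """Advance one cycle with `byte` on the input wire; return the output wire."""
        if self.trojan and byte == TRIGGER:
            self.armed = True                 # trigger seen: stay bypassed from now on
        self.pipe.append(byte ^ self.key)     # the encryption logic still runs...
        out = self.pipe.pop(0)
        if self.armed:
            return byte                       # ...but the output wire is tied to the input
        return out


def fingerprint(chip, probe, max_cycles=16):
    """Drive `probe` once, then hold the input idle; return (latency, leaked), where
    latency is the cycle on which the probe's ciphertext appeared (None if never)
    and leaked is True if the raw probe ever appeared on the output wire."""
    expected = probe ^ chip.key               # the defender knows the intended design
    latency, leaked = None, False
    out = chip.clock(probe)
    for cycle in range(max_cycles):
        if out == probe and probe != expected:
            leaked = True                     # plaintext on the output: encryption bypassed
        if out == expected and latency is None:
            latency = cycle
        out = chip.clock(0)
    return latency, leaked


def audit(chip, probe=TRIGGER):
    """Flag a chip whose timing or output disagrees with the golden design."""
    latency, leaked = fingerprint(chip, probe)
    return {"latency": latency, "leaked": leaked,
            "suspicious": leaked or latency != GOLDEN_LATENCY}


if __name__ == "__main__":
    print(audit(Chip(0x3C)))                        # honest: latency 4, not suspicious
    print(audit(Chip(0x3C, trojan=True)))           # bypass armed: leaked, latency None
    print(audit(Chip(0x3C, trojan=True), probe=1))  # trigger never driven: passes
```

The third call is the caveat behind "it depends on the defense": the timing signature only deviates once the Trojan is active, so an audit that never drives the trigger pattern observes golden latency and passes the part.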
Karri, who organized this year’s contest along with NYU-Poly computer science graduate student Kurt Rosenfeld, says that they intentionally weighted the competition to favor a strong defense.