Designing and implementing malicious hardware

Our memory access mechanism provides hardware support for unprivileged malicious software by allowing access to privileged memory regions. Malicious software triggers the attack by forcing a sequence of bytes on the data bus to enable the memory access circuits. This sequence can be arbitrarily long to avoid false positives, and the particular sequence must be agreed upon before deployment. Once the sequence is observed, the MMU in the data cache ignores CPU privilege levels for memory accesses, thus granting unprivileged software access to all memory, including privileged memory regions like the operating system’s internal memory. In other words, loading a magic value on the data bus.

Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou
University of Illinois at Urbana Champaign, Urbana, IL 61801

Abstract

Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques. Yet current work on trojan circuits considers only simple attacks against the hardware itself and straightforward defenses. More complex designs that attack the software are unexplored, as are the countermeasures an attacker may take to bypass proposed defenses. We present the design and implementation of Illinois Malicious Processors (IMPs). There is a substantial design space in malicious circuitry; we show that an attacker, rather than designing one specific attack, can instead design hardware to support attacks. Such flexible hardware allows powerful, general purpose attacks while remaining surprisingly low in the amount of additional hardware. We show two such hardware designs and implement them in a real system. Further, we show three powerful attacks using this hardware, including a login backdoor that gives an attacker complete and high-level access to the machine. This login attack requires only 1341 additional gates, gates that can be used for other attacks as well. Malicious processors are more practical, more flexible, and harder to detect than an initial analysis would suggest.

1 Introduction

Motivation

Attackers may be able to insert covertly circuitry into integrated circuits (ICs) used in today's computer-based systems; a recent Department of Defense report [16] identifies several current trends that contribute to this threat. First, it has become economically infeasible to procure high performance ICs other than through commercial suppliers. Second, these commercial suppliers are increasingly moving the design, manufacturing, and testing stages of IC production to a diverse