![Page 1: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/1.jpg)
Supply Chain Security:“If I Were a Nation-State…”
Bluehat.il 2019 bunnie
@bunniestudios
![Page 2: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/2.jpg)
I’m a Hardware Guy.
![Page 3: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/3.jpg)
When Everyone Was Doing the Dotcom Thing...
![Page 4: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/4.jpg)
I Wasted My Time Doing This…
![Page 5: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/5.jpg)
Time Passes…
![Page 6: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/6.jpg)
נהור סגי לעווירא צווחין סמייא בשוק“In the land of the blind, the one-eyed man is King”
(if Google is to be believed)
![Page 7: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/7.jpg)
A Few Years Designing Silicon…
![Page 8: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/8.jpg)
Now: Mostly, I Build Systems…
![Page 9: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/9.jpg)
Which Means Dealing with Supply Chains.
![Page 10: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/10.jpg)
Supply Chains are Not Friendly Territory
![Page 11: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/11.jpg)
![Page 12: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/12.jpg)
![Page 13: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/13.jpg)
![Page 14: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/14.jpg)
![Page 15: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/15.jpg)
Supply Chain Attacks: Why, What, & Where
![Page 16: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/16.jpg)
Supply Chain Attacks: Why?
● Getting in– Backdoors to assist rootkits/exploits
● Getting out– Exfiltrating or leaking data
● Sabotage– Selective defeat/destruction of equipment
![Page 17: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/17.jpg)
![Page 18: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/18.jpg)
![Page 19: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/19.jpg)
![Page 20: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/20.jpg)
![Page 21: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/21.jpg)
![Page 22: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/22.jpg)
![Page 23: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/23.jpg)
![Page 24: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/24.jpg)
![Page 25: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/25.jpg)
Substitute Component
● Simple “BOM swap”: many components look alike
![Page 26: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/26.jpg)
![Page 27: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/27.jpg)
![Page 28: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/28.jpg)
So Only Accept “Authentic” Chips! Right?
![Page 29: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/29.jpg)
Fun Fact: Kingston Doesn’t Have a Fab.Then Where Do Kingston DDR Chips Come From?
![Page 30: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/30.jpg)
The RAM Market is Fluid
● RAM makers produce RAM chips faster than they can test them– eTT/uTT (effectively tested, untested) & “downgrade” sold as
unmarked chips– Substantially cheaper
![Page 31: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/31.jpg)
![Page 32: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/32.jpg)
![Page 33: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/33.jpg)
![Page 34: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/34.jpg)
Add System Component
![Page 35: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/35.jpg)
About Them X-Rays...
![Page 36: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/36.jpg)
Obvious
Less obvious
![Page 37: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/37.jpg)
![Page 38: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/38.jpg)
Add IC in package
● Hide an additional chip inside a package● Chips are harder to see under X-ray● Multiple chips in package is a mature technology
![Page 39: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/39.jpg)
A Closer Look: Wirebonding
![Page 40: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/40.jpg)
![Page 41: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/41.jpg)
Wirebonding
![Page 42: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/42.jpg)
![Page 43: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/43.jpg)
Wirebonding is Versatile: Chip on Chip
![Page 44: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/44.jpg)
● Complex, 3D bonding patterns● Purpose: supply chain
flexibility– Mfg will routinely swap out
sub-components to optimize cost, yield
Design or Implant?
![Page 45: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/45.jpg)
● Silicon is fairly transparent to X-rays
● Copper traces tend to mask silicon
![Page 46: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/46.jpg)
Closer Look: A “Typical” Wirebond IC
3D View X-Ray view
![Page 47: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/47.jpg)
Piggybacking an Implant IC
Unmodified With implant
![Page 48: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/48.jpg)
X-Ray View
Unmodified With implant
![Page 49: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/49.jpg)
An Actual Piggy Back in X-Ray
https://electroiq.com/chipworks_real_chips_blog/2010/09/13/samsungs-eight-stack-flash-shows-up-in-apples-iphone-4/
Top view: looks like straight wires
Side view: visible, but requires unobstructed line of sight
![Page 50: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/50.jpg)
Wirebonded Implants
● Leverages mature, commodity technology● $ few thousand, few weeks to develop
– Using commodity outsourced equipment– Maybe couple $100k’s to buy wirebonder + molding line outright– Can use commodity MCUs/FPGAs for exploit
● Detectable in X-rays
![Page 51: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/51.jpg)
Concept: Through-Silicon Via
https://www.youtube.com/watch?v=20t4FCH3K60
0.1-0.2mm
![Page 52: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/52.jpg)
Implant IC with TSV
Unmodified With implant
![Page 53: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/53.jpg)
![Page 54: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/54.jpg)
X-Ray View: Wirebond Positions Unchanged
Unmodified With implant
![Page 55: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/55.jpg)
Wirebond + TSV Implants
● Requires bespoke MITM chip● Harder to detect with X-rays
![Page 56: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/56.jpg)
What about WLCSP?
WaferLevelChipScalePackage
● No wirebonds● Direct chip-to-
board via solderballs
![Page 57: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/57.jpg)
WLCSPs are Increasingly Popular...
iFixit CC BY NC SA 3.0
![Page 58: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/58.jpg)
![Page 59: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/59.jpg)
![Page 60: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/60.jpg)
Detection: Unmodified
WLCSPs Often Have a Seam
![Page 61: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/61.jpg)
WLCSP Implants
● Pro: Logistically easier than wirebond implants– Target chips sold in chip form– No package to reverse engineer
● Pro: TSV/WLCSP is commodity tech– WLCSP very common in mobile, increasingly common in servers– HBM graphics chips use TSV (Radeon R9, Nvidia GP100, GV100, Titan V)
● Con: Requires fabricating custom TSV template for attacks– mid-$100k’s to set up– Needs access to a mid-end fab
● Pro: Hard to detect– Almost no X-ray footprint– Almost no visual footprint
![Page 62: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/62.jpg)
![Page 63: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/63.jpg)
Total IC Substitution
● Develop or adapt an exploit IC● Possible objectives:
– Add shadow memory● This is trivial: e.g. enlarge I2C/SPI EEPROM
– Modify system control behaviors● PSU/reset/clocks controlled by simple ICs● Emulate system controllers with e.g. FPGA of about same die size + RDL
https://electroiq.com/2011/05/rdl-an-integral-part-of-today-s-advanced/
![Page 64: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/64.jpg)
![Page 65: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/65.jpg)
Ultimate Attack: IC Backdoors
● “Ultimate” attack– Bimodal – hard to set up the relationships to execute, but once
established, easy to repeat
● Persistent● Hard to attribute● Hard to detect
https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
![Page 66: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/66.jpg)
![Page 67: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/67.jpg)
![Page 68: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/68.jpg)
![Page 69: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/69.jpg)
![Page 70: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/70.jpg)
Netlist Tampering: ASIC vs COT
● ASIC – “Application Specific Integrated Circuit”– Customer does RTL + floorplan– Foundry does detail place/route,
IP integration, pad ring– Popular for e.g. cheap support
chips: ● Server BMC● Disk controllers● Set top boxes
● COT – “Customer Owned Tooling”– Customer does full flow, down
to a nominal GDS-II mask– Several extra headcount +
$millions for back-end tooling software
– Necessary for high-performance / flagship products (CPU/GPU/router)
![Page 71: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/71.jpg)
ASIC Flow Example: SOCIONEXT
● $1.3bb revenue (2016)
![Page 72: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/72.jpg)
So I’m Safe with COT, Right?
![Page 73: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/73.jpg)
COT Weaknesses: “Hard IP” Tampering
● COT designers still leave large “holes” in the layout for hard IP– Foundry merges proprietary
blocks with agreed upon connection points
https://cornell-ece5745.github.io/ece5745-tut8-sram/
![Page 74: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/74.jpg)
Hard IP: What Types?
● RF/analog– PLL, ADC, DAC, bandgap
● RAM● ROM● eFuse● Pad rings● Basically, all the points you need to backdoor your RTL
![Page 75: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/75.jpg)
![Page 76: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/76.jpg)
Mask Editing
● All masks also go through an editing (“checking”) step
Proc. of SPIE Vol. 8322 83220C-1
![Page 77: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/77.jpg)
Example: Dopant Tampering
● No morphological change● Circuit behavior change
http://people.umass.edu/gbecker/BeckerChes13.pdf
![Page 78: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/78.jpg)
Spare Cell Rewiring
● Place/route doesn’t use 100% of silicon area– Best practice adds “spare”
logic throughout for easier mask fixes
– Requires large morphological changes
![Page 79: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/79.jpg)
Signal Bypass
https://www.researchgate.net/figure/Layout-of-a-D-Flip-Flop-with-asynchronous-reset-containing-8-dummy-gates-4-gaps-and-2_fig2_274254091
https://www.researchgate.net/figure/The-architecture-of-a-typical-DFF_fig11_221922917
![Page 80: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/80.jpg)
Signal Bypass
![Page 81: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/81.jpg)
Supply Chain Attacks: Where?
![Page 82: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/82.jpg)
![Page 83: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/83.jpg)
![Page 84: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/84.jpg)
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
![Page 85: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/85.jpg)
![Page 86: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/86.jpg)
wallet.fail @ 35C3 (T. Roth, D. Nedospasov, J. Datko)
![Page 87: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/87.jpg)
![Page 88: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/88.jpg)
![Page 89: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/89.jpg)
![Page 90: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/90.jpg)
![Page 91: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/91.jpg)
How Far Away Can We Target one Individual?
● “BTO” (Build To Order)– “Mass Customization” (MC)– “Custom Turnkey Order” (CTO)
https://blogs.opentext.com/maintaining-apples-customer-satisfaction-levels-its-all-about-logistics/
![Page 92: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/92.jpg)
From the Factory to Your Doorstep!
● Operations like CTS push “flavoring” deep into the supply chain
https://www.wired.co.uk/article/liam-casey
![Page 93: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/93.jpg)
![Page 94: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/94.jpg)
Note: Swapping Chips is “Easy”
● Replacing BGA chips in ~30 mins
https://www.youtube.com/watch?v=gImJWY12HXY
![Page 95: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/95.jpg)
So: Big Picture Likely Correct; Details Sketchy
● Reported scheme doesn’t pass Occam’s Razor– The implant as described is hard to
build, easy to find
![Page 96: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/96.jpg)
![Page 97: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/97.jpg)
Key Take-Aways
● Supply chains are hard even when security isn’t a concern– Fakes, gray markets already a hard problem– The red team doesn’t care about your secrets, they just want your money :-)
● Accessible, commodity tech readily adapted to yield difficult-to-detect implants– Fakes/scammers “seed” the market for implant tech– low-$10k’s can yield a wirebond implant– mid-$100k’s can yield a WLCSP implant
● Very large attack surface– Workers & couriers: porous, transient communities– Distributors, factories: misaligned interests– BTO practices extends attack surface across borders and companies
![Page 98: Supply Chain Security€¦ · Supply chains are hard even when security isn’t a concern – Fakes, gray markets already a hard problem The red team doesn’t care about your secrets,](https://reader036.vdocuments.site/reader036/viewer/2022063015/5fd2e9ee101b336c6e6e45a2/html5/thumbnails/98.jpg)
Thanks!
@bunniestudios