Supply Chain Security: “If I Were a Nation-State…”
Bluehat.il 2019 bunnie
@bunniestudios
I’m a Hardware Guy.
When Everyone Was Doing the Dotcom Thing...
I Wasted My Time Doing This…
Time Passes…
נהור סגי לעווירא צווחין סמייא בשוק
“In the land of the blind, the one-eyed man is King”
(if Google is to be believed)
A Few Years Designing Silicon…
Now: Mostly, I Build Systems…
Which Means Dealing with Supply Chains.
Supply Chains are Not Friendly Territory
Supply Chain Attacks: Why, What, & Where
Supply Chain Attacks: Why?
● Getting in
  – Backdoors to assist rootkits/exploits
● Getting out
  – Exfiltrating or leaking data
● Sabotage
  – Selective defeat/destruction of equipment
Substitute Component
● Simple “BOM swap”: many components look alike
So Only Accept “Authentic” Chips! Right?
Fun Fact: Kingston Doesn’t Have a Fab.
Then Where Do Kingston DDR Chips Come From?
The RAM Market is Fluid
● RAM makers produce RAM chips faster than they can test them
  – eTT/uTT (effectively tested, untested) & “downgrade” sold as unmarked chips
  – Substantially cheaper
Add System Component
About Them X-Rays...
Obvious
Less obvious
Add IC in package
● Hide an additional chip inside a package
● Chips are harder to see under X-ray
● Multiple chips in package is a mature technology
A Closer Look: Wirebonding
Wirebonding
Wirebonding is Versatile: Chip on Chip
● Complex, 3D bonding patterns
● Purpose: supply chain flexibility
  – Mfg will routinely swap out sub-components to optimize cost, yield
Design or Implant?
● Silicon is fairly transparent to X-rays
● Copper traces tend to mask silicon
Closer Look: A “Typical” Wirebond IC
3D View | X-Ray view
Piggybacking an Implant IC
Unmodified | With implant
X-Ray View
Unmodified | With implant
An Actual Piggy Back in X-Ray
https://electroiq.com/chipworks_real_chips_blog/2010/09/13/samsungs-eight-stack-flash-shows-up-in-apples-iphone-4/
Top view: looks like straight wires
Side view: visible, but requires unobstructed line of sight
Wirebonded Implants
● Leverages mature, commodity technology
● $ few thousand, few weeks to develop
  – Using commodity outsourced equipment
  – Maybe couple $100k’s to buy wirebonder + molding line outright
  – Can use commodity MCUs/FPGAs for exploit
● Detectable in X-rays
Concept: Through-Silicon Via
https://www.youtube.com/watch?v=20t4FCH3K60
0.1-0.2mm
Implant IC with TSV
Unmodified | With implant
X-Ray View: Wirebond Positions Unchanged
Unmodified | With implant
Wirebond + TSV Implants
● Requires bespoke MITM chip
● Harder to detect with X-rays
What about WLCSP?
Wafer Level Chip Scale Package
● No wirebonds
● Direct chip-to-board via solderballs
WLCSPs are Increasingly Popular...
iFixit CC BY NC SA 3.0
Detection: Unmodified
WLCSPs Often Have a Seam
WLCSP Implants
● Pro: Logistically easier than wirebond implants
  – Target chips sold in chip form
  – No package to reverse engineer
● Pro: TSV/WLCSP is commodity tech
  – WLCSP very common in mobile, increasingly common in servers
  – HBM graphics chips use TSV (Radeon R9, Nvidia GP100, GV100, Titan V)
● Con: Requires fabricating custom TSV template for attacks
  – mid-$100k’s to set up
  – Needs access to a mid-end fab
● Pro: Hard to detect
  – Almost no X-ray footprint
  – Almost no visual footprint
Total IC Substitution
● Develop or adapt an exploit IC
● Possible objectives:
  – Add shadow memory
    ● This is trivial: e.g. enlarge I2C/SPI EEPROM
  – Modify system control behaviors
    ● PSU/reset/clocks controlled by simple ICs
    ● Emulate system controllers with e.g. FPGA of about same die size + RDL
https://electroiq.com/2011/05/rdl-an-integral-part-of-today-s-advanced/
Ultimate Attack: IC Backdoors
● “Ultimate” attack
  – Bimodal – hard to set up the relationships to execute, but once established, easy to repeat
● Persistent
● Hard to attribute
● Hard to detect
https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
Netlist Tampering: ASIC vs COT
● ASIC – “Application Specific Integrated Circuit”
  – Customer does RTL + floorplan
  – Foundry does detail place/route, IP integration, pad ring
  – Popular for e.g. cheap support chips:
    ● Server BMC
    ● Disk controllers
    ● Set top boxes
● COT – “Customer Owned Tooling”
  – Customer does full flow, down to a nominal GDS-II mask
  – Several extra headcount + $millions for back-end tooling software
  – Necessary for high-performance / flagship products (CPU/GPU/router)
ASIC Flow Example: SOCIONEXT
● $1.3bb revenue (2016)
So I’m Safe with COT, Right?
COT Weaknesses: “Hard IP” Tampering
● COT designers still leave large “holes” in the layout for hard IP
  – Foundry merges proprietary blocks with agreed upon connection points
https://cornell-ece5745.github.io/ece5745-tut8-sram/
Hard IP: What Types?
● RF/analog
  – PLL, ADC, DAC, bandgap
● RAM
● ROM
● eFuse
● Pad rings
● Basically, all the points you need to backdoor your RTL
Mask Editing
● All masks also go through an editing (“checking”) step
Proc. of SPIE Vol. 8322 83220C-1
Example: Dopant Tampering
● No morphological change
● Circuit behavior change
http://people.umass.edu/gbecker/BeckerChes13.pdf
Spare Cell Rewiring
● Place/route doesn’t use 100% of silicon area
  – Best practice adds “spare” logic throughout for easier mask fixes
  – Requires large morphological changes
Signal Bypass
https://www.researchgate.net/figure/Layout-of-a-D-Flip-Flop-with-asynchronous-reset-containing-8-dummy-gates-4-gaps-and-2_fig2_274254091
https://www.researchgate.net/figure/The-architecture-of-a-typical-DFF_fig11_221922917
Signal Bypass
Supply Chain Attacks: Where?
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
wallet.fail @ 35C3 (T. Roth, D. Nedospasov, J. Datko)
How Far Away Can We Target one Individual?
● “BTO” (Build To Order)
  – “Mass Customization” (MC)
  – “Custom Turnkey Order” (CTO)
https://blogs.opentext.com/maintaining-apples-customer-satisfaction-levels-its-all-about-logistics/
From the Factory to Your Doorstep!
● Operations like CTS push “flavoring” deep into the supply chain
https://www.wired.co.uk/article/liam-casey
Note: Swapping Chips is “Easy”
● Replacing BGA chips in ~30 mins
https://www.youtube.com/watch?v=gImJWY12HXY
So: Big Picture Likely Correct; Details Sketchy
● Reported scheme doesn’t pass Occam’s Razor
  – The implant as described is hard to build, easy to find
Key Take-Aways
● Supply chains are hard even when security isn’t a concern
  – Fakes, gray markets already a hard problem
  – The red team doesn’t care about your secrets, they just want your money :-)
● Accessible, commodity tech readily adapted to yield difficult-to-detect implants
  – Fakes/scammers “seed” the market for implant tech
  – low-$10k’s can yield a wirebond implant
  – mid-$100k’s can yield a WLCSP implant
● Very large attack surface
  – Workers & couriers: porous, transient communities
  – Distributors, factories: misaligned interests
  – BTO practices extend attack surface across borders and companies
Thanks!
@bunniestudios