Supply Chain Security:“If I Were a Nation-State…”

Bluehat.il 2019 bunnie

@bunniestudios

I’m a Hardware Guy.

When Everyone Was Doing the Dotcom Thing...

I Wasted My Time Doing This…

Time Passes…

נהור סגי לעווירא צווחין סמייא בשוק“In the land of the blind, the one-eyed man is King”

(if Google is to be believed)

A Few Years Designing Silicon…

Now: Mostly, I Build Systems…

Which Means Dealing with Supply Chains.

Supply Chains are Not Friendly Territory

Supply Chain Attacks: Why, What, & Where

Supply Chain Attacks: Why?

● Getting in– Backdoors to assist rootkits/exploits

● Getting out– Exfiltrating or leaking data

● Sabotage– Selective defeat/destruction of equipment

Substitute Component

● Simple “BOM swap”: many components look alike

So Only Accept “Authentic” Chips! Right?

Fun Fact: Kingston Doesn’t Have a Fab.Then Where Do Kingston DDR Chips Come From?

The RAM Market is Fluid

● RAM makers produce RAM chips faster than they can test them– eTT/uTT (effectively tested, untested) & “downgrade” sold as

unmarked chips– Substantially cheaper

Add System Component

About Them X-Rays...

Obvious

Less obvious

Add IC in package

● Hide an additional chip inside a package● Chips are harder to see under X-ray● Multiple chips in package is a mature technology

A Closer Look: Wirebonding

Wirebonding

Wirebonding is Versatile: Chip on Chip

● Complex, 3D bonding patterns● Purpose: supply chain

flexibility– Mfg will routinely swap out

sub-components to optimize cost, yield

Design or Implant?

● Silicon is fairly transparent to X-rays

● Copper traces tend to mask silicon

Closer Look: A “Typical” Wirebond IC

3D View X-Ray view

Piggybacking an Implant IC

Unmodified With implant

X-Ray View

Unmodified With implant

An Actual Piggy Back in X-Ray

https://electroiq.com/chipworks_real_chips_blog/2010/09/13/samsungs-eight-stack-flash-shows-up-in-apples-iphone-4/

Top view: looks like straight wires

Side view: visible, but requires unobstructed line of sight

Wirebonded Implants

● Leverages mature, commodity technology● $ few thousand, few weeks to develop

– Using commodity outsourced equipment– Maybe couple $100k’s to buy wirebonder + molding line outright– Can use commodity MCUs/FPGAs for exploit

● Detectable in X-rays

Concept: Through-Silicon Via

https://www.youtube.com/watch?v=20t4FCH3K60

0.1-0.2mm

Implant IC with TSV

Unmodified With implant

X-Ray View: Wirebond Positions Unchanged

Unmodified With implant

Wirebond + TSV Implants

● Requires bespoke MITM chip● Harder to detect with X-rays

What about WLCSP?

WaferLevelChipScalePackage

● No wirebonds● Direct chip-to-

board via solderballs

WLCSPs are Increasingly Popular...

iFixit CC BY NC SA 3.0

Detection: Unmodified

WLCSPs Often Have a Seam

WLCSP Implants

● Pro: Logistically easier than wirebond implants– Target chips sold in chip form– No package to reverse engineer

● Pro: TSV/WLCSP is commodity tech– WLCSP very common in mobile, increasingly common in servers– HBM graphics chips use TSV (Radeon R9, Nvidia GP100, GV100, Titan V)

● Con: Requires fabricating custom TSV template for attacks– mid-$100k’s to set up– Needs access to a mid-end fab

● Pro: Hard to detect– Almost no X-ray footprint– Almost no visual footprint

Total IC Substitution

● Develop or adapt an exploit IC● Possible objectives:

– Add shadow memory● This is trivial: e.g. enlarge I2C/SPI EEPROM

– Modify system control behaviors● PSU/reset/clocks controlled by simple ICs● Emulate system controllers with e.g. FPGA of about same die size + RDL

https://electroiq.com/2011/05/rdl-an-integral-part-of-today-s-advanced/

Ultimate Attack: IC Backdoors

● “Ultimate” attack– Bimodal – hard to set up the relationships to execute, but once

established, easy to repeat

● Persistent● Hard to attribute● Hard to detect

https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf

Netlist Tampering: ASIC vs COT

● ASIC – “Application Specific Integrated Circuit”– Customer does RTL + floorplan– Foundry does detail place/route,

IP integration, pad ring– Popular for e.g. cheap support

chips: ● Server BMC● Disk controllers● Set top boxes

● COT – “Customer Owned Tooling”– Customer does full flow, down

to a nominal GDS-II mask– Several extra headcount +

$millions for back-end tooling software

– Necessary for high-performance / flagship products (CPU/GPU/router)

ASIC Flow Example: SOCIONEXT

● $1.3bb revenue (2016)

So I’m Safe with COT, Right?

COT Weaknesses: “Hard IP” Tampering

● COT designers still leave large “holes” in the layout for hard IP– Foundry merges proprietary

blocks with agreed upon connection points

https://cornell-ece5745.github.io/ece5745-tut8-sram/

Hard IP: What Types?

● RF/analog– PLL, ADC, DAC, bandgap

● RAM● ROM● eFuse● Pad rings● Basically, all the points you need to backdoor your RTL

Mask Editing

● All masks also go through an editing (“checking”) step

Proc. of SPIE Vol. 8322 83220C-1

Example: Dopant Tampering

● No morphological change● Circuit behavior change

http://people.umass.edu/gbecker/BeckerChes13.pdf

Spare Cell Rewiring

● Place/route doesn’t use 100% of silicon area– Best practice adds “spare”

logic throughout for easier mask fixes

– Requires large morphological changes

Signal Bypass

https://www.researchgate.net/figure/Layout-of-a-D-Flip-Flop-with-asynchronous-reset-containing-8-dummy-gates-4-gaps-and-2_fig2_274254091

https://www.researchgate.net/figure/The-architecture-of-a-typical-DFF_fig11_221922917

Signal Bypass

Supply Chain Attacks: Where?

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/

wallet.fail @ 35C3 (T. Roth, D. Nedospasov, J. Datko)

How Far Away Can We Target one Individual?

● “BTO” (Build To Order)– “Mass Customization” (MC)– “Custom Turnkey Order” (CTO)

https://blogs.opentext.com/maintaining-apples-customer-satisfaction-levels-its-all-about-logistics/

From the Factory to Your Doorstep!

● Operations like CTS push “flavoring” deep into the supply chain

https://www.wired.co.uk/article/liam-casey

Note: Swapping Chips is “Easy”

● Replacing BGA chips in ~30 mins

https://www.youtube.com/watch?v=gImJWY12HXY

So: Big Picture Likely Correct; Details Sketchy

● Reported scheme doesn’t pass Occam’s Razor– The implant as described is hard to

build, easy to find

Key Take-Aways

● Supply chains are hard even when security isn’t a concern– Fakes, gray markets already a hard problem– The red team doesn’t care about your secrets, they just want your money :-)

● Accessible, commodity tech readily adapted to yield difficult-to-detect implants– Fakes/scammers “seed” the market for implant tech– low-$10k’s can yield a wirebond implant– mid-$100k’s can yield a WLCSP implant

● Very large attack surface– Workers & couriers: porous, transient communities– Distributors, factories: misaligned interests– BTO practices extends attack surface across borders and companies

Thanks!

@bunniestudios