Toward a Trustable, Self-Hosting Computer System Gabriel L. Somlo CERT – SEI Carnegie Mellon University Pittsburgh, PA 15213 Email: [email protected] Abstract—Due to the extremely rapid growth of the the software could, in theory, be presumed to be perfectly computing and IT technology market, commercial hard- secure and free of bugs. ware made for the civilian, consumer sector is increasingly We propose to build trustable computer systems on (and inevitably) deployed in security-sensitive environ- top of Field Programmable Gate Arrays (FPGA), which, ments. With the growing threat of hardware Trojans and due to their generic nature, make it qualitatively harder backdoors, an adversary could perpetrate a full system compromise, or privilege escalation attack, even if the to conceal intentional backdoors implemented in silicon. software is presumed to be perfectly secure. We propose a From there, we leverage the transparency and auditability method of field stripping a computer system by empirically of Free and Open Source (FOSS) hardware, software, proving an equivalence between the trustability of the and compiler toolchains to configure FPGAs to act fielded system on one hand, and its comprehensive set as Linux-capable Systems-on-Chip (SoC) that are as of sources (including those of all toolchains used in its trustworthy as the comprehensive sources used in both construction) on the other. In the long run, we hope their specification and construction. to facilitate comprehensive verification and validation of The remainder of this paper is laid out as follows: fielded computer systems from fully self-contained hard- ware+software sources, as a way of mitigating against Section II presents a brief overview of the hardware the lack of control over (and visibility into) the hardware development lifecycle, pointing out similarities and con- supply chain. trasts to software development. Section III examines hardware backdoor classification criteria relevant to the I. Introduction solution proposed in Section IV. A proof of concept implementation of our proposed solution, currently still Hardware vulnerabilities have presented an increas- undergoing development, is outlined in Section V. Con- ingly dire security threat across the entire user popu- siderations regarding the performance of our prototype lation for the last several decades [1]. The gravity of are presented in Section VI. Finally, conclusions and the problem is compounded by the constantly growing plans for future work are discussed in Section VII. length of microchip design, development, and fabrication supply chains, including outsourcing, the multinational II. Hardware vs.Software Development nature of major chipmakers, and the global and highly mobile nature of the workforce they employ. Due to the Modern hardware is developed in a way that shares extremely rapid growth of the microchip market over the many similarities with software [9]. After an architec- last several decades, customers with enhanced security tural design step, the desired behavior is expressed in sensitivity (e.g., governments, militaries, and security a source hardware description language (HDL). HDLs agencies) are increasingly forced to use chips targeted (e.g., Verilog and VHDL) tend to be languages with at the civilian consumer market, and individually no strong functional and declarative characteristics. Source longer have the market size that would put them in “code” is then compiled, resulting in either photolito- a position to demand adequate supply chain security graphic masks for dedicated application-specific inte- assurances from their vendors [2]. As evidenced by grated circuits (ASICs), or configuration data (bitstream) both academic research and practical industry experience for field-programmable gate arrays (FPGAs). Debugging [3], [4], [5], [6], [7], [8], carefully planted hardware and documentation are also stages shared with software Trojans or backdoors may allow malicious attackers to development, as well as iterating through all stages mul- completely take over a victim computer system, even if tiple times until the desired behavior is accomplished. module alu_mod ( op // operator: financial and time commitments required to fabricate input alu_op_t op, a + // operands: dedicated ASICs at high volume. FPGAs also offer input logic [31:0] a, b, // result: output logic [31:0] res); x good value when the projected production volume is not always_comb begin m expected to cover the sunk costs of ASIC fabrication. unique case (op) ALU_ADD: res = a + b; ^ u res ALU_MUL: res = a * b; x Generally, hardware designs deployed on FPGAs are ALU_XOR: res = a ^ b; ALU_AND: res = a & b; larger, slower, and more power-hungry than equivalent ALU_OR : res = a | b; & default: res = 32'b0; optimized ASICs. However, in Section IV we argue that endcase end or endmodule: alu_mod b 0 FPGAs also offer valuable additional security assurance a) b) c) opportunities. III. Overview of Hardware Vulnerabilities News outlets and IT trade publications often refer to malicious firmware [10], [11] as “hardware” attacks, primarily due to where they are stored (typically, flash on a computer’s motherboard), and to their persistent nature (capability to survive a hard disk wipe and OS reinstall). To be precise, from this paper’s perspective, those would d1) d2) be considered software attacks, as the malicious behavior Fig. 1. Hardware Compilation Pipeline. is still codified in the form of CPU instructions. The hardware vulnerabilities discussed below manifest in the behavior of the CPU (and associated chip set) itself, and The main stages of a hardware compilation pipeline occur at or below the CPU’s instruction set architecture are shown in Fig. 1. First, the HDL source code (Fig. 1a) (ISA) in terms of the abstraction layers affected. is passed through an elaboration stage that builds a graph Several classification criteria for hardware vulnerabili- of standard blocks (Fig. 1b) representing the specified ties have emerged from industry and academic hardware design. Next, logic synthesis and optimization converts security research [12], [13], [14], [15], [16]. Without loss high-level blocks into an optimized graph consisting of of generality, we find the following simplified breakdown basic logic gates (Fig. 1c). relevant: From there, technology mapping, placement, and rout- • Insertion Method: Development stage (see Fig. 1) ing generate either a set of optimized masks, to be where the vulnerability is introduced: etched into dedicated silicon ASICs using an expensive – Design, Implementation: Vulnerabilities present and labor-intensive photolitography process (Fig. 1d1), in source code, introduced accidentally or ma- or bitstream to instruct an FPGA’s configurable logic liciously; e.g., Spectre [7] and Meltdown [8]. blocks (CLBs) and programmable interconnect elements – Toolchain: A compromised HDL compiler on how to wire themselves together in order to “act out” toolchain may generate maliciously misbehav- the required design (Fig. 1d2). When multiple authors’ ing ASIC masks or FPGA bitstream from per- designs are linked together, they are referred to as fectly clean and innocent sources [5]. either Hard (ASIC masks) or Soft (FPGA bitstream) – Fabrication: Malicious ASIC fabrication plants intellectual property (IP) cores. may reverse engineer a customer’s masks, and While both traditional CPUs and FPGAs are “pro- carefully alter them to insert backdoors or grammable”, the crucial difference is that the former exe- Trojans into the microchips being produced. cute a sequential stream of instruction opcodes read from Examples include subtly altering a random RAM, while the latter receive their entire configuration at number generator to weaken encryption [3], or once. While a CPU’s opcode sequence tells it what to do, allowing a CPU’s privilege mode flag to be the bitstream tells an FPGA what to be. FPGA bitstream flipped during the execution of a prearranged resides in a special memory that is written once during sequence of unprivileged instructions [6]. configuration, and remains unmodified for as long as the • Severity: Level of damage incurred by the system’s configured device is in operation. owner during an attack: FPGAs are frequently used to debug, test, and val- – Denial of Service (DoS): An attacker can de- idate a hardware design before making the very large stroy the system, or otherwise degrade its per- Research Review 2019 Anchoring Trust for Fielded Systems formance, making it unavailable to its owner; e.g., a “self-destruct” switch or timer. CVBuilder C – Privilege Escalation: Any method facilitating Sources Compiler an attacker’s unauthorized access to a system or SystemCV its data; includes everything from side channels Sources Fielded (blueprint, for data exfiltration to a remote take-over. Build Tool System design, etc.) First, we observe that ASIC fabrication attacks (ca- pable of inserting both DoS and privilege escalation Field Stripping a Weapons System: Building a Trustworthy Computer [DISTRIBUTION STATEMENT A] Approved for public release and Gabriel L. Somlo, Ph.D. unlimited distribution. 13 backdoors) can not be prevented without ownership and Fig. 2. Trust Anchor© 2019 Carnegie Mellon University for Fielded Computer Systems. control of the chip foundry, an increasingly difficult and unlikely proposition. Proposed mitigation attempts include: visually inspecting a microscopic die-shot of be compared to a “needle in a haystack”, perpetrating the silicon [17], obfuscating the chip’s interaction with a similar attack
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-