Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive

Pawel Swierczynski1, Marc Fyrbiak1, Philipp Koppe1, Amir Moradi1, Christof Paar1,2 (IEEE Fellow)

1 Horst Görtz Institut for IT-Security, Ruhr-Universität Bochum, Germany
2 University of Massachusetts Amherst, USA

Abstract As part of the revelations about the NSA activities, the notion of interdiction has become known to the public: the interception of deliveries in order to manipulate hardware in a way that introduces backdoors. Manipulations can occur at the firmware or at the hardware level. With respect to hardware, FPGAs are particularly interesting targets, as they can be altered by manipulating the corresponding bitstream which configures the device. In this paper, we demonstrate the first successful real-world FPGA hardware Trojan insertion into a commercial product. On the target device, a FIPS-140-2 level 2 certified USB flash drive from Kingston, the user data is encrypted using AES-256 in XTS mode, and the encryption/decryption is processed by an off-the-shelf SRAM-based FPGA. Our investigation required two reverse-engineering steps, related to the proprietary FPGA bitstream and to the firmware of the underlying ARM CPU. In our Trojan insertion scenario the targeted USB flash drive is intercepted before being delivered to the victim. The physical Trojan insertion requires the manipulation of the SPI flash memory content, which contains the FPGA bitstream as well as the ARM CPU code. The FPGA bitstream manipulation alters the exploited AES-256 algorithm in a way that turns it into a linear function, which can be broken with 32 known plaintext-ciphertext pairs. After the manipulated USB flash drive has been used by the victim, the attacker is able to obtain all user data from the ciphertexts. Our work highlights the security risks, and especially the practical relevance, of FPGA bitstream modification attacks.

Keywords hardware Trojan · real-world attack · FPGA security · AES

1 Introduction

In this section we provide an overview of our research and related previous works in the area of hardware Trojans and Field Programmable Gate Array (FPGA) security.

1.1 Motivation

As a part of the revelations by Edward Snowden, it became known that the National Security Agency (NSA) allegedly intercepts communication equipment during shipment in order to install backdoors [28]. For instance, Glenn Greenwald claims that firmware modifications have been made in Cisco routers [12,27,18]. Related attacks can also be launched in "weaker" settings, for instance, by an adversary who replaces existing equipment with one that is backdoor-equipped, or by exploiting reprogramming / updatability features to implant a backdoor. Other related attacks are hardware Trojans installed by OEMs. It can be argued that such attacks are particularly worrisome because the entire arsenal of security mechanisms available to us, ranging from cryptographic primitives through protocols to sophisticated access control and anti-malware measures, can be invalidated if the underlying hardware is manipulated in a targeted way. Despite the extensive public discussions about alleged manipulations by British, US, and other intelligence agencies, the technical details and feasibility of the required manipulations are very much unclear. Even in the research literature most hardware Trojans are implemented at a high level (e.g., King et al. [16]) and thus assume an attacker at the system design phase [15,24].

1.2 Contribution

The goal of the contribution at hand is to provide a case study on how a commercial product, which supposedly provides high security, can be weakened by meaningful low-level manipulations of an existing FPGA design. To the best of our knowledge, this is the first time that it is being demonstrated that a bitstream modification of an FPGA can have severe impacts on the system security of a real-world product. We manipulated the unknown and proprietary Xilinx FPGA bitstream of a FIPS-140-2 level 2 certified device. This required several steps, including the reverse-engineering of the bitstream file format, Intellectual Property (IP) core analysis, and a meaningful modification of the hardware configuration.

Our target device is a DataTraveler 5000, an overall FIPS-140-2 level 2 certified1 Universal Serial Bus (USB) flash drive from Kingston. It utilizes a Xilinx FPGA for high-speed encryption and decryption of the stored user data. As indicated before, we implant a hardware Trojan by manipulating the proprietary bitstream of the FPGA, resulting in a maliciously altered Advanced Encryption Standard (AES)-256 IP core that is susceptible to cryptanalysis.

In the underlying adversary model it is assumed that the adversary can provide a manipulated USB flash drive to the victim. For accessing the (seemingly strongly encrypted) user data, the adversary can obtain the device by stealing it from the victim. Alternatively, it is also imaginable that a covert, remote channel can be implanted in the target system. Due to our manipulations, the adversary can easily recover all data from the flash drive. It seems highly likely that the attack remains undetected, because the cryptographic layer is entirely hidden from the user. Similar attacks are possible in all settings where encryption and decryption are performed by the same entity, e.g., hard disk encryption or encryption in the cloud.

1 Many categories even fulfill the qualitative security level 3, cf. [4].

1.3 Related Work

Two lines of research, which have been treated mainly separately so far, are particularly relevant to our contribution, i.e., FPGA security and hardware Trojans. FPGAs are reprogrammable hardware devices which are used in a wide spectrum of applications, e.g., network routers, data centers, automotive systems, as well as consumer electronics and security systems. In 2010 more than 4 billion devices were shipped world-wide [19]. Surprisingly many of these applications are security sensitive, thus modifications of designs pose a serious threat to real-world systems. Despite the large body of FPGA security research over the past two decades, cf. [10], the issue of maliciously manipulating a commercial and proprietary third-party FPGA design, with the goal of implanting a Trojan that weakens the system security of a commercial high-security device, has never been addressed to the best of our knowledge. SRAM-based FPGAs, for which the configuration bitstream is stored in external (flash) memory, dominate the industry. Due to their volatility, SRAM-based FPGAs have to be re-configured at every power-up. Hence, in a scenario where an adversary can make changes to the external memory chip, the insertion of hardware Trojans becomes a possible attack vector. It has long been known that FPGA bitstream manipulation is feasible, but the complexity of maliciously altering the given hardware resources of a third-party FPGA configuration has not been addressed in practice. From an attacker's point of view, the malicious manipulation of a third-party FPGA bitstream presents several practical hurdles that must be overcome. Amongst the main problems is the proprietary bitstream format that obfuscates the encoding of the FPGA configuration: there is no support for parsing the bitstream file into a human-readable netlist, i.e., the internal FPGA configuration cannot be explored. However, previous works have shown that Xilinx' proprietary bitstream file format can be reverse-engineered back to the netlist representation up to a certain extent [26,7,30]. In general, it seems to be a safe assumption that a determined attacker can reverse-engineer all (or at least the relevant) parts of the netlist from a given third-party bitstream. As the next crucial steps, the adversary must detect and manipulate the hardware design. To the best of our knowledge, the only publicly reported detection and malicious manipulation of cryptographic algorithms targeting a third-party bitstream is by Swierczynski et al. [29], which is also the basis of our work. The related work by Chakraborty et al. [8] demonstrated the accelerated aging process of an FPGA by merging a ring-oscillator circuitry into an existing bitstream. However, the presented attack cannot change the existing parts (described as "Type 1 Trojan" in their work, e.g., the relevant parts of a cryptographic algorithm or access control mechanism) and hence is not applicable to undermine the system security of our targeted device. Thus, we cover and demonstrate the theoretically described "Type 2 Trojan" defined by Chakraborty et al. [8]. Such Trojans are able to alter the existing hardware resources and expectedly require more analysis of the design.

Another related work was done by Aldaya et al. [5]. The authors demonstrated a key recovery attack for all AES key sizes by tampering with T-boxes which are stored in the Block RAM (BRAM) of Xilinx FPGAs. It is a ciphertext-only attack, and it was demonstrated that various previously proposed FPGA-based AES implementations are vulnerable to their proposed method.

One other practical hurdle for injecting a Trojan

stream contains the configuration rules for programmable logic components and programmable interconnections. One can agree that it is arguable whether FPGA Trojans are "true" hardware Trojans. On the other hand, the bitstream controls the configuration of all hardware elements inside the FPGA, and attacks as shown in this paper lead to an actual change of the hardware configuration. Thus, even though they represent a corner case, we believe it is justified to classify FPGA Trojans as hardware Trojans.
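The abstract states that the bitstream manipulation turns the drive's AES-256 into a linear function that is broken with 32 known plaintext-ciphertext pairs. The following Python is an added example, not code from the paper or from the device: it implements AES-256 with a pluggable S-box, checks that swapping the genuine S-box for a GF(2)-linear one makes the whole cipher affine over GF(2), and mounts the resulting known-plaintext attack. The identity S-box as the "Trojaned" S-box is an assumption made here for illustration; the paper's concrete modification, and the reason for its figure of 32 pairs, are described in its later sections, not on this page. With the generic modification shown here, one known pair already fixes the key-dependent constant, after which every other ciphertext is recovered by solving a 128x128 system over GF(2) without ever learning the key. The key, the two secret blocks and the "known header" block are constructed sample data; the FIPS-197 test vector is used to check the unmodified cipher.

```python
"""Added example, not code from the paper or the device: an AES-256 whose S-box
is swapped for a GF(2)-linear map collapses into an affine function of the
plaintext, so one known plaintext/ciphertext pair breaks every other block
without the key. The identity S-box as the "Trojan" is an assumption made here."""
import random

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return r

def aes_sbox():
    """Genuine AES S-box: GF(2^8) inversion followed by the FIPS-197 affine map."""
    inv = [0] + [next(b for b in range(1, 256) if gmul(a, b) == 1) for a in range(1, 256)]
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xff
    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in inv]

AES_SBOX = aes_sbox()
IDENTITY_SBOX = list(range(256))      # assumed Trojan: a GF(2)-linear "S-box"
bxor = lambda x, y: bytes(p ^ q for p, q in zip(x, y))

def expand_key_256(key, sbox):
    """AES-256 key schedule (Nk = 8, 60 words); SubWord uses the same S-box as the rounds."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:                                  # RotWord + SubWord + Rcon
            t = [sbox[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        elif i % 8 == 4:                                # SubWord only
            t = [sbox[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def encrypt_block(block, key, sbox):
    """One AES-256 block encryption; the state is column-major as in FIPS-197."""
    rk = expand_key_256(key, sbox)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 15):
        s = [sbox[b] for b in s]                                    # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]          # ShiftRows
        if rnd != 14:                                               # MixColumns
            s = sum(([gmul(a, 2) ^ gmul(b, 3) ^ c ^ d, a ^ gmul(b, 2) ^ gmul(c, 3) ^ d,
                      a ^ b ^ gmul(c, 2) ^ gmul(d, 3), gmul(a, 3) ^ b ^ c ^ gmul(d, 2)]
                     for a, b, c, d in (s[j:j + 4] for j in range(0, 16, 4))), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                     # AddRoundKey
    return bytes(s)

def is_gf2_affine(f, trials=40, seed=7):
    """f(a) ^ f(b) ^ f(a ^ b) ^ f(0) == 0 for all a, b iff f is affine over GF(2)."""
    rng, f0 = random.Random(seed), f(bytes(16))
    for _ in range(trials):
        a, b = (bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(2))
        if any(bxor(bxor(f(a), f(b)), bxor(f(bxor(a, b)), f0))):
            return False
    return True

def linear_part(sbox):
    """Columns L(e_i) of the key-independent linear part L(x) = E_K(x) ^ E_K(0)."""
    k0, base = bytes(32), encrypt_block(bytes(16), bytes(32), sbox)
    return [int.from_bytes(bxor(encrypt_block((1 << i).to_bytes(16, "big"), k0, sbox),
                                base), "big") for i in range(128)]

def gf2_solve(cols, y):
    """Subset of cols whose XOR is y (Gaussian elimination over GF(2)), as a bitmask."""
    basis = {}                                      # pivot bit -> (vector, mask)
    for i, v in enumerate(cols):
        m = 1 << i
        while v and (v.bit_length() - 1) in basis:
            p = v.bit_length() - 1
            v, m = v ^ basis[p][0], m ^ basis[p][1]
        if v:
            basis[v.bit_length() - 1] = (v, m)
    m = 0
    while y:
        p = y.bit_length() - 1
        if p not in basis: raise ValueError("y is outside the image of L")
        y, m = y ^ basis[p][0], m ^ basis[p][1]
    return m

def break_linear_aes(known_pt, known_ct, target_cts, sbox=IDENTITY_SBOX):
    """One known pair yields c_K; every other ciphertext is then inverted through L."""
    cols = linear_part(sbox)
    c_k = bxor(known_ct, bxor(encrypt_block(known_pt, bytes(32), sbox),
                              encrypt_block(bytes(16), bytes(32), sbox)))
    return [gf2_solve(cols, int.from_bytes(bxor(ct, c_k), "big")).to_bytes(16, "big")
            for ct in target_cts]

def demo():
    key, known = bytes(range(32)), b"KNOWN-HEADER-BLK"    # constructed scenario data
    secrets = [b"attack at dawn!!", b"0123456789abcdef"]
    cts = [encrypt_block(p, key, IDENTITY_SBOX) for p in secrets]
    return break_linear_aes(known, encrypt_block(known, key, IDENTITY_SBOX), cts)
```

The linearity probe in is_gf2_affine is the check a practitioner can run against any black-box encryption function (a bitstream-backed AES core included) without knowing the key: the genuine S-box fails it on the first random sample, the replaced one never does. The attack needs only L, which the attacker knows because they designed the modification, plus one plaintext the victim is likely to store, such as a file header.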