Access Restriction

Author Dong, Qing ♦ Yang, Kaiyuan ♦ Sylvester, Dennis ♦ Hicks, Matthew ♦ Austin, Todd
Source ACM Digital Library
Content type Text
Publisher Association for Computing Machinery (ACM)
File Format PDF
Language English
Abstract While the move to smaller transistors has been a boon for performance, it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party, often overseas, to fabricate their design. To guard against shipping chips with errors (intentional or otherwise), chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester. In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before affecting a chip's functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transit between digital values. When the capacitors are fully charged, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely controllable privilege escalation by attaching the capacitor to a controllable wire and by selecting a victim flip-flop that holds the privilege bit for our processor. We implement this attack in an OR1200 processor and fabricate a chip. Experimental results show that the proposed attack works. It eludes activation by a diverse set of benchmarks and evades known defenses.
Description Affiliation: Rice University, Houston, TX and University of Michigan, Ann Arbor (Yang, Kaiyuan) || Virginia Tech, Blacksburg, VA and University of Michigan, Ann Arbor (Hicks, Matthew) || University of Michigan, Ann Arbor, MI (Dong, Qing; Austin, Todd; Sylvester, Dennis)
Age Range 18 to 22 years ♦ above 22 years
Educational Use Research
Education Level UG and PG
Learning Resource Type Article
Publisher Date 2005-08-01
Publisher Place New York
Journal Communications of the ACM (CACM)
Volume Number 60
Issue Number 9
Page Count 9
Starting Page 83
Ending Page 91
