Implementing Hardware Trojans (and RF magic, “Battery Man”)

Hardware trojans are both easier and harder than they might seem. A group of researchers implemented a series of them in FPGAs for a competition, and found that none of them were able to pass hardware Trojan detection methods.

However, they did come up with a few neat ideas… including exfiltrating data by CDMA modulating the RF emissions of the circuit!

This raises the possibility of deliberate data exfiltration from an air-gapped system using compromising emissions (commonly known as TEMPEST). Instead of just modifying the system to make these emissions easier to pick up, these emissions are evidently a reasonably practical side-channel too.

Notably, this approach is so practical that other researchers have used it to encode a “side channel hardware watermark” in certain designs. The FPGA secretly transmits an ID code allowing an investigator to determine that a particular device really is in use.

RF magic–
“Radar for the masses” man Charvat shows off a DIY 9Ghz UWB radar:

But that’s well known. Check out the following paper for something that’s *really* nuts.

Schantz, “Theory and Practice of Near-Field Electromagnetic Ranging.”

Anyway, here’s the INSANE part. Look at page 4. When you take two magnetic loops and drive them right, THE ENERGY FLOW PROPAGATES ON A CURVED PATH. THROUGH FREE SPACE.

How is it possible for a signal to propagate on a curved path through free space? Specifically, how does this work without the existence of the old “aether” concept from 100 years ago…?

The answer seems to lie in the way the two antennas’ signals mix at a given distance: the two polarization components interfere constructively only along a curved path.

But I can see why thinking of an “aether” made it a hell of a lot easier to visualize this stuff back in the day.

Battery man: Check this guy out. He has the seemingly unique ability to not get harmed by lots of electricity passing through his body… even enough power to cook a hotdog between two metal forks he’s holding.

(He also seems to be able to store electricity and “discharge” himself on command.)

It’s interesting to note that withstanding lots of current was an experiment Estabrooks performed with some of his hypnotic subjects (an experiment I look rather askance at). Specifically, he found that while most people could only withstand twenty or forty volts from a variac… when he hypnotized them, people would take 140 volts or more (at 60Hz) without so much as blinking!

I suspect this became one of the elements of “hypnotic torture-proofing.”

“In this Trojan we use the EM side-channel to covertly
transmit the secret key. The used technique is very similar to classic CDMA communication techniques. The main idea of
this type of Trojan was introduced in [3] using the power side- channel. The Trojan consists of two parts, a signal generating circuit that encodes the key and a leakage generating circuit that leaks out (transmits) this bit stream. The signal generating circuit itself consists again of two parts, a MUX that selects a key bit to be transmitted and a 10 bit LFSR that generates a 1023-bit long bit-stream. The output of the signal generating circuit is the exclusive-or sum of the selected key bit and the output bits of the LFSR.

The function of the leakage generating circuit is to create
an EM-signal with high amplitude when the output of the
signal generating circuit is a logical “1” and a signal with low amplitude when the output is a “0”. This can be realized in
many different ways. In our design we used several ring
oscillators with an enable signal. The ring-oscillators are only active when the input signal is “1” and inactive when the input is “0”. This will result in a higher switching activity when the output is “1” and hence also in a higher EM signal. One idea behind using a ring-oscillator for the leakage generating circuit is that the frequency of the ring-oscillator is different from the clock frequency. Using signal processing this should result in a good signal-to-noise ratio.

To derive the key we use a side-channel analysis. At first
we collect an EM trace of the FPGA while it is running. To
collect measurements we used a DPO7014 oscilloscope from
Tektronix and a 1cm loop H-field probe from the ETS-
Lindgren near field probe set. We then compute the expected
1023 bit long bit-stream of the used LFSR. In the next step we need to map this bit-stream to our measurement data. As the
LFSR is clocked once per clock-cycle, we need to map one bit of the LFSR output to 20 measurement points. We simply do
this by copying each output bit of the LFSR 20 times and
storing the result in an array. In this way we get a 1023bit * 20 = 20460 bit long hypothesis for one complete iteration of the LFSR. We copy this bit-stream until the length of the bit-
stream matches the length of our trace. In the last step we
perform a cross-correlation of this hypothesis with the trace. A correlation peak should be visible when he LFSR sequence is
aligned with the LFSR in the trace. If the currently selected key bit is “0” this correlation peak is positive while it is negative if the key bit is “1”. This method is well known in communication systems as CDMA. We transmit one bit at a
time in this way. In our design the next key bit was selected using an input button, but other methods such as a counter
could be used as well.

Of course, in practice the use of output pins should be
avoided. To show that this type of Trojan can work without
the use of any pins we would like to refer to [3] and [2]. In [3] simulation results were presented for this type of Trojan using the power side-channel. In [2] a side-channel hardware
watermark was introduced and evaluated on an FPGA that
uses the same method to secretly transmit an ID. Although
both papers focus on power analysis, the EM side-channel
could have been used as well.”

%d bloggers like this: