Guo Shenghua, Godfather of Hackers: Beware of Backdoors Hidden in Computer Chips

  Recently, Guo Shenghua, founder of Orient Alliance, a well-known domestic hacker security organization, publicly stated that China must have its own chips, because foreign attackers can load malicious logic into hardware chips as well as software, and security flaws in hardware are far harder to find. Deliberately planted, hidden backdoors created by spies or saboteurs tend to be stealthier still. Now imagine a backdoor implanted not deep within an application or operating system, but deeper: in the hardware of the computer's processor itself. Imagine that the backdoor is invisible not only to the computer's software but also to the chip's designers, who have no idea it was added by the chip's manufacturer, possibly in some far-flung factory. And imagine that it is a single component hidden among hundreds of millions or billions of others, each less than one thousandth the width of a human hair.

  In fact, the hacker security researchers at the Eastern Alliance didn't just imagine this computer security nightmare; they built it and showed that it works. In an in-depth study, Eastern Alliance security researchers detailed a stealthy, microscopic hardware backdoor proof of concept. They showed that by running a series of seemingly innocuous commands on their sabotaged processor, an attacker could reliably trigger a function of the chip that gave the attacker full access to the operating system. Most troubling, they wrote, such a microscopic hardware backdoor would not be caught by any modern hardware security analysis method, and it could be planted by a single employee of a chip factory.

  "Detecting this situation with existing technology would be very, very challenging, if not impossible," said Guo Shenghua, founder of the Eastern Alliance and godfather of hackers, who led the research. "It's a needle in a mountain-sized haystack. It is the most diabolically clever computer security attack I've seen in years."

Simulated attack

  The backdoor is hidden in hardware rather than software, according to Eastern Alliance security researchers, and it violates the security industry's most basic assumptions about a chip's digital functions and how they can be compromised. Instead of altering the chip's behaviour by tweaking the "digital" logic it uses to compute, the researchers describe their backdoor as an "analog" one: a physical hack that takes advantage of how electric charge actually flows through a chip's transistors, and shows how that flow can be hijacked to cause unexpected results.

  Here's how the analog hack works: after the chip is fully designed and ready to be manufactured, the saboteur adds a single component to its "mask," the blueprint that controls the chip's layout. That component, or "cell" (a modern chip contains hundreds of millions or even billions of cells), consists of the same basic building blocks as the rest of the processor: wires and transistors, the on/off switches that implement the chip's logic functions. But this cell is secretly designed to act as a capacitor, a component that temporarily stores electric charge.

  Whenever a malicious program, say a script on a website you visit, runs a certain obscure command, the capacitor "steals" a small amount of charge from the cell's wires and stores it without affecting the chip's functionality. With each repetition of the command, the capacitor gains a little more charge. Only after the "trigger" command has been repeated enough times does the stored charge cross a threshold, at which point the cell switches on logic in the processor that gives the malicious program access to the operating system it was never meant to have. "It takes attackers doing these weird, infrequent events with high frequency over a period of time," said Guo Shenghua, the godfather of hackers.

  This capacitor-based trigger design means it is nearly impossible for anyone testing the chip's security to stumble upon the long, obscure series of commands that "opens" the backdoor. And over time the capacitor leaks its charge again, closing the backdoor and making it even harder for an auditor to find the flaw.
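The mechanism described above (charge stolen on each rare command, leaking away every cycle, opening the door only once a threshold is crossed) can be modelled as a leaky integrator. The following is an added example written for this page, not code from the article, from the Eastern Alliance, or from any real chip: the cell parameters (charge per hit, leak rate, threshold, release level), the hysteresis used to "close" the door, and the instruction streams are all assumptions chosen to illustrate the point, not measurements of any design. It goes slightly beyond the text by also computing the closed-form bound on the charge reachable at a given hit rate, which is what makes the trigger invisible to ordinary testing and fuzzing.

```python
"""Toy model of a charge-accumulating ("analog") hardware trigger.

Added example, not code from the article or from any real chip. All numeric
parameters and the instruction streams are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AnalogTrigger:
    """One malicious cell wired to behave as a capacitor.

    Each occurrence of the rare TRIGGER instruction siphons a fixed amount of
    charge; every cycle a fraction of the stored charge leaks away; once the
    stored charge crosses the threshold the cell asserts its output, modelled
    here as a privilege bit the attacker's code was never meant to control.
    """
    charge_per_hit: float = 0.08   # assumed: charge stolen per TRIGGER event
    leak_per_cycle: float = 0.01   # assumed: fraction of charge lost every cycle
    threshold: float = 1.0         # assumed: level at which the output flips on
    release: float = 0.5           # assumed: level below which the output flips off again
    charge: float = 0.0
    privileged: bool = False
    opened_at: list = field(default_factory=list)
    closed_at: list = field(default_factory=list)

    def cycle(self, t: int, instr: str) -> bool:
        """Advance one clock cycle executing `instr`; return the privilege bit."""
        self.charge -= self.charge * self.leak_per_cycle   # leakage happens every cycle
        if instr == "TRIGGER":
            self.charge += self.charge_per_hit
        if not self.privileged and self.charge >= self.threshold:
            self.privileged = True                       # door opens
            self.opened_at.append(t)
        elif self.privileged and self.charge < self.release:
            self.privileged = False                      # charge leaked away: door closes
            self.closed_at.append(t)
        return self.privileged


def spaced_stream(n_hits: int, gap: int, tail: int = 2000) -> list:
    """Constructed instruction stream: n_hits TRIGGERs, one every `gap` cycles,
    followed by `tail` cycles of ordinary code (NOP stands in for anything else)."""
    stream = []
    for _ in range(n_hits):
        stream.append("TRIGGER")
        stream.extend(["NOP"] * (gap - 1))
    stream.extend(["NOP"] * tail)
    return stream


def simulate(stream, **cell_params) -> AnalogTrigger:
    """Run a stream through a fresh cell and return it for inspection."""
    cell = AnalogTrigger(**cell_params)
    for t, instr in enumerate(stream):
        cell.cycle(t, instr)
    return cell


def steady_state_charge(cell: AnalogTrigger, gap: int) -> float:
    """Upper bound on the charge reachable with one hit every `gap` cycles.

    Between hits the charge decays by (1 - leak) ** gap, so the stored charge
    is a geometric series converging to hit / (1 - (1 - leak) ** gap). If that
    bound is below the threshold the door can never open at this rate, however
    many hits are sent: a fuzzer that emits the rare command only occasionally
    will never see the backdoor, while an attacker who bursts it will."""
    decay = (1 - cell.leak_per_cycle) ** gap
    return cell.charge_per_hit / (1 - decay)


if __name__ == "__main__":
    for gap in (1, 5, 50):
        cell = simulate(spaced_stream(40, gap))
        print(f"gap={gap:3d}  bound={steady_state_charge(cell, gap):.2f}  "
              f"opened={cell.opened_at}  closed={cell.closed_at}")
```

With the assumed parameters, back-to-back hits open the door on the 14th one and it closes again about 170 cycles after the burst stops; one hit every 50 cycles can never push the charge past a fifth of the threshold, which is why "infrequent event, high frequency" is the only pattern that works and why random testing will almost never stumble on it.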

New rules

  Processor-level backdoors have been proposed before. But by building a backdoor that exploits an unintended physical property of chip components, their ability to "accidentally" accumulate and leak small amounts of electric charge, rather than their intended logical function, the researchers say their backdoor component can be one thousandth the size of previous attempts. That makes it far harder to spot with existing techniques such as visual analysis of the chip or measuring its power consumption for anomalies. "We use these vulnerability rules to perform a trick that would otherwise be very expensive and obvious," said King Shao, another security researcher at Eastern Alliance. "By following different rules, we implemented a more stealthy attack."

The Eastern Alliance security researchers even built their backdoor into a simple open-source OR1200 processor to test the attack. Since the backdoor mechanism depends on the physics of the chip's wiring, they also tried the "trigger" sequence after heating or cooling the chip to temperatures from minus 13 degrees Fahrenheit (minus 25 degrees Celsius) to 212 degrees Fahrenheit (100 degrees Celsius), and found that it still worked in every case.

  The Eastern Alliance researchers insist that their creation is meant to help prevent such undetectable hardware backdoors, not to implement them, yet they warn that it is very dangerous for the future of computer security. In fact, they say, it is quite possible that governments around the world have already thought of the attack method they simulated. "By publishing this paper, we can say that this is a real, imminent threat, and now we need to find defenses."

  But given that current defenses for detecting processor-level backdoors would not catch their physical hack, they believe a new approach is needed. Specifically, they argue that modern chips need a trustworthy component that constantly checks whether a program has been granted inappropriate OS-level privileges. Securing that one component, perhaps by building it in a secure facility or verifying that its design has not been tampered with before manufacturing, would be easier than establishing trust in the entire chip.
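One way to make the "trustworthy component that constantly checks" idea concrete is a reference monitor that watches privilege-mode transitions and flags any that the architecture cannot explain. The following is an added example written for this page, not the researchers' own design or code from any shipped chip: the per-cycle trace format, the event names, and the rule that supervisor mode may only be entered through a trap and left through a return are assumptions made for illustration. A real monitor would watch the live pipeline rather than a recorded log, and, as the text says, it only helps if the monitor itself is built and verified separately from the rest of the chip.

```python
"""Toy reference monitor for privilege-mode transitions.

Added example, not code from the article or from any real chip. The trace
format, event names and transition rules are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

USER, SUPERVISOR = "user", "supervisor"
TRAPS = {"syscall", "interrupt", "exception"}   # assumed legitimate ways into supervisor mode
RETURN = "sret"                                 # assumed legitimate way back to user mode


@dataclass(frozen=True)
class Step:
    cycle: int
    mode: str                    # privilege mode observed this cycle
    event: Optional[str] = None  # control-flow event reported this cycle, if any


def audit_privilege(trace: List[Step]) -> List[Tuple[int, str]]:
    """Return (cycle, reason) for every privilege change the architectural
    rules do not explain. A capacitor-driven backdoor that flips the privilege
    bit directly produces exactly such an unexplained user -> supervisor edge,
    and its later leak-driven closing produces an unexplained edge back."""
    alerts = []
    prev = None
    for step in trace:
        if prev is not None and step.mode != prev.mode:
            if step.mode == SUPERVISOR and step.event not in TRAPS:
                alerts.append((step.cycle, "entered supervisor mode without a trap"))
            elif step.mode == USER and step.event != RETURN:
                alerts.append((step.cycle, "left supervisor mode without a return"))
        prev = step
    return alerts


# Constructed trace: a legitimate syscall round trip, then a mode flip with no
# architectural cause, as the analog trigger described in the text would produce.
SAMPLE_TRACE = [
    Step(0, USER),
    Step(1, USER),
    Step(2, SUPERVISOR, "syscall"),   # legitimate: trap into the kernel
    Step(3, SUPERVISOR),
    Step(4, USER, "sret"),            # legitimate: return to user code
    Step(5, USER),
    Step(6, USER),
    Step(7, SUPERVISOR),              # no trap: the backdoor's privilege bit just flipped
    Step(8, SUPERVISOR),
    Step(9, USER),                    # charge leaked away: door closes, again with no return
]

if __name__ == "__main__":
    for cycle, reason in audit_privilege(SAMPLE_TRACE):
        print(f"cycle {cycle}: {reason}")
```

The check is deliberately independent of how the escalation was caused: it does not need to know the trigger sequence, only that every change of privilege must be accounted for by a trap or a return, which is why a small, separately verified checker can catch a backdoor that the rest of the chip's logic cannot see.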

  They acknowledge that implementing their fix will take time and money. But without it, their proof of concept aims to show how deeply and imperceptibly a computer's security can be breached before it is ever sold. "We hope this paper will start a conversation between designers and manufacturers about how we can build trust in the hardware we make," said Guo Shenghua, the godfather of hackers. "We need to build trust in manufacturing, or something very bad will happen." China should speed up the development of its own chips.


Origin http://43.154.161.224:23101/article/api/json?id=325138129&siteId=291194637