SITIS Archives - Topic Details
Program:  SBIR
Topic Num:  OSD10-IA1 (OSD)
Title:  Countermeasures to Malicious Hardware to Improve Software Protection Systems
Research & Technical Areas:  Information Systems

Acquisition Program:  
  Objective:  Develop innovative countermeasures to malicious hardware modifications for the purposes of developing trusted software protection systems.
  Description:  Software protection system design methodology has focused on reducing the vulnerabilities of those systems to attack by reducing the dependence on untrusted components and making critical information inaccessible to the adversary [1]. These protection systems run primarily on commercial-off-the-shelf (COTS) computers, but often rely on tamper-proof hardware built using COTS parts to provide a secure mechanism to store critical data and/or execute critical pieces of the application being protected [2]. However, the security of the protection system depends on the trustworthiness of the underlying hardware components that are running and storing the software and data. These components include the parts on COTS computer systems on which the applications execute (or partially execute) as well as the COTS parts from which custom hardware-assisted protection solutions are built [2]. National security concerns have been raised over the outsourcing of chip fabrication and other integrated circuit manufacturing overseas, since these devices are used in DoD weapon systems. The risk is that if an adversary can maliciously alter hardware and/or firmware on printed circuit boards, integrated circuits, or reconfigurable components used in DoD systems, the device functionality can be altered, privileges escalated, critical data leaked, or denial-of-service attacks levied on the system at a later date and time when those systems are operational [3]. To add to the risk, hardware can be altered at other stages in the systems engineering process, including design, manufacturing, packaging, integration, and deployment, through the use of third party software/firmware tools used to program the devices or via direct hardware modifications, even within the United States. The goal of this research is to design and develop non-destructive techniques that detect and respond to malicious hardware/firmware modifications that are made for the purposes of software piracy/data exfiltration, reverse engineering, and malicious alteration of critical software applications and data running on COTS systems or whose security system utilizes COTS parts [2]. Solutions of interest include developing countermeasures to hardware Trojans introduced in COTS computer hardware elements (e.g., CPU, chipsets, motherboards, hard disk drives, peripheral cards) [4], as well as attached custom hardware boards or components (such as an FPGA or ASIC) [5] that might be used as part of a hardware-assisted software protection system [2]. Malicious hardware to be considered includes ‘functional’ Trojans that add malicious circuitry to hardware components [6], ‘parametric’ Trojans that modify (but do not add to) the original circuitry [7], and firmware Trojans that alter the hardware device functionality [8]. Hardware/firmware Trojan triggering mechanisms to be addressed include internally and externally activated signals, such as (1) rare input data values, (2) time triggering, (3) internal logic state, and (4) external sensors. Factors to consider in countermeasure development [9] [10] include, but are not limited to, (1) invasiveness of the approach, (2) false positive and false negative rates, (3) types of Trojans detected, (4) ability to detect small Trojans, (5) performance of the detection procedure and the impact on the protected application, and (6) cost.

  PHASE I: 1) Develop a concept to detect and respond to malicious hardware/firmware modifications to COTS parts and systems. 2) Research the advantages and disadvantages of the approach (considering the factors stated above). 3) Produce a detailed research report outlining the design and architecture of the system, as well as the advantages and disadvantages of the proposed approach.
  PHASE II: 1) Based on the results from Phase I, design and implement a fully functioning prototype solution. 2) Emulate a hardware Trojan on a COTS part and demonstrate its effectiveness in compromising a software protection system. 3) Provide test and evaluation results that demonstrate the effectiveness of the solution to detect and react to the hardware Trojan demonstrated in 2). 4) Develop a final report enumerating the specific threats addressed and countermeasures developed in the prototype solution.

  PHASE III

  DUAL-USE APPLICATIONS: The technology developed under this research topic will mitigate the risk of malicious hardware and improve the trustworthiness of software protection systems. DoD applications that will benefit from this technology include a wide range of embedded systems, such as weapons systems, avionics, communications, and sensor systems. Commercial applications include financial systems, voting machines, communication systems, and SCADA systems. As a result, this technology is vital for both the DoD and commercial organizations.

  References:  [1] Software Protection Initiative, The Three Tenets of Cyber Security, http://spi.dod.mil/tenets.htm [2] IBM 476 PCI-X Cryptographic Coprocessor, http://www-03.ibm.com/security/cryptocards/pcixcc/overhardware.shtml [3] Fouad Kiamilev, et. al., “Demonstration of Hardware Trojans,” CVORG, University of Delaware, http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-kiamilev.pdf [4] Loic DuFlot, “CPU bugs, CPU backdoors and consequences on security,” Journal in Computer Virology, Vol. 5, No. 2, May 2009, 91-104. [5] Ilija Hadzic, Sanjay Udani and Jonathan M. Smith, “FPGA Viruses,” http://www.cis.upenn.edu/~jms/papers/fpgavirus.pdf [6] Francis Wolff, Chris Papachristou, Swarup Bhunia, Rajat S. Chakraborty, “Towards Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme,” Case Western Reserve University, http://www.date-conference.com/archive/conference/proceedings/PAPERS/2008/DATE08/PDFFILES/IP5_2.PDF [7] Y. Shiyanovskii, F. Wolff, C. Papachristou, D. Weyer, and W. Clay, “Hardware Trojan by Hot Carrier Injection,” http://arxiv.org/PS_cache/arxiv/pdf/0906/0906.3832v1.pdf [8] Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou, “Designing and implementing malicious hardware,” http://www.cs.uiuc.edu/homes/kingst/Research_files/king08.pdf [9] Benjamin Sanno, “Detecting Hardware Trojans,” Ruhr-University Bochum, Germany, http://www.crypto.ruhr-uni-bochum.de/imperia/md/content/seminare/itsss09/benjamin_sanno.semembsec_termpaper_20090723_final.pdf [10] Markus Kuhn, “Trojan Hardware – some strategies and defenses,” University of Cambridge, http://www.cl.cam.ac.uk/~mgk25/dagstuhl08-hwtrojan.pdf

Keywords:  Malicious Hardware, Hardware Trojans, Firmware Trojans, FPGA viruses, Software Protection, Hardware Supply Chain

Questions and Answers:
Q: Where would I find information on the network systems being used?
A: The main focus area is developing countermeasures for malicious hardware/firmware that might exist on commercial-off-the-shelf desktops, workstations, mobile devices or other embedded systems.
Q: What level of granularity are you wanting addressed? It seems like we could focus on parts at the device level or the chip level, device level being on the order of peripheral devices (e.g., network cards), and chip level being on the order of FPGAs or ASICs.
A: Malicious hardware at either the chip or device level (as you have defined them) is acceptable. The main focus of the topic is to protect commercial-off-the-shelf (COTS) computer systems (i.e., desktops/laptops/mobile devices/embedded systems) from malicious hardware. Assume that the parts (chips or devices) are already compromised or can be compromised in the field (in the case of firmware). Priority will be given to solutions which can be directly applied to COTS components or systems without rework or redesign by the hardware manufacturer. Having said that, we recognize that for a number of reasons this approach may have limitations, so other solution that do require hardware manufacturing modifications will be considered.
However, adoptability and practical implementation of the solution will be significant factors in the evaluation process.

Record: of