Hardware Security, Covert Channel Detection, and Malware
December 14, 2015
This article discusses hardware security, covert channels, and malware.
Security has different domains. Typically when people think of information security they focus primarily on the software domain, but remember that the hardware domain is just as important.
Recent academic discoveries have enhanced the capabilities of attackers (advanced persistent threats) to create newly evolved stealth hardware trojans which cannot be detected. In addition to this discovery, we have covert channels that hide malware behavior in the software domain.
Hardware Trojans: Why Securing the Supply Chain is Imperative
There are theoretical methods in development for detecting certain kinds of hardware trojans, such as the “clock sweeping technique” (Zheng, Wang, & Bhunia, n.d.) and “exhaustive testing of k-bit subspaces” (Lesperance, Kulkarni, & Cheng, 2015).
There are also theoretical techniques for producing undetectable hardware trojans. These undetectable hardware trojans represent a big threat. Because of the nature of this threat we may have to assume that hardware not produced in a trusted way, through a trusted foundry with a transparent supply chain, could be compromised.
In 2013 two newly released academic papers offered a theoretical basis for producing stealth hardware trojans that we have no way to distinguish from legitimate circuitry, and therefore no way to detect:
- One by Becker, Regazzoni, Paar & Burleson titled “Stealthy dopant-level hardware trojans”, which made news in the information security blogosphere,
- And another by Wei & Potkonjak titled “The undetectable and unprovable hardware trojan horse”.
How do you combat the undetectable stealth hardware trojans?
Ethereum and securing the supply chain with Provenance
Ethereum is described as a “world computer” by its evangelists, but to be more technical, Ethereum was intended to be a blockchain with a Turing complete scripting language, allowing for generalized programmability in the development of DAOs. DAO stands for decentralized autonomous organization. Another relevant acronym is DAC which stands for decentralized autonomous corporation.
The scripts on Ethereum are called “smart contracts”, and they are self-enforcing because the code is supposed to represent the rule(s). Ethereum is categorized as a Bitcoin-inspired project since it took some of the concepts Bitcoin uses, such as proof of work, and uses solutions like Merkle chains, but it goes further by taking risks Bitcoin did not take in order to solve the problem of creating DAOs/DACs. Ethereum aims to be very flexible, allowing for open experimentation.
Securing the supply chain is not going to be an easy task. The current trends in technology point to decentralized solutions, such as those provided by Provenance, which expects to run on Ethereum. Even in this case, the fact that Ethereum is Turing complete (so the behavior of an arbitrary contract is undecidable in general) means there could be decentralized apps that behave in non-deterministic ways. Ethereum itself is software, and it does not solve the problem of hardware trojans, which may in fact compromise the machines running the software.
Hardware trojans remain an open problem. Securing the supply chain itself appears to be the only possible solution to mitigating stealth hardware trojans.
Malware is going stealth
Covert channels exist in one shape or form or another, and the techniques involved, together with the difficulty of detecting them, currently favor the malware makers. Covert channels are communications channels which transmit information in unexpected and often undetected ways.
For example, a machine may have a firewall, it may have intrusion prevention/intrusion detection systems, it may have the latest anti-virus/anti-rootkit software, but none of that necessarily matters. The covert channel could use anything from the IP packet identifier field, to timing, to inaudible sounds.
Defense Mechanisms and Covert Channels
Defense mechanisms for covert channels include isolation, as demonstrated by the Qubes operating system, and detection.
Isolation attempts to put every process in its own sandbox, so processes cannot communicate in unexpected ways.
Detection relies on statistical analysis and is more difficult to put to use than isolation.
Covert channels require shared resources. While isolation minimizes the threat, the noise level makes statistical analysis very difficult. In a covert IP timing channel, if there is significant legitimate traffic, then it becomes infeasible to pick the covert transmission out of the noise. Covert channels are currently useful to botnet and malware makers.
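To make the detection point concrete, here is an added example (not code from the article or its author) of the kind of statistical check a defender can run over inter-packet delays, and of why background noise defeats it. It models a binary timing channel as one of two delays per packet, legitimate traffic as exponential (memoryless) inter-arrival times, and scores a flow by the entropy of its mean-normalized delay histogram: a channel that encodes bits in a couple of fixed delays produces a histogram concentrated in a few bins, whereas genuine traffic spreads over many. The delay values, bin width, threshold and the payload are all constructed for the demonstration; the third scenario merges the same channel into a busy link and shows the score climbing back into the "normal" range, which is the noise problem the paragraph describes.

```python
import math
import random
from collections import Counter

# Constructed parameters for this example, not values from the article.
BIN_WIDTH = 0.1          # histogram bin width on the mean-normalized delay axis
ENTROPY_THRESHOLD = 3.0  # bits; a flow whose delay histogram is this concentrated is "too regular"


def normalized_entropy_bits(ipds):
    """Shannon entropy, in bits, of the inter-packet delays after dividing each
    delay by the flow's mean delay. Normalizing makes the score depend on the
    shape of the delay distribution rather than on the flow's packet rate."""
    if not ipds:
        return 0.0
    mean = sum(ipds) / len(ipds)
    if mean <= 0:
        return 0.0
    counts = Counter(int(d / mean / BIN_WIDTH) for d in ipds)
    n = len(ipds)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_timing_channel(ipds):
    """Flag a flow whose delays cluster into a few discrete values, as a
    binary timing channel's do; genuine traffic spreads over many bins."""
    return normalized_entropy_bits(ipds) < ENTROPY_THRESHOLD


def covert_timing_ipds(bits, rng, zero=0.10, one=0.20, jitter=0.002):
    """Constructed model of a sender encoding one bit per inter-packet delay."""
    return [(one if b else zero) + rng.uniform(-jitter, jitter) for b in bits]


def background_ipds(count, rng, mean=0.15):
    """Constructed model of legitimate traffic: exponential inter-arrival times."""
    return [rng.expovariate(1.0 / mean) for _ in range(count)]


def merge_streams(*streams):
    """Interleave several packet streams by absolute timestamp, as an observer
    on the wire would see them, and return the merged inter-packet delays."""
    stamps = []
    for ipds in streams:
        t = 0.0
        for d in ipds:
            t += d
            stamps.append(t)
    stamps.sort()
    return [later - earlier for earlier, later in zip(stamps, stamps[1:])]


def bits_of(payload):
    """Big-endian bit list of a byte string."""
    return [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]


def run_scenarios(seed=7):
    """Return entropy scores for three constructed flows: clean traffic, an
    isolated covert timing channel, and the same channel buried in heavy
    background traffic on a busy link."""
    rng = random.Random(seed)
    secret_bits = bits_of(b"constructed sample secret" * 4)   # 800 bits
    clean = background_ipds(800, rng)
    covert = covert_timing_ipds(secret_bits, rng)
    # Busy link: roughly 15 legitimate packets for every covert one.
    busy = background_ipds(15000, rng, mean=0.01)
    buried = merge_streams(covert, busy)
    return {
        "clean": normalized_entropy_bits(clean),
        "covert": normalized_entropy_bits(covert),
        "buried": normalized_entropy_bits(buried),
    }


if __name__ == "__main__":
    for name, score in run_scenarios().items():
        verdict = "FLAGGED" if score < ENTROPY_THRESHOLD else "passes"
        print(f"{name:7s} entropy={score:.2f} bits -> {verdict}")
```

Run stand-alone, the isolated channel scores under two bits and is flagged, while clean traffic scores well above the threshold. The buried scenario is the important one: once the covert packets are a small fraction of a busy link, the merged delay distribution looks exponential again and the score passes, so in practice this kind of detector has to be applied per flow (by source, destination and port) rather than to an aggregate link, and even then heavy legitimate traffic on that same flow masks the channel.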
About the Guest Author
Dana Edwards is a technological visionary, an information security expert and a social futurist. Born and raised in Boston, Massachusetts, he obtained a Bachelor's degree in ethics, social & political philosophy from UMass, a Master's degree in Cybersecurity from UMUC, and is CompTIA
He has been fascinated by and has continuously studied computer technology and information security since 1997, when he received his first computer. As a student, teacher and problem solver, he wishes to share some of his knowledge with the world, and to inspire, conduct, and promote innovative experiments in cybersecurity.
References
Becker, G. T., Regazzoni, F., Paar, C., & Burleson, W. P. (2013). Stealthy dopant-level hardware trojans. In Cryptographic Hardware and Embedded Systems – CHES 2013 (pp. 197-214). Springer Berlin Heidelberg.
Becker, G. T., Regazzoni, F., Paar, C., & Burleson, W. P. (2014). Stealthy dopant-level hardware Trojans: extended version. Journal of Cryptographic Engineering, 4(1), 19-31.
Brewster, C. Semantic blockchains in the supply chain.
Lesperance, N., Kulkarni, S., & Cheng, K. T. (2015, January). Hardware Trojan detection using exhaustive testing of k-bit subspaces. In Design Automation Conference (ASP-DAC), 2015 20th Asia and South Pacific (pp. 755-760). IEEE.
Shield, J., Hopkins, B., Beaumont, M., & North, C. (2015, January). Hardware Trojans – A Systemic Threat. In Proceedings of the 13th Australasian Information Security Conference (AISC 2015) (Vol. 27, p. 30).
Sharifi, E., Mohammadiasl, K., Havasi, M., & Yazdani, A. (2015). Performance analysis of Hardware Trojan detection methods. International Journal of Open Information Technologies, 3(5), 39-44.
Wei, S., & Potkonjak, M. (2013, May). The undetectable and unprovable hardware trojan horse. In Proceedings of the 50th Annual Design Automation Conference (p. 144). ACM.
Wood, D. G. (2014). Ethereum: A secure decentralised generalised transaction ledger.
Zheng, Y., Wang, X., & Bhunia, S. SACCI: Scan-Based Characterization Through Clock Phase Sweep for Counterfeit Chip Detection.