On Sep 22, 2013, at 7:56 PM, d.nix wrote:
> ...If for example, the paper regarding manipulating the RNG circuit by
> alternate chip doping is valid, then an adversary with deep pockets
> and vast resources might well be able remotely target specific systems
> on demand. Possibly even air gapped ones if this function is
> controllable via a 3G signal as I have read elsewhere.
>
> Or perhaps just outright reroute and tap information prior to
> encryption, or subtly corrupt things in other ways such that processes
> fail or leak data....
You started off concerned about misuse of a "remote override" function that
Intel deliberately puts on the chips - a valid concern - but now have wandered
off into arbitrary chip modifications. Those, too, are perhaps valid concerns
- but they've been concerns for many years. Nothing new here, except that the
deeper we look, the more ways we find to hide attacks within the hardware.
That said, the doping paper, if I understood the suggestion correctly,
discussed a way to modify individual chips, not whole runs of them.
(Presumably you could modify whole runs by spiking the production process, but
that would be difficult to hide: Chip manufacturing is by its nature a very
tightly controlled process, and an extra step isn't something that people would
miss. It would probably even show up in the very tightly watched yield
statistics: The extra step would delay wafers on the line, which would cause
the yield to drop. The beauty of the doping attack is that it's undetectable -
at least right now; for every attack, a defense; for every defense, an attack.
But exactly how one might make the *implementation* of the attack undetectable
isn't at all clear.)
> Hmmmm. Maybe time to pull my old 1996 SGI R10K and R4400 boxes out of
> storage. For a few *very* dedicated and air gapped tasks they might be
> a small measure of worthwhile trouble.
You'll be amazed at how slow they now seem....
Still, it raises the question: If you can't trust your microprocessor chips,
what do you do? One possible answer: Build yourself a processor out of MSI
chips. We used to do that, not so long ago, and got respectable performance
(if not, perhaps, on anything like today's scale). An MSI chip doesn't have
enough intrinsic computation to provide much of a hook for an attack. Oh,
sure, the hardware could be spiked - but to do *what*? Any given type of MSI
chip could go into many different points of many different circuit topologies,
and won't see enough of the data to do much anyway. There may be some
interface issues: This stuff might not be fast enough to deal with modern
memory chips. (How would you attack a memory chip? Certainly possible if
you're make a targeted attack - you can slip in a small processor in the design
to do all kinds of nasty things. But commercial of the shelf memory chips are
built right up to the edge of what we can make, so you can't change a
ll that much.)
Some stuff is probably just impossible with this level of technology. I doubt
you can build a Gig-E Ethernet interface without large-scale integration. You
can certainly do the original 10 Mb/sec - after all, people did! I have no
idea if you could get to 100 Mb/sec.
Do people still make bit-slice chips? Are they at a low-enough level to not be
a plausible attack vector?
You could certainly build a respectable mail server this way - though it's
probably not doing 2048-bit RSA at a usable speed.
We've been talking about crypto (math) and coding (software). Frankly, I,
personally, have no need to worry about someone attacking my hardware, and
that's probably true of most people. But it's *not* true of everyone. So
thinking about how to build "harder to attack" hardware is probably worth the
effort.
-- Jerry
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
