Analog Malicious Hardware. In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small and stealthy. pdf
Behavior model of proposed analog trigger circuit.
In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value.
We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor.
To demonstrate that our attack works for real chips, we implement a privilege escalation attack in the OR1200 open source processor. We attach our capacitor to a signal that infrequently toggles with normal software, but toggles at a high rate with specially-crafted, usermode trigger programs. wikipedia
Our results expose two weaknesses in current malicious hardware defenses.
First, existing defenses analyze the digital behavior of a circuit using functional simulation or the analog behavior of a circuit using circuit simulation.
Second, the minimal impact on the runtime properties of a circuit suggests that it is an extremely challenging task for side-channel analysis techniques to detect this new class of attacks.
We believe that our results motivate a different type of defense; a defense where trusted circuits monitor the execution of untrusted circuits, looking for outof-specification behavior in the digital domain.
This work was supported in part by C-FAR, one of the six SRC STARnet Centers, sponsored by MARCO and DARPA. site