Team for Research in
Ubiquitous Secure Technology

Defeating UCI: Building Stealthy and Malicious Hardware
Cynthia Sturton, Matthew Hicks, David Wagner

Citation
Cynthia Sturton, Matthew Hicks, David Wagner. "Defeating UCI: Building Stealthy and Malicious Hardware". 2011 IEEE Symposium on Security and Privacy, IEEE, 22, 2011.

Abstract
In previous work Hicks et al. proposed a method called Unused Circuit Identification (UCI) for detecting malicious backdoors hidden in circuits at design time. The UCI algorithm essentially looks for portions of the circuit that go unused during design-time testing and flags them as potentially malicious. In this paper we construct circuits that have malicious behavior, but that would evade detection by the UCI algorithm and still pass design-time test cases. To enable our search for such circuits, we define one class of malicious circuits and perform a bounded exhaustive enumeration of all circuits in that class. Our approach is simple and straight forward, yet it proves to be effective at finding circuits that can thwart UCI. We use the results of our search to construct a practical attack on an open-source processor. Our malicious backdoor allows any user-level program running on the processor to enter supervisor mode through the use of a secret â knock. We close with a discussion on what we see as a major challenge facing any future design-time malicious hardware detection scheme: identifying a sufficient class of malicious circuits to defend against.

Electronic downloads

Citation formats  
  • HTML
    Cynthia Sturton, Matthew Hicks, David Wagner. <a
    href="http://www.truststc.org/pubs/852.html"
    >Defeating UCI: Building Stealthy and Malicious
    Hardware</a>, 2011 IEEE Symposium on Security and
    Privacy, IEEE, 22, 2011.
  • Plain text
    Cynthia Sturton, Matthew Hicks, David Wagner.
    "Defeating UCI: Building Stealthy and Malicious
    Hardware". 2011 IEEE Symposium on Security and Privacy,
    IEEE, 22, 2011.
  • BibTeX
    @inproceedings{SturtonHicksWagner11_DefeatingUCIBuildingStealthyMaliciousHardware,
        author = {Cynthia Sturton and Matthew Hicks and David Wagner},
        title = {Defeating UCI: Building Stealthy and Malicious
                  Hardware},
        booktitle = {2011 IEEE Symposium on Security and Privacy},
        organization = {IEEE},
        day = {22},
        year = {2011},
        abstract = {In previous work Hicks et al. proposed a method
                  called Unused Circuit Identification (UCI) for
                  detecting malicious backdoors hidden in circuits
                  at design time. The UCI algorithm essentially
                  looks for portions of the circuit that go unused
                  during design-time testing and flags them as
                  potentially malicious. In this paper we construct
                  circuits that have malicious behavior, but that
                  would evade detection by the UCI algorithm and
                  still pass design-time test cases. To enable our
                  search for such circuits, we define one class of
                  malicious circuits and perform a bounded
                  exhaustive enumeration of all circuits in that
                  class. Our approach is simple and straight
                  forward, yet it proves to be effective at finding
                  circuits that can thwart UCI. We use the results
                  of our search to construct a practical attack on
                  an open-source processor. Our malicious backdoor
                  allows any user-level program running on the
                  processor to enter supervisor mode through the use
                  of a secret â knock. We close with a discussion
                  on what we see as a major challenge facing any
                  future design-time malicious hardware detection
                  scheme: identifying a sufficient class of
                  malicious circuits to defend against.},
        URL = {http://www.truststc.org/pubs/852.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.