FANCI: Identifying Malicious Circuits

Presented by: Jayce Gaines

Slides adapted from:Adam Waksman

Matthew Suozzo Simha Sethumadhavan

Computer Architecture & Security Technologies LabDepartment of Computer Science

Columbia University

1

How Much Do You Trust Hardware?

[1]

[2]

[3]

[4]

1) The Guardian 2012, 2) New York Times 2012, 3) The Register 2013, 4) Tech Review 2013

These are all actual headlines from 2012 and ’13:

The Problem of Third-Party IP

16

190

(International Business Strategies, 2012)

The Problem of Third-Party IP

Why is this a problem?

- Can you trust the third party?

- Will they add malicious back doors to your proprietary work?

- Can you be assured to find backdoors if they exist?

Our Solution• Automatically identify malicious

circuits in third-party hardware design IP

.

.

.assign bus_x87_i = arg0 & arg1; always @(posedge clk) beginif (rst) data_store_reg7 <= 16’b0;else beginif (argcarry_i37 == 16’hbacd0013) begin data_store_reg7 <= 16’d7777;

endelse data_store_reg7 <=

data_value7; endendassign bus_x88_i = arg2 ^ arg3;assign bus_x89_i = arg4 | arg6 nor

arg5;...

• Automatically identify malicious circuits in third-party hardware design IP• Engineers read few lines instead of

thousands or millions

.

.

.assign bus_x87_i = arg0 & arg1; always @(posedge clk) beginif (rst) data_store_reg7 <= 16’b0;else begin

if (argcarry_i37 == 16’hbacd0013) begin data_store_reg7 <= 16’d7777;

endelse data_store_reg7 <=

data_value7; endendassign bus_x88_i = arg2 ^ arg3;assign bus_x89_i = arg4 | arg6 nor

arg5;...

Our Solution

Overview

• Motivation• Hardware can be evil, don’t live in

denial• Evil hardware is stealthy

• Algorithm• Rank by degree of stealth

• Results• No false negatives, pragmatic and

effective

• The Future of FANCI• How would we attack FANCI?

• Conclusions• Can we really use this tool today?

What is FANCI?

FANCI – Functional Analysis for Nearly-unused Circuit Identification

- In the simplest form FANCI analyzes hardware designs and determines if there are any possible backdoors hidden in the design.

- The goal is to prevent these backdoors from making it past the first stages of hardware design, at which point it would be extremely costly and time consuming to fix.

- FANCI is show to do this automatically with great success.

Backdoors: Fact #1

Backdoor = Trigger + Payload

Ex: AES Key Stealing Ciphertext Key Exfiltration

Instead of generating Ciphertext…0xba5eba11

d(0xba5eba11)

Backdoors: Fact #1

Backdoor = Trigger + Payload

Ex: AES Key Stealing Ciphertext Key Exfiltration

…a backdoor can give access to the key!0xba5eba11

key

Backdoors: Fact #2

Stealth

= Power

It’s easy to overlook well hidden or subtle backdoors. Especially ones that aren’t active!

Backdoors: Fact #3

Validation != Security

With so much code it is not only possible, but likely that stealthy portions of code are not tested properly!

What FANCI Does

• We need to catch stealthy circuits that validation is not able to catch.

• The goal is to take the burden off of validators and make an automatic tool that is able to easily find hidden code.

• We want to be able to do this with as little error as possible, avoiding false positives and negatives, and allowing for easy verification.

What FANCI Does

It’s obvious that by design malicious code wants to be well concealed and buried in benign code to avoid detection.

Identifying Stealthy Code• FANCI offers a new quantitative measure of

stealth• We rank wires in a circuit by stealth value.

• Any wire is connected to many other wires• Stealth value is computed from the control values of

all the wires its connected to.

Defining Control

A B C OUT

1 1

0 1

1 0

0 0

1 1

0 0

1 0

0 1

Out = f(A, B, C)

How often does an input matter?

1 01 0

0 10 1

1 11 1

0 00 0

How often does an input matter?

A B C OUT

1 1

0 1

1 0

0 0

1 1

0 0

1 0

0 1

C Matters?

YES

YES

NO

NO

1 01 0

0 10 1

1 11 1

0 00 0

Take C. We can see that in about 2 of 4 cases, it will impact the outcome.

How often does an input matter?

A B C OUT

1 1

0 1

1 0

0 0

1 1

0 0

1 0

0 1

C Matters?

YES

YES

NO

NO

Control = #Observed / Total = 2/4 = 0.5

So, the effect of C on OUT is 0.5

1 01 0

0 10 1

1 11 1

0 00 0

Larger Circuits

E OUT

1 1

0 1

1 1

0 0

1 0

0 1

E Matters?

YES

YES

NO

Control = #Observed / Total = 2/16 = 0.125

32 Rows16 Pairs

A B C D

1 1 1 11 1 1 0

1 1 1 11 1 1 1

0 0 0 00 0 0 0

However, with a larger set and more input values we get a much lower impact ratio.

Larger Circuits

So what does this mean?

- With Larger sets of input it is easier to hide impact.

- A low chance of affecting output lends itself to stealthiness and makes it easier to hide malicious code. Thus it is given a higher stealth value.

- FANCI uses this stealth value to determine potential for maliciousness.

Example: 4-to-1 Mux• Consider a real circuit (4-to-1

multiplexer)• How can we measure control?

Example: 4-to-1 Mux• When does the output M depend on the value of A?

• When S1 and S2 = 0 (one fourth of cases)

• The total effect will be 0.25

0.25

0.25

0.25

0.25

Example: 4-to-1 Mux

• M is dependent on S1 and sometimes affected• When A is different from C (and S2 = 0)

• When B is different from D (and S2 = 1)

• One half of cases (total effect = 0.5)

0.25

0.25

0.25

0.25

0.5 0.5

Does This Look Suspicious?

M

A B C D S1

S2

0.25

0.25

0.25

0.25

0.5 0.5

0.25 0.25 0.25 0.25 0.50 0.50

Does This Look Suspicious?

M

No.Because all control values are high and around the same range, it is unlikely that malicious code would be hidden here.

0.5 0.5

0.25 0.25 0.25 0.25 0.50 0.50A B C D S

1

S2

0.25

0.25

0.25

0.25

Does This Look Suspicious?

0.25

0.25

0.25

0.25

6

{S}

2-63 0.5 0.5

M

A B C D ES1

S2

{S3-

66}

E2-65

0.25 0.25 0.25 0.252-65 0.50 0.50

2-63

Logic

4

Consider this Multiplexer. We now have 5 inputs and the range 3-66 for S, with values shown in the vector.

Does This Look Suspicious?

0.250.25

0.25

0.25

{S}

2-63 0.5 0.5

M

A B C D ES1

S2

{S3-

66}

E2-65

Definitely yes.The control values of E and the range are suspicious due to how rarely they will change the value of M. Perfect for disguising malicious back-doors.

6

0.25 0.25 0.25 0.252-65 0.50 0.50

2-63

Logic

4

Does This Look Suspicious?

0.250.25

0.25

0.25

{S}

2-63 0.5 0.5

M

A B C D ES1

S2

{S3-

66}

E2-65

Definitely yes.The control values of E and the range are suspicious due to how rarely they will change the value of M. Perfect for disguising malicious back-doors.

6

0.25 0.25 0.25 0.252-65 0.50 0.50

2-63

Logic

4

Just checking the min value is often not enough.Better heuristics are needed to evaluate the vector.

Computing Stealth From Control

M

A B C D S1

S2

0.250.250.250.25

0.5 0.5

Mean(M) = (2.0 / 6) = 0.33Median(M) = 0.25Triviality(M) = 0.50

0.25 0.25 0.25 0.25 0.50 0.50

We use three different heuristics for evaluation.Mean, Median and Triviality.

-The Median in the context of backdoor triggers is often close to zero when low or unaffecting wires are present.-The Mean is sensitive to outliers. If there are few dependencies, and one of them is unaffecting, it is likely to get noticed, when compared to the control value.-Triviality is a weighted average of the values in the vector. Weighted by how often they are the only value affecting the output. If it is 0 or 1 it is trivial.

Computing Stealth From Control

M

A B C D ES1

S2

{S3-

66}

Mean(M) = (2.0 / 71) = 0.03Median(M) = 2-63Triviality(M) = 0.50

0.250.250.25

0.25

2-65

6

{S}2-63 0.5 0.5

E

0.25 0.25 0.25 0.252-65 0.50 0.50

2-63

Logic

4

Computing Stealth From Control

M

A B C D ES1

S2

{S3-

66}

Mean(M) = (2.0 / 71) = 0.03Median(M) = 2-63

Triviality(M) = 0.50

0.250.250.25

0.25

2-65

{S}2-63 0.5 0.5

E

6

Triviality detects more triggers. Mean/median detect more payloads.

0.25 0.25 0.25 0.252-65 0.50 0.50

2-63

Logic

4

Here we can see that the mean and median are affected greatly by potential payloads in the wires.

Results• Stealth metrics are effective for existing benchmarks

• No false negatives for TrustHub benchmarks• TrustHub is a hardware backdoor benchmark used for testing

detection applications such as FANCI.

• Effective even on large designs• Able to process full (academic) microprocessor cores

• Efficient enough for modern designs• About 1 day to process an average sized module

• Can catch well-hidden backdoors• 100% coverage against “stealthy, malicious backdoors” (SSP

2011)

Effectiveness On TrustHub

False positive rates for the four different metrics andfor TrustHub benchmarks. The RS232 group — which is the

smallest — has about 8% false positives. The others have much lower rates (less than 1%).

How Would We Attack FANCI?

• Frequent-Action Backdoor• No stealth, requires incompetent/non-existent validation

engineers

• False Positive Flooding• Contrived design, requires naïve integration engineer

• Pathological Pipeline (State Explosion) Backdoor• Contrived design, requires naïve integration engineer

• Foundry (Physical/Parametric) Backdoor• Malicious device from benign design, requires malicious foundry

Security Assurances

• Zero false negatives so far• Mathematical connection exists between stealth and

validation

• FANCI flags wires if and only if they are stealthy• Static and not probabilistic or dynamic

• Can operate on digital, synchronous design IP• Source code or gatelists

• Can achieve design-side security with minimal validation• Works well with current state of practice

The Big Picture: Hardware Security

FANCI is designed to stop possible backdoors that cannot be detected by validation alone during early stages of device/hardware design. (Register Transfer Level Code, Design Synthesis, Physical Synthesis)

This can allow us to fix the issue or get a new third party to take over the IP design before the backdoor gets permanently integrated.

Conclusions• Hardware backdoors: A serious, immediate threat

• Currently no way to certify trustworthiness• Causes tech. localization (increased costs)

• FANCI: Static analysis to identify suspicious circuits• Zero false negatives so far• Minimal reliance on validation personnel

• Current Status• Practical, ready for modern designs (e.g., AFRL, CSAW)• First hardware certification tool for trustworthy IP