tag:blogger.com,1999:blog-37798047.post7392236840402492817..comments2024-01-16T05:48:33.523-05:00Comments on Errata Security: Bogus story: no Chinese backdoor in military chipDavid Maynorhttp://www.blogger.com/profile/09921229607193067441noreply@blogger.comBlogger27125tag:blogger.com,1999:blog-37798047.post-90437423456027258642012-06-12T00:40:25.038-04:002012-06-12T00:40:25.038-04:00There was a book around 2000 titled "SPYDER W...There was a book around 2000 titled "SPYDER WEB" that dealt with this - fictional book about a spy device attached to Chinese made Cray supercomputers.<br /><br />MUST read - fiction or not it shows the potential of what "Could" happen.<br /><br />-Scott Turchin<br />CISSPAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-24962896765515074952012-06-05T06:44:36.664-04:002012-06-05T06:44:36.664-04:00I think it was placed there purposely and not for ...I think it was placed there purposely and not for debugging.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-81734720326538288532012-06-04T10:10:10.405-04:002012-06-04T10:10:10.405-04:00I'd like to thank you for the efforts you have...I'd like to thank you for the efforts you have put in writing this site. I really hope to see the same high-grade blog posts by you in the future as well. In truth, your creative writing abilities has encouraged me to get my own, personal website now ;)<br />Feel free to surf my blog postsports livehttp://sportsfunia.comnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-89113880854184816862012-06-01T15:55:27.788-04:002012-06-01T15:55:27.788-04:00Armorbearer Worldwide is dedicated to protection o...Armorbearer Worldwide is dedicated to protection of individuals at all times in all places and in every situation. Our objective is to assist individuals in creating skills so they can help better secure their loved ones, homes, businesses and resources as well as the environment they communicate with daily.<br /><br /><a href="http://armorbear.com/products" rel="nofollow">Safety Products </a>safety consultancy servicehttps://www.blogger.com/profile/05913436253760972581noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-41108457400182458002012-05-30T22:15:56.118-04:002012-05-30T22:15:56.118-04:00I think it's fair to publish the story in that...I think it's fair to publish the story in that way. When Microsemi says that the chip could be used by military, then it should be safe. A chip that holds a key and has a backdoor isn't safe.<br /><br />From military I expect that they use no special foreign chip at all. Either they create and know the chip, or they should use a common chip as they would use a common and known crypto algorithm.<br />A no-readout promise from foreign chip manufacturers is security through obscurity.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-41810079914646957292012-05-30T17:12:09.157-04:002012-05-30T17:12:09.157-04:00What most people don't realize is that many ma...What most people don't realize is that many many IC's come with reconfigurable options known as an eFuse. Many SoC's such as those in cell phones often have a wide range of debug features enabled in the actual hardware IC, but before going into production the eFuse for these specific features are "blown" so that they no longer operate. some examples of these are JTAG, Debug Uart, Alternate booting options such as via USB, and hardware observability signals. Back in 2010, Motorola came into the headlines regarding how they had specifically "blown" some eFuses on the Droid-X phone that prevented a wide range of upgrades. although we don't have all the details of the device in question, most likely this was a simple production error where the eFuse for these features was simply not "blown" before shipping.....<br /><br />http://www.engadget.com/2010/07/16/motorola-responds-to-droid-x-bootloader-controversy-says-efuse/<br /><br />http://www.tested.com/news/how-to/585-how-efuses-work-and-why-theyre-not-as-bad-as-you-think/Anonymoushttps://www.blogger.com/profile/01886118651769611478noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-80099444913187591312012-05-30T05:13:36.911-04:002012-05-30T05:13:36.911-04:00It is Military Gradeeeeeeee
Why people have diffic...It is Military Gradeeeeeeee<br />Why people have difficulty understanding this thing. I have seen elsewhere the same comment. Even though the architecture is mostly the same (or should be in our case) it designed for wider temperature ranges probably offers hermetic packaging and definitely has a lot of strict quality control to pass through. Also probably uses radiation hardened by design techniques at library level...Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-18572478379078656552012-05-30T05:13:17.057-04:002012-05-30T05:13:17.057-04:00I read the authors webpage and it doesn`t say anyt...I read the authors webpage and it doesn`t say anything about that the Chinese have inserted the backdoor. Nor does it suggest that anywhere on the University site. There is a paper on there about hardware assurance on the same page where the papers are for download but responding to concerns raised by the military themselves about how they are worried about chips been compromised. The BBC carried the same story, Wired magazine and Darpa themselves. So why have you link that paper with the published one when they are not connected?<br /><br />There is a reference on the webpage that the US Military are worried about China, thats common knowledge its all over the internet. I dont see how making a comment on something the US Military have said means the authors are hyping the danger. The danger is hyping by the military and press.<br /><br />I`ve read the paper and in it its quite plainly said that the authors believe its inserted by the manufacturer. No one in their right mind think this is just a `debug` issue as you keep claiming or its for some engineering purpose, its totally obvious its designed to get around the security and thats not needed for a debug port or during fab.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-42276362073714392232012-05-29T20:32:20.047-04:002012-05-29T20:32:20.047-04:00Thanks for your comments, Anonymous person above t...Thanks for your comments, Anonymous person above this.<br /><br />I wanted to discuss FPGAs in general rather than deal with the one-time-programming features of this particular model. I suppose since the readback capability is the important part here, I should've covered that as well.<br /><br />But what you say is interesting, that the second key is an integral, well-documented part of the design, if you can just find the right documentation. I'll try to hunt down that document.Robert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-39235648921061111042012-05-29T19:45:44.212-04:002012-05-29T19:45:44.212-04:00I work a lot with said FPGA.
I have indeed integra...I work a lot with said FPGA.<br />I have indeed integrated 15 of these A3P250 and they working smoothly in an airport (fear :-P)<br /><br />This blog gets something wrong : the FPGA configuration is not "a file" in the system, the A3P holds the configuration directly as Flash cells directly at each gate. It's all and well explained in ALL the datasheets.<br />So the system builder "flashes" the part before or after soldering the part, and the FPGA boots instantly. The A3P are not like Xilinx or Altera's chips.<br /><br />Furthermore, there is a 2-key system that was designed to provide flexible IP delivery and protection. The 2nd key is not well publicised but if you dig in certain documents, it is explained. It's not a backdoor.<br /><br />Oh and leave the Chinese alone... Let them build our stuff cheap, and let companies make stupid errors.<br /><br />Mmmmm i should look at what they say on comp.arch.fpga, there are specialists there.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-65173208055331143662012-05-29T19:03:01.260-04:002012-05-29T19:03:01.260-04:00I believe you did a disservice to your reputation ...I believe you did a disservice to your reputation with this post. You wrote like you are authority, based your claims at no knowledge at all (because you hadn't read the leaked paper) and now your claims slowly break down. <br /><br />You have already admitted that your authoritative sounding claims about the complexity of modifying the chip by the vendor are overblown and it is in fact possible.<br /><br />Now you have halfheartedly admitted as well, that there is a "evil" feature in the chip. You weasel around the full extent of this: Fact is that this backdoor allows the reading of values which should not be possible to read back AND that the vendor claimed that such read back is not even physically implemented.<br /><br />Please stop downplaying this finding. Here is a backdoor (and apparently a stupid one with a default key which is claimed to be same in all chops) to circumvent elementary security features.<br /><br />Also I disagree with your downplay of a backdoor. Of course it is malicious. If it was intent to be malicious is irrelevant. It is, and most backdoors are because they are usually security holes.<br /><br />On the good side apparently the backdoor also allows to change the backdoor key, so there is hopefully a way to mitigate this hole.<br /><br />However still the achievement of this work and paper is high. They devised a new way of side channel attack, apparently much more reliable and rewarding than current technology. Using this technology a attacker would still be able to read out a changed backdoor key if he can get his hands on a chip. And most often this would be a security catastrophe on its own. Imagine a crashed fighter jet falling into the hands of iran. They might have only the one chip, but if they can determine the backdoor key, they apparently can get access to all content in the chip. They can likely achieve this already using existing technology but this attack is so much easier.<br /><br />While the researcher might have made some inappropriate remarks and might have accepted that these are blown over to some china conspiracy, this is still no reason to discount this research.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-11667052543092748632012-05-29T17:03:58.858-04:002012-05-29T17:03:58.858-04:00Actually, I think being able "steal the intel...Actually, I think being able "steal the intellectual property" is a meaningful threat to defense systems. When your drone crashes in hostile territory, you'd like to be confident that it will be difficult for the adversary to extract your classified algorithms for target recognition, jamming resistance, etc. (not to mention crypto keys). <br /><br />Of course, there are lots of ways to protect against that (ranging from fail-safe thermite ignition to just hoping it won't happen), and you need to make cost-effectiveness trade-offs in choosing what to protect and how strongly. However, if you relied on a manufacturer's representation of a security mechanism's capability and it turns out to be false, your security calculus changes, and you might be legitimately irritated about that.<br /><br />All that said, I still see no reason to believe that this particular mechanism was deliberately installed as an act of espionage. Why not? Because it was so unsophisticated. It's hidden, sure, but once it's out, it's out, and it's <b>obvious</b> that it's a backdoor. I would expect any adversary with the resources to do this for espionage purposes would do a better job of concealing it and making it look like an accident. I absolutely believe those adversaries are out there, and working diligently to compromise U.S. systems--I just believe they'd do a better job.Anonymoushttps://www.blogger.com/profile/16894020384351883048noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-51560771734731206062012-05-29T14:21:20.594-04:002012-05-29T14:21:20.594-04:00Robert, You are so naive. You are not living toget...Robert, You are so naive. You are not living together with russians and chinese in one country and cannot imagin what how they think about every outsider. You are like our government. Nothing happens. It's all right. Be quiet.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-88492309677076279262012-05-29T13:39:24.653-04:002012-05-29T13:39:24.653-04:00You are all naive. Of course a chip designed for s...You are all naive. Of course a chip designed for special cases will be used on equipment targeting military. Don't be naive to think this was a "debugger" left on. What track record does this adversary have to give them the benefit of the doubt.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-27645652513038782062012-05-29T11:27:31.761-04:002012-05-29T11:27:31.761-04:00David a very good points that clearly the blogger ...David a very good points that clearly the blogger is glossing over. It appears there are different camps when it comes to security. Those such as this person and Bruce Schneier. They downplay everything. You have to wonder what the motivation could be. While I certainly agree that it would be an expensive and daunting endeavor, what a coup for a nation state to "pwn" their might at the most basic level. This is clearly not beyond the realm of possibility and anyone who thinks otherwise is living in a fantasy world. If the Chinese are the number one at hacking and stealing from the US, why not take to an indefensible level. Wake up and face reality Robert Graham.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-50191428226607238292012-05-29T11:06:41.197-04:002012-05-29T11:06:41.197-04:00The author of the original paper has determined th...The author of the original paper has determined that this backdoor was put there on purpose. The only questions are who put it there and why. Your entire post is based around your bias that this was an accident which you state right up front. But that is clearly not the case here. It might be a debug feature or something else, but it wasn't an accident.dangrsmindhttps://www.blogger.com/profile/02442168272288697036noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-6906163856588087292012-05-29T10:22:52.532-04:002012-05-29T10:22:52.532-04:00"In the meantime, it's important to note ...<i>"In the meantime, it's important to note that while the researchers did indeed discover a backdoor, they offer only speculation, but no evidence, as to the source of the backdoor."</i><br /><br />Actually, the paper is quite clear that the backdoor was added by the manufacturer (Section 4):<br /><br /><i>"We discovered that in fact Actel did implement such an access, with a special key used for activation."</i><br /><br />At no point in the paper does it claim that China was involved in inserting this backdoor (see <a href="http://www.cl.cam.ac.uk/~sps32/qvl_proj.html" rel="nofollow">the author's page</a>).Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-45055725458124278362012-05-29T08:47:23.566-04:002012-05-29T08:47:23.566-04:00"Many false claims of security are to some ex..."Many false claims of security are to some extent accidental--we designed a mechanism (e.g., WEP) and thought it was secure, but we were too ignorant to do a good job." -- Olin: Oh, the good old humility vs. hubris. If you loudly proclaim that something can't be done, and you're so good hurr durr, you usually end up getting your ass handed over to you on a fancy plate. With a "get well soon" card to boot.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-70450566451423051482012-05-29T07:32:40.358-04:002012-05-29T07:32:40.358-04:00I find it rather disconcerting how easily you dism...I find it rather disconcerting how easily you dismiss the possibilities here. Granted JTAG exists by design and if not properly implemented in final products does provide exposure, and such may very well be the case here. But to dismiss the possibility that hardware or firmware could or has been modified for malicious intent and may remain yet undiscovered is irresponsible. Personally I believe it is in the interest of US national security the silicon foundries return home.David Brenchleynoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-83529562087541426382012-05-29T05:19:59.545-04:002012-05-29T05:19:59.545-04:00Informatics Outsourcing is an Offshore Intellectua...Informatics Outsourcing is an Offshore Intellectual Property Services company. They are providing Intellectual Property services for Bio Technology, Biochemistry, Drug Discovery, Chemistry, etcAnonymoushttps://www.blogger.com/profile/17702356548819676042noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-7802817859546236092012-05-29T05:12:28.657-04:002012-05-29T05:12:28.657-04:00I like this article because first you obviously kn...I like this article because first you obviously know hardware and most people dont.<br /><br />People dont understand that hardware is becoming software. And software has to be easy to commoditize, customize and yes debug.<br /><br />This is progress. The more flexible it becomes, the better it is, the cheaper it is.<br /><br />When you consider the ease with which this hardware can now be modified versus hardcoded chips you have to cheer. <br /><br />The people that will take advantage of it, are really not important. If people want t they will fly planes into buildings. Im not worried about Iranian geeks with a USB debugger. Im just not.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-90491415871455341372012-05-29T05:09:18.841-04:002012-05-29T05:09:18.841-04:00JTAGs not withstanding, the real scary scenario is...JTAGs not withstanding, the real scary scenario is someone finding a way to add a backdoor into a chip's microcode. This might require an inside man in the chip design team to inject the code, but if they do, all bets are off.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-56826266564307496842012-05-29T05:04:30.604-04:002012-05-29T05:04:30.604-04:00Spot-on: of course it wasn't the Chinese who d...Spot-on: of course it wasn't the Chinese who did this originally, and they certainly didn't do it in the manufacturing stage. While it is not unreasonable to consider the possibility that an agent in place arranged for this debugging capability to remain even when it should have been removed, there's no evidence.<br /><br />The real disappointment is that Actel made strong and explicit claims about the impossibility of reading out the FPGA configuration, and we now know those claims to have been completely false. What does that tell us about Actel's credibility? Should that make us worry similarly about other manufacturers? What should we do to assess such claims in the future?<br /><br />Many false claims of security are to some extent accidental--we designed a mechanism (e.g., WEP) and thought it was secure, but we were too ignorant to do a good job. Here, they implemented a mechanism that did clearly and precisely the opposite of what they claimed--and, if the paper is to be believed, did it for years and in many different products. Maybe just miscommunication between marketing and manufacturing, but it should never have happened, and its apparently pervasive nature is deeply troubling.Anonymoushttps://www.blogger.com/profile/16894020384351883048noreply@blogger.comtag:blogger.com,1999:blog-37798047.post-47550472874792972042012-05-29T00:50:39.330-04:002012-05-29T00:50:39.330-04:00The original scam / dissertation is available at
...The original scam / dissertation is available at <br /><br />http://www.cl.cam.ac.uk/~sps32/sec_news.html#AssuranceAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-37798047.post-82299818152099011472012-05-29T00:14:27.489-04:002012-05-29T00:14:27.489-04:00The particular paper is here:
http://www.cl.cam.ac...The particular paper is here:<br />http://www.cl.cam.ac.uk/~sps32/Silicon_scan_draft.pdfRobert Grahamhttps://www.blogger.com/profile/09879238874208877740noreply@blogger.com