Scanning VHDL for Backdoors?

Pacific_northwest_totem_pole

There has been a rising concern as of late about potential security issues related to backdoor functionality included in processors.  This is predominantly a concern about state actors compromising products that are then exported to other nations.  Bruce Schneier posted earlier about a USENIX paper on the topic and I recently saw on Slashdot that DARPA is sponsoring a contest to spur some research about this issue.

That all got me thinking.  I attended a great talk by Chris Wysopal at OWASP AppSec 2007 titled “Backdoors and Other Developer Introduced ‘Features’”  He talked about a number of “signatures” that could be used to detect intentionally-introduced backdoors in application code.  Could the same thing be done for hardware-specification languages such as VHDL?  You could probably come up with a useful set of signatures that might help to provide some assurance, but you would run into at least two issues:

  1. Static analysis tools don’t understand the “intent” of the systems they are analyzing so there are defects that they simply will not be able to find.  This is even more of the case for backdoors where you would not know how the bad guys intent (“I want to this system to send me information about what it is doing via some covert channel”) was actually realized in the code (“Send it to a network socket.  Or send it to a hidden file.  Or change the timing by which the application responds to requests.”)
  2. How do you know that the specification code you reviewed was what was actually used to create the final hardware chip?  With software binaries at least you can re-run the software build process and do binary comparisons or hash comparisons to provide some assurance (This is, of course, ignoring Ken Thompson’s “Trusting Trust” problem for the moment).  With hardware?  It would be tough to calculate a “hash” of a piece of physical hardware.

This seems to be a pretty serious issue and there do not seem to be even reasonably good solutions for it yet.  Multinational companies are going to move operations to locations where they can minimize their costs and those locations are not necessarily going to be located in “friendly” parts of the world.

Perhaps some combination of static analysis of the specifications as well as dynamic “fuzzing” of the inputs and outputs of the device might provide some assurance, but, as always, good trust is hard to find.

–Dan
dan _at_ denimgroup.com

(Photo is of the Pacific Northwest Totem located in Nordnes park in Bergen, Norway)

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *