CCSDS Security Working Group Spring 2014 Meeting 31 March – 1 April 2014 Noordwijkerhout, The Netherlands Charles Sheehe NASA/Glenn Security Risks Charles Sheehe Objective of the risks discussion • To recommend that the threat book be updated with the threats to these emergent threats and technologies. • To recommend that a Green Book developed to provide guidance to the users of the emergent technologies. Back Ground What are the risks • Counterfeit parts • Genuine parts pre loaded with viruses. • Genuine parts with viruses embedded in the hardware of the parts. Threats Detection and Avoidance of Counterfeit Electronic Parts-Further Implementation • Defense Federal Acquisition Regulations Supplement; Counterfeit Electronic PartsFurther Implementation • Public Meeting: A public meeting is scheduled for March 27, 2014, from 9:00 a.m. to 12:00 p.m., EDT. The public meeting will be held at General Services Administration (GSA) Regional Office Building at 301 7th Street, SW, Washington, D.C. (Entrance on D Street). Electronic Parts • Richard Clarke: All U.S. Electronics Could Be Infected – Well, it’s been pretty obvious for a while now that China’s been hacking into some of America’s most important businesses and government agencies and stealing reams of data. We’ve heard countless reports about Pentagon info being stolen or about critical data on the F-35 Joint Strike Fighter being plucked from defense contractors networks. – Well, former U.S. counter-terrorism czar –currently running his own cybersecurity firm — Richard Clarke is coming out and saying that all electronics made in China may well have built-in trapdoors allowing Chinese malware to infect American systems on command. The malware could do everything from take over a device to disabling it to secretly siphoning information off of it. • Just remember, plenty of electronics parts are out sourced. Space contractors routinely buy things like processors and circuit boards — that end up on advanced systems. These parts often prove fake, something that’s dangerous enough due to the high risk of a fake part failing. What’s to stop real parts made from carrying an equally dangerous cyber trapdoor? Common hardware attacks • Manufacturing backdoors, for malware or other penetrative purposes; backdoors aren’t limited to software and hardware, but they also affect embedded radio-frequency identification (RFID) chips and memory • Eavesdropping by gaining access to protected memory without opening other hardware • Inducing faults, causing the interruption of normal behavior • Hardware modification tampering with invasive operations; hardware or jailbroken software • Backdoor creation; the presence of hidden methods for bypassing normal computer authentication systems • Counterfeiting product assets that can produce extraordinary operations, and those made to gain malicious access to systems Rakshasa backdoors • • Backdoors are usually supported by software. Flaws, including bugs, are common in software that runs on most devices. Fortunately, this type of backdoor is easier to detect and immunize. Last year, researcher Jonathan Brossard mentioned during the Black Hat security conference in Las Vegas, that a new strain of malware is nearly impossible to remove once it compromises a device. Brossard named his agent “Rakshasa“, defining it a “permanent backdoor” that’s hard to detect, and nearly impossible to remove. – It’s clear that he didn’t find a new vulnerability, but demonstrated how much harder is to detect that type of backdoor. – The abstract demonstrates that permanent backdooring of hardware is possible. Rakshasa is able to compromise more than a hundred different motherboards. The impact could be devastating. Rakshasa malware infects the host BIOS, taking advantage of a potentially vulnerable aspect of traditional computer architecture. Any peripheral, such as a network card or a sound card can write to the computer’s RAM or to smaller portions of memory allocated to any of the other peripherals. – First, there are backdoor disabling features such as NX, essential for protection against malware, viruses, and exploits. It also removes fixes for System Management Mode (SMM), in operating mode in which all normal execution (including the operating system) is suspended and special software, usually firmware or a hardware-assisted debugger, and is executed in high-privilege mode. – With these few steps, the attacker has properly compromised security of the machine, allowing malware to completely erase hard disks and install a new operating system. – “We shall also demonstrate that preexisting work on MBR subverts such as bootkiting and preboot authentication software brute force can be embedded in Rakshasa with little effort.” – Due the mechanism of infection, in order to sanitize a PC, it’s necessary to flash all the devices simultaneously to avoid that happening during a disinfection of a single device. That’s because it could affected by other compromised components. – “It would be very difficult to do. The cost of recovery is probably higher than the cost of the laptop. It’s probably best to just get rid of the computer.” said Brossard. – Rakshasa has been developed with open source BIOS software, including the Coreboot project and Sea BIOS, and because of their compatibility with most hardware, it’s hard to detect. – When the machine boots up, malware downloads all the malicious code it needs. Of course it disables the resident antivirus and stores the code in memory. In doing so, it avoids leaving traces on the hard disk that could be detected as infectious. – The most important issue about Rakshasa malware isn’t related to how it can infect victims randomly. But Brossard alerted the scientific community to the possibility of using it as a backdoor in hardware. In many cases doubt has been raised about if backdoors are present in devices, telecommunications in particular. – Hardware qualification is a serious problem. Let’s consider the impact of a compromised device in a military environment, or in any large systems. – “The whole point of this research is to undetectably and untraceably backdoor the hardware. What this shows is that it’s basically not practical to secure a PC at all, due to legacy architecture. Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.” Rakshasa backdoors continued • In a paper for Intel, Brossard said: • “There is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines that require any changes to BIOS to be signed with a cryptographic code. and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.” • But the above scenario isn’t far from what could happen in a manufacturing plant that’s compromised by hackers. Hardware backdoors inserted at gate level • Backdoors based on supplementary circuits, electronics component substitution and firmware. But the research is also evaluating more sophisticated methods based on the manipulation of dopant chemical elements. • Recently, a team of experts, composed by researchers Georg T. Becker, Francesco Ragazzoni, Christof Paar and Wayne P. Burleson, published a study on stealth dopantlevel hardware Trojans. – The study describes how it is possible to conduct a hardwarebased attack introducing legitimate circuits that aren’t detectable as Trojans. • Extremely stealthy approach for implementing hardware Trojans below the gate level, insert hardware Trojans by changing the dopant polarity of existing transistors. CCSDS Relavance Security of System • Flight systems are susceptible to the embedded viruses. • An advisory should be mentions in the treat book as to the necessary steps to mitigate these threats. BACK UP References • • • • Richard Clarke: All U.S. Electronics Could Be Infected http://defensetech.org GAO Buys Fake Submarine Parts http://defensetech.org Hardware Trojan Taxonomy: Chakraborty, Narasimhan & Bhunia (2010) More info: – – – – – – – – – – – – http://securityaffairs.co/wordpress/16748/hacking/spy-agencies-ban-on-lenovo-pcs-due-to-backdoorvulnerabilities.html http://securityaffairs.co/wordpress/7786/hacking/rakshasa-is-it-possible-design-the-perfect-hardwarebackdoor.html http://securityaffairs.co/wordpress/17875/hacking/undetectable-hardware-trojan-reality.html#! http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf http://securityaffairs.co/wordpress/1198/cyber-crime/hardware-qualification-a-must-in-a-cyberstrategy.html http://www.darpa.mil/NewsEvents/Releases/2012/11/30.aspx https://www.ideals.illinois.edu/bitstream/handle/2142/35322/Edwards_Nathan.pdf https://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&ved=0CGQQFjAE&url=http% 3A%2F%2Fwww.dtic.mil%2Fcgibin%2FGetTRDoc%3FAD%3DADA547668&ei=oRtHUuO4FsWrtAa63YCACw&usg=AFQjCNH3gt2JT4VuIsQ4VLr Pkp7Vr4xwOg&sig2=NMrLhCdNn8DLB9LyxJNr_Q&bvm=bv.53217764,d.Yms http://www.cs.columbia.edu/~simha/preprint_oakland11.pdf http://people.umass.edu/gbecker/BeckerChes13.pdf http://www.infosecisland.com/blogview/15095-DHS-Imported-Devices-Infected-with-Malware.html http://www.eecs.berkeley.edu/~csturton/papers/defeating-uci-oak11.pdf