Rakshasa is malware buried deep inside the firmware of an Intel motherboard, granting backdoor access to any outside party who knows what to look for. Rakshasa can replace the original boot firmware at the time of manufacturing and is extremely difficult to detect. Security expert Jonathan Brossard demonstrated his code at the Black Hat convention in Las Vegas in July. His aim is to raise awareness about the dangers of non-open-source firmware. You could be buying a computer, or any hardware for that matter, with a backdoor already installed.

And that is exactly what is keeping some people at the US Department of Defense up at night.

The military is increasingly dependent on information technology and it uses commercial components to build its devices. But most hardware is manufactured outside US borders. The DoD fears that backdoors or malicious software might be pre-installed on chips, allowing an adversary to listen in on communications or disable the chip altogether. If the chips at the core of the US defense system were to turn against it, the system would be seriously crippled. We’re talking sci-fi movie scenario kind of crippled.

The problem is the insecurity of the global supply chain. Devices are assembled from hundreds or thousands of components, each coming from different parts of the world, making it impossible to verify the trustworthiness of every supplier.

Nor is it possible to subject every component to an exhaustive test excluding every possible vulnerability. Today’s tests are set up to determine if the chip performs its specified functions correctly. But it is quite another thing to determine whether a chip has any unspecified functions. It's considered impossible because the sheer number of possibilities is just mind-boggling.

Well, at least until now, because that is exactly what DARPA, the DoD’s innovative research agency, is planning to do. The agency wants to demonstrate the absence of malware in every individual device the DoD is going to buy in the future. For its Vetting Commodity IT Software and Firmware (VET) program DARPA is inviting security experts to ‘look for innovative, large-scale approaches to verifying the security and functionality of commercial information technology devices bought by the DoD’.

The VET program aims to achieve three things: First, come up with a checklist stating which components should be tested and which malicious functionalities to look for. Secondly, a means to demonstrate the absence of malware in said components. And thirdly, scaling up the testing so that non-specialist technicians can prove the absence of malware in every device newly bought by the DoD.

It may sound ambitious in light of the present state of things but that is exactly what Tim Fraser, program manager at DARPA, is aiming for. ‘Rigorously vetting software and firmware in each and every device is beyond our present capabilities, and the perception that this problem is simply unapproachable is widespread. The most significant output of the VET program will be a set of techniques, tools and demonstrations that will forever change this perception.’
