
I heard that attacks that focus on the bus between a chip's blocks (e.g. between the CPU and functional blocks / memory blocks) are possible. The buses become the weak parts of hardware security. Then secrets such as secondary keys can be read out from the bus.

Is this kind of attack really achieved by someone or just staying at the theory stage?

If it is already a practical attack, how are the secrets read out from the bus, and is there any effective way to prevent it? What do the chip manufacturers do to reduce this risk?

S.L. Barth
TJCLK

3 Answers


Do you mean the buses between chips, or within a single chip?

If the first case, yes, it's quite practical. For example, Andrew "bunnie" Huang describes doing it in detail in chapter 8 of his book Hacking the Xbox.

In the second case, it is much harder. You need to decapsulate the chip without destroying it and then probe the wires within the chip. This can be, and is, done, but it is much more expensive. Chips can be probed with (very small) physical wires, with an electron-beam probe, or by observing infrared light emitted by PN junctions on the chip.

Wim Lewis
  • Within a single chip. I heard many manufacturers implement physical tamper-resistance circuitry (or similar names). You mentioned "decapsulate the chip without destroy". So the main function of such circuitry is to destroy the internal circuits when someone tries to decapsulate? And BTW, is such a bus vulnerability a popular issue that manufacturers are concerned about now? – TJCLK Dec 14 '15 at 05:49
  • Manufacturers only worry about it for chips which are supposed to be tamper-resistant, like smartcards or SIMs. You might be interested in this: http://www.engr.uconn.edu/~tehrani/teaching/hst/11%20Physical%20Attacks%20and%20Tamper%20Resistance.pdf – Wim Lewis Dec 14 '15 at 06:03

Is it possible? Yes. Hook an oscilloscope, or a logic probe, or a similar instrument up to the memory bus, and you can read the data as it goes by.

Is it practical? Not really. It requires physical access to the computer, and some rather expensive equipment. If an attacker has that level of access, there are generally easier ways to get the data they're after.

Mark

Yes, such attacks are possible and practical. It sounds like you are thinking of a DMA attack in which an attacker connects a cable to a machine and reads certain bytes from the RAM. The attackers typically target cryptographic keys, such as those that may be encrypting the hard drive.

Since the keys are needed to boot the machine, they are present in RAM long before a user would be prompted to log on. And the DMA devices are active almost from the moment they receive power.

The best way to prevent bus attacks is to physically secure your equipment.

John Deters
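The DMA attack described in the answer above works because a bus-master device is allowed to read any physical address, so a key sitting in RAM is reachable from the cable. Besides physical security, the hardware control that narrows what an external device may address is the IOMMU (Intel VT-d / AMD-Vi), and for Thunderbolt ports the firmware's security level decides whether an unknown device even gets a PCIe tunnel. The script below is an added example, not code from the original Q&A or from any of its authors: it evaluates a Linux host's DMA-protection posture from the artefacts the kernel exposes (`/proc/cmdline`, `/sys/kernel/iommu_groups`, `/sys/bus/thunderbolt/devices/domainN/security`). The `assess()` function works on plain values so it can be exercised with constructed sample data; `read_live()` gathers the same values from a real host and is assumed to be run on Linux.

```python
"""Assess a Linux host's DMA-attack posture (added example, not from the original post).

Inputs checked:
  - /sys/kernel/iommu_groups : non-empty only when an IOMMU is active; this is the
    authoritative signal, because AMD-Vi is usually on by default while Intel VT-d
    often needs intel_iommu=on.
  - /proc/cmdline : iommu=pt or iommu.passthrough=1 identity-maps kernel-owned
    devices, which weakens the isolation the IOMMU provides.
  - /sys/bus/thunderbolt/devices/domainN/security : 'none' hands a PCIe tunnel to
    any device plugged in; 'user' or 'secure' require authorisation first.
"""
import os
import re
from dataclasses import dataclass, field

IOMMU_GROUPS = "/sys/kernel/iommu_groups"
CMDLINE = "/proc/cmdline"
TB_DEVICES = "/sys/bus/thunderbolt/devices"

# Kernel parameters that influence the IOMMU (matched as whole key=value tokens).
IOMMU_PARAM = re.compile(r"^(intel_iommu|amd_iommu|iommu|iommu\.passthrough|iommu\.strict)=")


@dataclass
class DmaPosture:
    iommu_groups: int
    cmdline_flags: list
    passthrough: bool
    thunderbolt_security: dict
    findings: list = field(default_factory=list)

    @property
    def dma_isolated(self) -> bool:
        """True when an IOMMU is active and not running in passthrough mode."""
        return self.iommu_groups > 0 and not self.passthrough


def cmdline_iommu_flags(cmdline: str) -> list:
    """Return the IOMMU-related tokens from a kernel command line string."""
    return [tok for tok in cmdline.split() if IOMMU_PARAM.match(tok)]


def is_passthrough(flags) -> bool:
    return any(f in ("iommu=pt", "iommu.passthrough=1") for f in flags)


def assess(cmdline: str, iommu_group_names, tb_security) -> DmaPosture:
    """Evaluate posture from raw values so the logic is testable without sysfs."""
    flags = cmdline_iommu_flags(cmdline)
    posture = DmaPosture(len(iommu_group_names), flags, is_passthrough(flags), dict(tb_security))
    if posture.iommu_groups == 0:
        posture.findings.append("no IOMMU groups: devices can DMA to any physical address")
    if posture.passthrough:
        posture.findings.append("iommu=pt: kernel-owned devices run with identity mapping")
    for domain, level in posture.thunderbolt_security.items():
        if level == "none":
            posture.findings.append(f"{domain}: Thunderbolt security level 'none' (PCIe tunnel granted to any device)")
    return posture


def read_live() -> DmaPosture:
    """Collect the same inputs from the running host (empty posture on non-Linux systems)."""
    cmdline = open(CMDLINE).read() if os.path.exists(CMDLINE) else ""
    groups = os.listdir(IOMMU_GROUPS) if os.path.isdir(IOMMU_GROUPS) else []
    tb = {}
    if os.path.isdir(TB_DEVICES):
        for name in os.listdir(TB_DEVICES):
            sec = os.path.join(TB_DEVICES, name, "security")
            if name.startswith("domain") and os.path.exists(sec):
                tb[name] = open(sec).read().strip()
    return assess(cmdline, groups, tb)


if __name__ == "__main__":
    # Constructed sample: IOMMU on but in passthrough mode, Thunderbolt wide open.
    sample = assess("BOOT_IMAGE=/vmlinuz root=/dev/sda1 intel_iommu=on iommu=pt",
                    ["0", "1", "2"], {"domain0": "none"})
    print("constructed sample isolated:", sample.dma_isolated)
    for f in sample.findings:
        print("  -", f)
    live = read_live()
    print("this host isolated:", live.dma_isolated, live.findings or "(no findings)")
```

A host with no IOMMU groups at all is the case the answer describes: any bus-master device on the cable can read RAM, and only physical control of the machine stands in the way. With groups present and passthrough off, an attached device is confined to the pages the driver explicitly maps for it.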