
If an attacker has unlimited physical access to the CPU, but does not have access to memory, including RAM, can he attack and gain access to the user's data?

I heard the opinion that this is impossible according to the laws of physics, even with an electron microscope. Is it true?

  • Please expand the _"laws of physics"_ opinion. –  Jul 27 '18 at 20:49
  • Side-channel attacks are an obvious counterexample to this. Under some circumstances, they allow extracting cryptographic keys from processors only by observing physical side effects (power consumption, electromagnetic radiation) of the computation. – yyyyyyy Jul 27 '18 at 20:51
  • 5
    It's hard to imagine what the scenario actually is or how this scenario even happens. So the attacker has a CPU in his physical possession but does not have the rest of the computer? Or the CPU is installed but there are no RAM chips in the board? Or what? How does the attacker have unrestrained access to the CPU but not to RAM? – Ella Rose Jul 27 '18 at 20:52
  • 1
    This question needs further explanation and context... Please don't tell me that this question is related to recent marketing material/bounty for the BitFi hardware wallet. – hft Jul 30 '18 at 02:01
  • Are you explicitly excluding standard access mechanisms like JTAG? – forest Jul 30 '18 at 02:24

2 Answers


If you have physical access, you can pretty much get anything you want out of the CPU. Particularly if you have a semiconductor test lab. Here's a quick, incomplete list of how to get data out.

  • JTAG: JTAG is the simplest method as it does not require that you have any specialized equipment, and it's inexpensive ($100 USD). The downside is that you have to stop the clock. The system also might be aware that it is in boundary scan mode.

  • Probe Station: This is a complicated method. You decap the IC and then can physically probe metal lines to get power information if the circuits are CMOS, as it is voltage mode. The engineering time to know what you are looking for, and the cost of a probe station, is prohibitive. Outside of engineering time, you'll need $25k USD just for a probe station to get you 8 bits. It will go on up from there, but in the case of AES-NI, because it's a physical implementation, it's pretty obvious where the S-box hardware is. Also, on the one die that I saw with a SEM, it would be really easy to get to the data because the keys ran a long way on higher metal. Furthermore, the risk of damage to the IC is high because you are physically touching the wires.

  • Optically: This is the safest method to extract information, where you look at the emissions from "switching" that are created when you have hot carriers that put out an emission as they return to a lower energy level. This is an effect in classical physics that will always happen in a MOS device. You still need to decap the IC, and have a feel for what you are looking for specifically, but it does no physical damage. You also need a very good high-speed imager, a gas chamber for your inert gas to keep the die from oxidizing, and a good engineer. This very complicated method will set you back about $1M USD.

I have left out power attacks as I don't consider them to be very practical in most cases. I have decapped and FIB'd on power taps, but that's similar to the probe station method. Most large CPUs just have too much substrate noise for an external power attack at this point. You could also use quantum magnetometers to spy on the traces on the ICs; however, this is basically theory. Igor Savukov has magnetometers with sensitivity that is high enough to get B-field information out of traces, but that's also in the exotic range.

Basically, unless you are doing JTAG, it is generally out of the realm of probabilities for individuals.

b degnan
  • to be pedantic, I think you meant: "it is out of the realm of *probabilities* for individuals." – Lie Ryan Jul 30 '18 at 03:42
  • @LieRyan You are correct. I changed the answer to reflect this. Particularly because as an individual, I can do these attacks but I am a special case. – b degnan Jul 30 '18 at 10:34
  • `You could also use quantum magnetometers spy on the traces on the ICs` Do you have any resources that I can read more about this? I was under the impression that it did not take expensive or theoretical technology to sniff IC traces, just GHz-capable logic probes. – forest Sep 04 '18 at 06:43
  • 1
    @forest You have to "physical touch" lines with probes, which you can then design your system to be robust against. If the lines are voltage based, you might be able to do it if you don't violate timing. You can make pre-charge logic that then won't have enough charge to operate when probed. I don't believe there are any papers out there as it's a small group of us with procession magnetometers that are that good; however, I probably could do the same with a hard drive read head. I probably should write the paper. – b degnan Sep 04 '18 at 14:41
  • So these magnetometers are just another way to implement high-sensitivity logic probes, not another method of spying on a bus or traces all together? – forest Sep 04 '18 at 19:29
  • @forest They measure the B field from Maxwell's equations. They are tricky to use because you can see the field induced by electrons on a wire, or submarine 100km away. http://quspin.com/ is a vendor of some that you can get commercially. – b degnan Sep 05 '18 at 14:02
  • Why can sniffing the traces not be done by connecting a probe between them and the ground with a high-value resistor? It's not like you need to splice a live wire to detect when the voltage goes high. – forest Sep 06 '18 at 02:33
  • @forest it can in the classical sense; however, in reality, you generally have issues with charge sharing. If you stop your clock, there's no reason what you describe will not work well (outside of getting a probe on a 30nm wire). When I have a 0.2 fC gate that I need to charge in 100ps to make timing, things get hard. If you make your circuits to be robust to probing (or use precharge circuits), you'll see the glitch. One way to do these circuits is with Razor (https://blaauw.engin.umich.edu/). In voltage mode, I use asynchronous circuits so I see the completion violation. – b degnan Sep 07 '18 at 11:31
  • One comment on the answer, but the system will not necessarily know that it is in boundary scan mode since the CPU itself can be halted as soon as JTAG is used. – forest Sep 10 '18 at 02:29

If an attacker has unlimited physical access to the CPU, but does not have access to memory, including RAM, can he attack and gain access to the user's data?

If the attacker can listen in to the CPU instructions and register contents, he can obviously listen into the CPU as it processes the user data. In addition, if he can modify what the CPU does, he can have the CPU read the user data, even if the normal programming doesn't reference it.

I have no idea what the "laws of physics" have to do with it. About the only time that sort of thing can legitimately be invoked is if you're talking about a Quantum Key Distribution system or Quantum Random Number Generator, which we're not talking about.

poncho
  • How can you possibly _"listen in on CPU instructions and register contents"_, much less modify its operation in real time? –  Jul 27 '18 at 20:58
  • 1
    @PaulUszak: In the past, I've used an In Circuit Emulator for a CPU that gave me precisely this level of access. If we assume the attacker has "unlimited" access to the CPU (which the question posited), I don't see any specific reason to assume a lesser level of access – poncho Jul 27 '18 at 21:08
  • 1
    Do you think that would work on a 4GHz Xeon? You can't slow step them and there isn't any JTAG access. And in a laptop the CPUs are likely to be soldered in. Plus reverse engineering non trivial machine code is virtually impossible, so the attacker wouldn't understand any of the code. Further, a modern CPU is effectively non deterministic at the nanosecond scale adding to the obfuscation. –  Jul 27 '18 at 21:46
  • 6
    @PaulUszak The claim that "reverse engineering non trivial machine code is virtually impossible" is just wrong. Of course some pieces of (machine, or any other) code may be hard to understand, but I have yet to see a program that a sufficiently skilled individual cannot understand at all when given enough time and coffee. – yyyyyyy Jul 27 '18 at 22:38
  • @yyyyyyy Windows 10 running on the OP's CPU. –  Jul 27 '18 at 22:57
  • 2
    @PaulUszak no one has reverse engineered Windows 10 fully yet because no one needed to do so, not because there is anything that prevents it. – Maya Jul 29 '18 at 20:29
  • @PaulUszak Why do you say there isn't any JTAG access? – forest Jul 30 '18 at 01:56
  • 2
    @NieDzejkob Where did anyone get the impression that Windows 10 had not been reverse engineered many, many, many times? – Lie Ryan Jul 30 '18 at 03:47
  • @LieRyan "I have yet to see a program that a sufficiently skilled individual cannot understand at all when given enough time and coffee." – yyyyyyy / "@yyyyyyy Windows 10 running on the OP's CPU." – Paul Uszak. Also note the "fully". – Maya Jul 30 '18 at 11:01
  • How do you "listen to register contents" with just physical CPU access? Unlimited _physical_ access does not mean unlimited access in the abstract sense. – forest Sep 04 '18 at 06:48