Research Projects

  • Defensive Routing

    Defeating A2 with Defensive Routing

    Fabrication-time attacks, i.e., the insertion of hardware Trojans into an integrated circuit (IC) design at fabrication time, are an increasing worry because only three companies (Samsung, TSMC, and Global Foundries) are capable of fabricating leading-edge silicon at scale. Defensive Routing is a routing-centric defense designed to thwart the insertion of hardware Trojans, like the A2 Trojan, by surrounding security-critical wires with tamper-evident guard wires.

    Since the inception of the integrated circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, the associated massive complexity forces IC designers to outsource fabrication. Outsourcing presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know whether the foundry has altered your design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because—with as little as two gates—hardware Trojans can completely undermine software security. Prior work attempts to both detect and prevent such foundry-side attacks, but all existing defenses are ineffective against the most advanced hardware Trojans.

    Defensive Routing (DR) is a preventive layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. DR is directed and routing-centric: it prevents foundry-side attackers from connecting rogue wires to security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, DR guard wires present an additional technical challenge: they must be tamper-evident in both the digital and analog domains. To address this challenge, we present two different categories of guard wires: natural and synthetic. Natural guard wires are comprised of pre-existing wires that we route adjacent to security-critical wires, while synthetic guard wires are added to the design specifically to protect security-critical wires. Natural guard wires require no additional hardware and are digitally tamper-evident. Synthetic guard wires require additional hardware, but are tamper-evident in both the digital and analog domains.


    Research Paper
  • ICAS

    ICAS: Integrated Circuit Attack Surface

    With only three companies in the world (Samsung, TSMC, and Global Foundries) capable of fabricating leading-edge silicon at scale, even nation states must trust third parties to manufacture their silicon without modifying the original design (e.g., mounting a fabrication-time attack). Unfortunately, no computer-aided design (CAD) tool exists to help integrated circuit (IC) designers optimize the physical layouts of their designs for security, i.e., resilience to fabrication-time attacks. ICAS fills this gap as the first open-source framework for computing security metrics about an IC layout.

    The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabricated IC makes comprehensive inspection infeasible. Since prior work shows the feasibility of fabrication-time attackers’ evasion of existing post-fabrication defenses, IC designers must be able to protect their physical designs before handing them off to an untrusted foundry. To this end, recent work suggests methods to harden IC layouts against attack. Unfortunately, no tool exists to assess the effectiveness of the proposed defenses—meaning gaps may exist.

    We present an extensible IC layout security analysis tool called IC Attack Surface (ICAS) that quantifies defensive coverage. For researchers, ICAS identifies gaps for future defenses to target, and enables the quantitative comparison of existing and future defenses. For practitioners, ICAS enables the exploration of the impact of design decisions on an IC’s resilience to fabrication-time attack. ICAS takes a set of metrics that encode the challenge of inserting a hardware Trojan into an IC layout, a set of attacks that the defender cares about, and a completed IC layout and reports the number of ways an attacker can add each attack to the design. While the ideal score is zero, practically, our experience is that lower scores correlate with increased attacker effort.


    Research Paper
    Nemo Repository
    GDS2Score Repository
  • Walnut

    Walnut: Acoustic Attacks on MEMS Accelerometers

    It had been theorized that inertial MEMS sensors (e.g., accelerometers and gyroscopes) were susceptible to acoustic interference. In this project, we demonstrate how an attacker can modulate acoustic signals to leverage full control over the outputs of inertial MEMS sensors, and therefore the autonomous systems that utilize such devices.

    Billions of accelerometers reside inside smartphones, automobiles, medical devices, anti-theft devices, drones, IoT devices, and many other industrial and consumer applications. My work investigates how analog acoustic injection attacks can damage the digital integrity of the capacitive MEMS accelerometer. Spoofing such sensors with intentional acoustic interference enables an out-of-spec pathway for attackers to deliver chosen digital values to microprocessors and embedded systems that blindly trust the unvalidated integrity of sensor outputs. The contributions of my work include (1) modeling the physics of malicious acoustic interference on MEMS accelerometers, (2) discovering the circuit-level security flaws that cause the vulnerabilities by measuring acoustic injection attacks on MEMS accelerometers as well as on systems that employ these sensors, and (3) two software-only defenses that mitigate many of the risks to the integrity of MEMS accelerometer outputs.


    Project Website
    Summary Video
    Research Paper
    Demo Video: Smartphone Attack
    Demo Video: Fitbit Attack
    Attack Audio

    Media Coverage:

    The New York Times, CNBC, IEEE Spectrum, Science Friday, University of Michigan, University of Michigan: CSE Department, IFL Science, Gizmodo, Fortune, CNET, Tom's Hardware, The Register, E&E News, EE Journal
  • Cloaking Order in Chaos

    Subverting the Linux Random Number Generator via the Xen Hypervisor

    Course project (EECS 588: Computer and Network Security) in which we built attacks to programmatically control the output of /dev/random and /dev/urandom, as well as the generation of private keys for Diffie-Hellman key exchanges in Apache2/OpenSSL, from the hypervisor, without modifying the virtual machine. We explored the artifacts these attacks leave behind and proposed detection methods to combat their use in the wild.

    In the modern domain of computing, Nation State Adversaries (NSAs) are often characterized as having the most resources, researchers, and legal authority. We investigate a hypothetical attack vector an NSA could use to gain widespread access to modern communications and web services. We present the scenario in which an NSA has obtained superuser privileges on a fraction of the host machines of a cloud service provider. Specifically, we investigate how an NSA can subvert a virtual machine’s Random Number Generator (RNG) via the hypervisor so that it produces deterministic outputs.

    In this paper we describe our attack prototype against the Linux 4.4.6 kernel. Our attack subverts reads from /dev/random and /dev/urandom and allows an attacker to produce a deterministic byte stream. We extend this attack to work against user space RNGs, specifically the OpenSSL RNG which is used by modern web servers such as Apache2 and NGINX. Finally, we describe a detection scheme for the Linux RNG and discuss how we can extend the scheme to work against this class of attacks.


    Technical Report
    LibVMI Source Code
  • UbiCrypt

    UbiCrypt: Making Ubiquitous Encryption Compatible with Enterprise Security

    Course project (EECS 589: Advanced Networking) in which we designed an alternative to split TLS, demonstrated using the QUIC protocol, that leaks TLS session keys in real time to the network gateway, allowing network traffic introspection while maintaining end-to-end encryption between the client and server.

    In many enterprise environments, network traffic introspection is a necessity. To make this possible, current implementations man-in-the-middle all network traffic using a technique known as split TLS. This has many drawbacks, including breaking the fundamental notion of end-to-end encryption. In this project we present UbiCrypt, an alternative to split TLS, which maintains end-to-end encryption, while still allowing trusted introspection on local network traffic. UbiCrypt provides a mechanism to securely leak ephemeral session encryption keys to a trusted gateway. UbiCrypt is easily deployable as it only requires software modifications and additions to the client and trusted gateway, not endpoint servers, which may not be owned by the enterprise.

    UbiCrypt was demonstrated using the QUIC protocol and its implementation in the publicly available Chromium source code. To add client support, we made slight modifications to the QUIC client code and added an external software module. To add gateway support, we built a prototype using iptables, the Linux kernel firewall. We evaluated UbiCrypt using a virtual network topology built with minimega, a virtual machine (VM) management tool. We demonstrate that UbiCrypt is practical by loading a small (1.6KB) webpage, showing that the overhead observed when using UbiCrypt was very similar to the overhead observed when using split TLS: 45.08 and 39.00 milliseconds, respectively.


    Technical Report