[121861] in cryptography@c2.net mail archive
Re: "Designing and implementing malicious hardware"
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Apr 28 15:57:48 2008
To: Ed Gerck <edgerck@nma.com>
Cc: Cryptography <cryptography@metzdowd.com>
From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 28 Apr 2008 15:28:06 -0400
In-Reply-To: <481611B2.1000805@nma.com> (Ed Gerck's message of "Mon\, 28 Apr 2008 11\:04\:34 -0700")
Ed Gerck <edgerck@nma.com> writes:
> Each chip does not have to be 100% independent, and does not have to
> be used 100% of the time.
>
> Assuming a random selection of both outputs and chips for testing, and
> a finite set of possible outputs, it is possible to calculate what
> sampling ratio would provide an adequate confidence level -- a good
> guess is 5% sampling.
Not likely.
Sampling will not work. Sampling theory assumes statistical
independence and that the events that you're looking for are randomly
distributed. We're dealing with a situation in which the opponent is
doing things that are very much in violation of those assumptions.
The opponent is, on very very rare occasions, going to send you a
malicious payload that will do something bad. Almost all the time
they're going to do nothing at all. You need to be watching 100% of
the time if you're going to catch him with reasonable confidence, but
of course, I doubt even that will work given a halfway smart attacker.
The paper itself describes reasonable ways to prevent detection on the
basis of most other obvious methods -- power utilization, timing
issues, etc, can all be patched over well enough to render the
malhardware invisible to ordinary methods of analysis.
Truth be told, I think there is no defense against malicious hardware
that I've heard of that will work reliably, and indeed I'm not sure
that one can be devised.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
