Temperature: An increasingly concerning issue for chip security experts

Even though the threat of temperature to chip security is currently still mainly at the laboratory stage, it can still become a vulnerability waiting to be exploited in the hands of those with malicious intent.

Everyone in the semiconductor industry wants to have the hottest new product, but this literal high temperature not only poses a threat to product stability and performance, but also to the security of the chip itself.

Because the physical effects of heat on performance are hard to predict, temperature has become a focus of security researchers. Like humans, the chips inside devices can only work normally within a strict range of conditions: temperature, voltage, radiation, and the surrounding environment all affect how the chip behaves.

These conditions exist most of the time, but not always. "Just as humans like room temperature, so do chips," said Marc Witteman, CEO of Riscure (recently acquired by Keysight). "They work well at room temperature, but if the temperature becomes extremely extreme, then things may be different. Traditionally, we think that within any of these parameters, the chip can work well, and outside of this range, it cannot work. But in reality, there is a gray area where the chip can work most of the time, but it may not always work as well as you want. This area is very interesting to security researchers because if you go from working well to not working at all, then the security impact is not great, because the device is already unusable. Think about your electric car. If it freezes, then it will no longer drive, which is a problem. But at least it won't crash. However, if the temperature reaches a certain range, your car may start to crash or do other things you don't want it to do. That's really tricky."


Heat can be used to crash a system or device outright, but it also poses a second type of threat, the temperature-based side-channel attack, which has only recently been recognized.

"This is a relatively new field of research," said Lang Lin, Chief Product Manager of Ansys. "In the past, people thought that temperature was just a slow response of the system. It's not like what we talk about with electricity or electromagnetism; those are immediate signals of the system, but temperature is usually slow," which means it is difficult to immediately extract any sensitive information from the system.

Direct Attack

Thermal attacks are nothing new. In a paper from 2005, researchers at the University of Virginia warned that malware could be written to alter the way chips dissipate heat, thereby raising their temperature. Using a Pentium 4 chip on an ASUS motherboard in a Windows XP machine, the paper listed several ways to achieve this, including using thermal throttling to launch a denial-of-service attack, which can be triggered by blocking air vents or by shutting down the system's fan through software. Another denial-of-service method is to find ways to raise the temperature until the computer is forced to reset. Heat can also be used to gradually damage components, causing them to age faster than normal. The researchers believed that even more serious damage could be caused by disabling the computer's fail-safe systems.

This paper is almost twenty years old, and since its publication, chips have undergone considerable changes, but heat remains a threat. In fact, Scott Best, Senior Principal Engineer at Rambus, pointed out that the transparency of silicon to infrared energy allows attackers to conduct semi-invasive attacks by heating the inside of the chip.

Best said: "Your adversary actually has the silicon chip, they have disassembled the silicon chip, and are looking at the back of the active chip and shooting a laser at it. These lasers are tuned to the near-infrared spectrum. It is usually in the near-infrared region because silicon is transparent in the infrared region, so they are actually creating hot spots about 100 nanometers in size inside the chip. They are creating local hot spots that are pushing charges into certain parts of the chip. This attack is called fault injection, and your adversary is trying to sabotage secure computing."

In this attack, the target is a chip that loads its firmware from non-volatile memory at system startup and then runs a cryptographic process to verify that firmware. If the adversary shoots the laser at the right part of the chip at the right time, "it will not report zero to indicate inauthenticity, but will report one, indicating everything is normal. Now, this malicious firmware image has been loaded into the chip and is running."

This type of attack may not attract media attention, but Best said that it has been created under laboratory conditions and described in a recent paper. Researchers were able to make the malicious firmware image run and execute with high permissions, allowing it to remove other protections in the system.

"It went into the fuse memory and adjusted the fuse memory to indicate 'make sure you always allow the adversary's code to run correctly.' Then, you can take it out of the fault injection system and put it back into the system, and now it will be very happy to accept malware because the permissions have now been granted or removed. The malicious software that ran for the first time has now been deleted and disabled all the protective measures, so the system is now permanently damaged."
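As an added illustration (not code from the article or from any vendor quoted in it), here is a C sketch of the 0-or-1 boot verdict Best describes beside a hardened form, with a toy checksum standing in for the real signature check; the image contents, the BOOT_OK/BOOT_FAIL patterns and all function names are constructed for the example. The harness at the end models a single upset that flips one bit of the stored verdict, which is enough to boot the naive version but not the hardened one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample images (not real firmware). */
static const uint8_t GOOD_IMG[] = "constructed: signed vendor firmware";
static const uint8_t BAD_IMG[]  = "constructed: tampered firmware image";

/* Toy stand-in for the real signature check (FNV-1a checksum). A boot
 * ROM would verify an RSA/ECDSA signature here; the verdict handling
 * below is what matters for the fault-injection discussion. */
static uint32_t toy_digest(const uint8_t *img, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 16777619u; }
    return h;
}
uint32_t good_tag(void) { return toy_digest(GOOD_IMG, sizeof GOOD_IMG); }

/* Naive verdict: 1 = authentic, 0 = not. Turning the 0 into a 1 with a
 * single localized upset (the case Best describes) is enough to boot. */
int naive_verify(const uint8_t *img, size_t len, uint32_t tag) {
    return toy_digest(img, len) == tag ? 1 : 0;
}
bool naive_accepts(int verdict) { return verdict != 0; }   /* "if (ok)" */

/* Hardened verdict: "authentic" is a wide pattern whose every bit differs
 * from "failed", the check runs twice, and the two results must agree.
 * volatile keeps the compiler from merging the two runs into one. */
#define BOOT_OK   0xA5C3A5C3u
#define BOOT_FAIL 0x5A3C5A3Cu
uint32_t hardened_verify(const uint8_t *img, size_t len, uint32_t tag) {
    volatile uint32_t v1 = (toy_digest(img, len) == tag) ? BOOT_OK : BOOT_FAIL;
    volatile uint32_t v2 = (toy_digest(img, len) == tag) ? BOOT_OK : BOOT_FAIL;
    if (v1 != v2) return BOOT_FAIL;    /* disagreement: treat as a glitch */
    return v1;
}
bool hardened_accepts(uint32_t verdict) { return verdict == BOOT_OK; }

/* Fault-model harness: flip one bit of the stored verdict, as a single
 * localized upset might, and ask whether the boot logic still rejects. */
bool naive_rejects_after_flip(const uint8_t *img, size_t len, uint32_t tag, int bit) {
    int v = (int)((unsigned)naive_verify(img, len, tag) ^ (1u << bit));
    return !naive_accepts(v);
}
bool hardened_rejects_all_single_flips(const uint8_t *img, size_t len, uint32_t tag) {
    for (int bit = 0; bit < 32; bit++) {
        uint32_t v = hardened_verify(img, len, tag) ^ (1u << bit);
        if (hardened_accepts(v)) return false;
    }
    return true;
}
```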

While this type of attack obviously poses a danger to individual chips or systems, it may have broader implications. It can allow attackers to access secrets stored on the chip and obtain valuable data about an entire series of chips. "If other chips in the product line are authenticated ICs, and this authenticated IC protects consumables for medical devices, it is a $10 billion industry, and the only factor preventing the adversary from shipping compatible medical components is this $20 authentication chip. They will use fault injection to crack this authentication chip. They will obtain your key material. They will launch compatible security chips. Now they are stealing most of your $10 billion a year."

The solution to this problem seems obvious - just use different keys in each device - but Witteman pointed out that this is not always possible. "If you design a new chip and want to produce a million, you usually produce a million identical copies. They will all have the same data initially," he said. "If it involves setting up secrets for secure communication, then it is the same for all these chips. So, this problem arises when the first data is loaded onto the chip. All their secrets are the same."

Lin said that another solution is proper monitoring. "If you have a good thermal sensor design, the system can respond immediately," he said. "When you detect high temperatures, you shut down the system, and you can still protect it."

Although these heat-based attacks are usually only theoretical, they can also lead to data theft. Lin uses a computer with two different web browsers installed as an example of how this could be achieved.

"Suppose you are opening a Chrome web server, instead of Safari or Firefox, and then you search for a website. From the moment you click to when the website is presented to you, the entire operation takes some time. This raises the temperature of the chip that correctly performs this operation. It's like a set of operations. The stable temperature of this different browser may be at a different temperature. Suppose Chrome might raise your temperature by two degrees, while Safari might raise your temperature by three degrees. This subtle difference, if you think about it carefully, can be perceived by some very precise temperature sensors."

Remote attacks

To exploit heat to attack a chip, direct access is not always required. Although Lin said he couldn't think of many historical remote thermal attacks immediately, they are still a possible method of penetration. However, Best pointed out that there are usually very strict measures to limit possible physical or economic damage.

"Denial of service attacks can be carried out in this way," said Best. "You can shut down remote servers by having some malicious hardware start consuming much more performance than intended. Usually, these remote servers carefully allocate the number of computing cycles allowed for each client, and they are willing to charge you according to the CPU cycles you actually use. So, if you consume so many cycles, they may move you to your own private server and charge you an unlimited fee, but you won't bring the server down. They will just continue to charge you more and transfer your computing load to other blades to manage the overall situation. So, if you can bring the server down, this is a potential denial of service path, but in a normal data center setting, a large number of protective measures have been set for the number of CPUs that any user can execute."

Although distributed denial of service (DDoS) attacks are unlikely, Best did point out that temperature can also be used indirectly for hacking purposes. Many cooling systems are programmed to automatically adjust to the level of heat generated inside the system, which provides another avenue for attack.

"There have been papers published, pointing out that this creates a so-called acoustic side-channel, because you just need to listen to the fan speed," he said. "The fan speed is adjusted so quickly that the actual computation that is now happening is related to the fan speed. So, if you listen carefully enough to the fan speed, you can actually collect some information about what is actually happening in the computation. People have been able to associate the fan speed with the key material and the processing of key material inside the system by forcing the system to generate computation and then increasing the fan speed. The fan speed will vary slightly according to the level of computation, which can give you real-time information about power consumption."

Conclusion

Temperature-based attacks currently seem difficult to carry out and usually require laboratory-like conditions to be executed correctly. But Witteman warns that this will not always be the case, and that continued experimentation is needed to strengthen defenses. Security experts have already started to take heat-based vulnerabilities seriously, working to identify every way they could be exploited before bad actors draw the same conclusions.

"We believe that as time goes on, the attacks will only get worse. The attacks will not become more difficult, but easier," said Witteman. "When it comes to heat, this is a method that requires precise equipment. Therefore, generally speaking, it is less likely that someone will withdraw money from your bank account just because you carry a bank card in a public place. There may be other methods that are more suitable for this approach. If you are particularly concerned about heat, then the application may need to be conducted in a laboratory. But then again, if the attacker is also the owner of the equipment, it is not impossible either."