Aug_EDFA_Digital
edfas.org ELECTRONIC DEVICE FAILURE ANALYSIS | VOLUME 23 NO. 3 | page 18
THE THREAT OF MALICIOUS CIRCUIT-BOARD ALTERATION: ATTACK TAXONOMY (continued from page 15)

A layout attack is one in which the circuit-board layout file is maliciously altered. One symptom of a layout attack should be clear: such a board would not match its schematic. A layout tool has powerful capabilities because it has access to the board's netlist, which includes important information such as signal names, pin numbers, and interconnection information, as well as handy information such as package footprints. Detecting an attack involves a careful comparison of the circuit board to its original schematic and, unless it has been corrupted, its bill of materials.

A design-file attack is one in which the design file, such as the Gerber file, is maliciously altered. This is very similar to a layout attack in that the attacker has access to the physical layout of the board. Unlike a layout attack, however, the attacker does not know the names of signals or the identities of components, such as integrated circuits or resistor values. Conversely, with access to a complete set of Gerber files, it is not terribly difficult for an experienced designer to figure out the basics of a circuit board. For example, most designs have a single processor or microcontroller, which is a strikingly large component on a design. They interface with peripherals, like the flash memory needed for BIOS or sensors, over interfaces like SPI or I2C. Some interfaces, such as I2C and CAN, usually contain pullup resistors or terminating resistors that make identification possible. As with a layout attack, detection involves a careful comparison of the circuit board to its original schematic and its bill of materials. An example design-file attack was recently described.[4]

A rework attack is one in which a part is added onto a board by hand after manufacturing. This type of attack may actually be easier than a design-file attack because the attacker has access to a fully assembled board and can therefore identify components and pinouts. Conversely, detecting this type of attack is usually straightforward because components that are added by hand are often easy to spot. The attacker normally relies on the fact that boards inside fully assembled units are rarely examined. This was the type of attack mounted on a server serial port.[3]

The first three types of attack involve altering the design of the circuit board itself. Stated differently, they entail the creation of a maliciously altered counterfeit circuit board. Mounting a successful attack involves three more steps: inserting the counterfeit board into the supply chain, populating the board with the altered component, and shipping the board to desired targets.

Inserting counterfeit boards into the supply chain may be straightforward, depending on the security of shipments from the board's fabricator to the factory where assembly occurs. All aspects of this chain have to be considered, including the receiving area of the assembly facility.

Populating the board with an altered component could be simple or complicated. A simple way to populate the board is to add it in the assembly facility's repair area. It is quite normal for newly fabricated boards to fail manufacturing testing and require minor rework. Adding a component in repair would be extremely simple, merely requiring one employee to bring in almost-microscopic surface-mount components and add them using the tools already found at the repair station. A much more complicated way would be to add the component to the assembly process. This entails adding the part to the feeder system and programming a pick-and-place machine to add the component. This would either be nearly impossible or require the cooperation of the assembly facility's management.

Shipping the boards with altered components could either be done at random, relying on adding parts to a fraction of assemblies, or could be targeted. The targeting would only require one employee who knows which assemblies have altered components and which targets are desirable. In other words, it would only require the action of one employee in the shipping area. Note that a rework attack requires much less planning; an attacker simply obtains a system and adds malicious components to it by hand.

A second aspect of the taxonomy is the mode of attack; there are two modes of attack. The first is to change a component's footprint to add extra pins, known as altered component mode. For example, a two-pin footprint for a resistor could be replaced by an eight-pin footprint for a resistor network. The six extra pins could be used to supply power and ground to a small microcontroller with a SPI, CAN, or I2C interface. The second is to add a new component to the board's design. This is called added component mode. It is normal for assembled circuit boards to contain population options, such as extra circuitry used in debugging and development and not in production. Hence it is normal for assembled circuit boards to contain unpopulated footprints.

To fool an inspector, an added component would probably also need a reference designator. A reference designator is the human-readable text marking found next to each component. A component without a reference designator
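The detection step the article prescribes (comparing the built board to its schematic and bill of materials) can be mechanised, and the two modes just described supply its rules. The following is an added example, not code from the article or from any EDA vendor: it cross-checks a constructed schematic/BOM record against a constructed layout/assembly record and reports a swapped footprint with extra pins (altered component mode), a reference designator the schematic never defined, and a population-option footprint the BOM marks unpopulated but the layout populates (both added component mode). The simplified record format, the part names and the footprint names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Part:               # hypothetical simplified record for one footprint
    refdes: str           # reference designator printed next to the part
    footprint: str        # package footprint name
    pins: int             # pin count of that footprint
    populated: bool       # False for a population option (DNP footprint)

# Constructed sample: what the schematic and its BOM say the board contains.
SCHEMATIC_BOM = {
    "U1":  Part("U1",  "QFP-64",   64, True),   # microcontroller
    "U2":  Part("U2",  "SOIC-8",    8, True),   # SPI flash
    "R12": Part("R12", "R0603",     2, True),   # I2C pullup
    "R13": Part("R13", "R0603",     2, True),
    "J5":  Part("J5",  "HDR-1x6",   6, False),  # debug header, not populated
}

# Constructed sample: what the layout and assembly records show was built.
LAYOUT = {
    "U1":  Part("U1",  "QFP-64",   64, True),
    "U2":  Part("U2",  "SOIC-8",    8, True),
    "R12": Part("R12", "RNET-8",    8, True),   # 2-pin footprint swapped for an 8-pin network
    "R13": Part("R13", "R0603",     2, True),
    "J5":  Part("J5",  "HDR-1x6",   6, True),   # DNP footprint now populated
    "R14": Part("R14", "SOT-23-6",  6, True),   # refdes the schematic never defined
}

def compare_board(schematic, layout):
    """Return (refdes, finding, detail) for each mismatch between the two views."""
    findings = []
    for ref, built in sorted(layout.items()):
        expected = schematic.get(ref)
        if expected is None:          # added component mode: unknown refdes
            findings.append((ref, "added-component", "refdes not in schematic or BOM"))
            continue
        if (built.footprint, built.pins) != (expected.footprint, expected.pins):
            findings.append((ref, "altered-component",   # altered component mode
                             f"{expected.footprint}({expected.pins}) -> {built.footprint}({built.pins})"))
        if built.populated and not expected.populated:   # population option abused
            findings.append((ref, "added-component", "BOM marks DNP but layout populates it"))
    for ref in sorted(set(schematic) - set(layout)):
        findings.append((ref, "missing", "schematic part has no footprint in layout"))
    return findings

if __name__ == "__main__":
    for ref, kind, detail in compare_board(SCHEMATIC_BOM, LAYOUT):
        print(f"{ref:4} {kind:18} {detail}")
```

On the constructed sample this reports R12, J5 and R14; an unchanged board yields no findings, and a part present in the schematic but absent from the layout is reported as missing so that a corrupted BOM cannot hide a removal either.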