Inside the Lab Where Intel Tries to Hack Its Own Chips
Credit to Author: Lily Hay Newman| Date: Wed, 23 Feb 2022 12:00:00 +0000
To revist this article, visit My Profile, then View saved stories.
To revist this article, visit My Profile, then View saved stories.
"Evil maid" attacks are a classic cybersecurity problem. Leave a computer unattended in a hotel and an attacker dressed as an employee could enter your room, plant malware on your laptop, and slip out without leaving a trace. Allowing physical access to a device is often game over. But if you're building processors that end up in millions of devices around the world, you can't afford to give up so easily.
That's why five years ago Intel launched a dedicated hardware hacking group known as Intel Security Threat Analysis and Reverse Engineering. About 20 iSTARE researchers now work in specially equipped labs in the northern Israeli city of Haifa and in the US. There, they analyze and attack Intel's future generations of chips, looking for soft spots that can be hardened long before they reach your PC or MRI machine.
“People don’t always quite understand all the security implications and may feel like physical attacks aren’t as relevant,” says Steve Brown, a principal engineer in Intel's product assurance and security department. “But this is a proactive approach. The earlier you can intercept all of this in the life cycle the better.”
When hackers exploit vulnerabilities to steal data or plant malware, they usually take advantage of software flaws, mistakes, or logical inconsistencies in how code is written. In contrast, hardware hackers rely on physical actions; iSTARE researchers crack open computer cases, physically solder new circuits on a motherboard, deliver strategic electromagnetic pulses to alter behavior as electrons flow through a processor, and measure whether physical traits like heat emissions or vibrations incidentally leak information about what a device is doing.
“It’s about the fun of breaking things.”
Uri Bear, iStare
Think about the security line at the airport. If you don't have ID, you could work within the system and try to sweet-talk the TSA agent checking credentials, hoping to manipulate them into letting you through. But you might instead take a physical approach, finding an overlooked side entrance that lets you bypass the ID check entirely. When it comes to early schematics and prototypes of new Intel chips, iSTARE is trying to proactively block any routes that circumnavigators could attempt to use.
“We basically emulate the hacker, figuring out what would they want to get out of an attack,” says Uri Bear, iSTARE's group manager and a senior security analyst for Intel's product assurance and security department. “We’re not tasked with just finding security vulnerabilities, we’re also tasked with developing the next generation of attacks and defenses and making sure we are ready for the next thing that will come. We fix things ahead of time, before they’re in the market.”
The mind-bending thing about hardware hacking is that software can also play a role. For example, physics-based “Rowhammer” attacks famously use little software programs running over and over again to cause a leak of electricity in a computer's memory. That strategic glitch physically alters data in such a way that hackers can gain more access to the system. It’s an example of the type of paradigm shift that iSTARE researchers are trying to presage.
“It’s about the fun of breaking things,” Bear says, “finding ways to use hardware that was either blocked or that it was not designed for and trying to come up with new usages. If there were no hackers, everything would be stale and just good enough. Hackers challenge the current technology and force designers to make things better.”
Working in cramped labs stuffed with specialized equipment, iSTARE vets schematics and other early design materials. But ultimately the group is at its most effective when it reverse engineers, or works backward from, the finished product. The goal is to probe the chip for weaknesses under the same conditions an attacker would—albeit with prototypes or even virtualized renderings—using tools like electron microscopes to peer inside the processor's inner workings. And while iSTARE has access to top-of-the-line analysis equipment that most digital scammers and criminal hackers wouldn't, Bear emphasizes that the cost of many advanced analysis tools has come down and that motivated attackers, particularly state-backed actors, can get their hands on whatever they need.
iSTARE operates as a consulting group within Intel. The company encourages its design, architecture, and development teams to request audits and reviews from iSTARE early in the creation process so there's actually time to make changes based on any findings. Isaura Gaeta, vice president of security research for Intel’s product assurance and security engineering department, notes that in fact iSTARE often has more requests than it can handle. So part of Gaeta and Brown's work is to communicate generalizable findings and best practices as they emerge to the different divisions and development groups within Intel.
Beyond Rowhammer, chipmakers across the industry have faced other recent setbacks in the security of core conceptual designs. Beginning in 2016, for example, Intel and other manufacturers began grappling with unforeseen security weaknesses of “speculative execution.” It’s a speed and efficiency strategy in which processors would essentially make educated guesses about what users might ask them to do next and then work ahead so the task would already be in progress or complete if needed. Research exploded into attacks that could grab troves of data from this process, even in the most secure chips, and companies like Intel struggled to release adequate fixes on the fly. Ultimately, chips needed to be fundamentally rearchitected to address the risk.
Around the same time that researchers would have disclosed their initial speculative execution attack findings to Intel, the company formed iSTARE as a reorganization of other existing hardware security assessment groups within the company. In general, chipmakers across the industry have had to substantially overhaul their auditing processes, vulnerability disclosure programs, and funding of both internal and external security research in response to the Spectre and Meltdown speculative execution revelations.
“A few years back, maybe a decade back, the vendors were much more reluctant to see that hardware, just like software, will contain bugs and try to make sure that these bugs are not in the product that the customers then use,” says Daniel Gruss, a researcher at Graz University of Technology in Austria.
Gruss was on one of the original academic teams that discovered Spectre and Meltdown. He says in recent years Intel has funded some of the PhD students in his lab, TU Graz's Secure Systems Group, though none of his students is currently funded by Intel.
“Finding vulnerabilities is a creative job, to some extent. You have to think about the hardware and software in ways others haven’t,” Gruss says. “I think it was a necessary step for vendors to create these teams or increase the sizes and budgets of them. But they won’t replace the massive scale of creativity you can find in academia, which is just so many more brains than you can hire in one red team.”
The iSTARE team says they feel acutely the responsibility of working on projects that will end up as ubiquitous Intel chips. And they must also live with the reality that some flaws and vulnerabilities will always slip by.
“It can be frustrating,” Brown says. “From a researcher’s point of view, you want to do the best you can, but there are times when maybe it wasn’t enough or the assumptions changed along the way that then create a different vulnerability or weakness in a product that wasn’t necessarily considered. But as those things are revealed, we learn more to make the next product better. So we try to take it in a positive form, though it may be sometimes in a negative light.”
Independent hardware hacker Ang Cui, founder of the embedded device security firm Red Balloon, says that groups like iSTARE are vital to large chip manufacturers, whose products power computation in every industry and government. “Groups like this have been around since man first used a paperclip to glitch a computer,” he says. But he argues that manufacturers have economic incentives that generally don’t align with maximum security, a challenging dynamic for a group like iSTARE to transcend.
“Chip vendors have to add extra features and bells and whistles so they can sell new, shiny things to the market, and that translates to billions more transistors on a chip,” Cui says. “So you're adding known and unknown vulnerabilities to this very complicated piece of hardware, and adding more and more things for these teams to defend against.”
When it comes to sharing the findings of its forward-looking research, Brown says iSTARE doesn't pull punches.
“It could be fairly adversarial—you’re finding issues and somebody else is the product owner, that can be kind of a contentious relationship,” Brown says. “But we try to approach it as if we’re part of those teams and that we have as much at stake as they do versus just pointing out deficiencies in their products.”
Security and privacy auditors can often seem like unwelcome Cassandras in large organizations, always nitpicking and finding problems that create more work for everyone. Bear agrees that part of iSTARE's job is to be aware of this dynamic and deliver findings tactfully.
“I think the solution is not to find a problem and throw it at somebody," he says. “It’s working on the solution together. That’s a huge part of the acceptance of issues that need solving.”
Gaeta emphasizes that by catching security issues while there's still time to fix them, iSTARE saves Intel and its customers money and the reputational damage that comes from major systemic security vulnerabilities. This is ultimately where the interests align between a tech behemoth like Intel and the creative, endlessly curious, pain-in-the-ass hackers needed for a team like iSTARE.
“Every few months we change completely in our heads the item that we are working on,” Bear explains. “It’s a new technology, it’s a new processor type, a new command set, a new manufacturing technology, and there are lots of tedious details. So we’ve got to keep it fun because really security researchers do this for fun. I’m paid to break other people’s toys, that's how I explain it.”