1. Technical Field
The subject matter relates, in general, to a system and method for detecting a modification of electrically powered devices, and/or a modification of the results generated by such devices, caused by malicious software, malware, unauthorized software or software updates, hardware, viruses, Trojan horses, rootkits, spyware, adware, scareware, worms, zombie computers, privacy-invasive software, backdoors, Rowhammer exploits, or firmware. The subject matter recognizes abnormal or unexpected changes, patterns or characteristics in the intended or unintended electromagnetic emissions given off by the electrically powered devices as a result of such a modification.
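The following is an added illustration of the emission-comparison idea stated above, not code from the application or from the Inventors' apparatus. It constructs synthetic emission captures (a few fixed "clock harmonic" tones at assumed bins plus Gaussian receiver noise), builds a per-bin power envelope from several known-good captures, and then flags a later capture whose spectrum contains a tone the known-good device never produced or lacks one it always did. The sample count, tone bins, amplitudes, noise level and the margin and noise-floor thresholds are all assumptions chosen for the example.

```python
import cmath
import math
import random

N = 128                                          # samples per capture (constructed)
CLOCK_TONES = [(8, 1.0), (16, 0.6), (24, 0.3)]   # (bin, amplitude): assumed clock harmonics
NOISE_AMP = 0.05                                 # assumed receiver noise (std. deviation)
NOISE_FLOOR = 0.05                               # per-bin power at or below which a bin is noise


def power_spectrum(samples):
    """One-sided power spectrum (bins 0..N/2) by a naive DFT; fine for N=128."""
    n = len(samples)
    spec = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(samples))
        spec.append(abs(acc) ** 2 / n)
    return spec


def synth_capture(tones, rng, noise_amp=NOISE_AMP):
    """Constructed emission trace: sum of clock harmonics plus Gaussian noise."""
    return [sum(a * math.cos(2 * math.pi * b * t / N) for b, a in tones)
            + rng.gauss(0.0, noise_amp) for t in range(N)]


def build_baseline(captures):
    """Per-bin min/max envelope of power over several known-good captures."""
    spectra = [power_spectrum(c) for c in captures]
    nbins = len(spectra[0])
    lo = [min(s[k] for s in spectra) for k in range(nbins)]
    hi = [max(s[k] for s in spectra) for k in range(nbins)]
    return lo, hi


def score_capture(baseline, capture, margin=3.0, floor=NOISE_FLOOR):
    """Compare one capture against the baseline envelope.

    'new'     : bins whose power exceeds margin * baseline max plus the noise floor,
                i.e. an emission the known-good device never produced (added activity).
    'missing' : bins that were reliably above the noise floor in every baseline
                capture but have now dropped below baseline min / margin (activity
                that stopped, e.g. a disabled function).
    """
    lo, hi = baseline
    spec = power_spectrum(capture)
    new = [k for k, p in enumerate(spec) if p > margin * hi[k] + floor]
    missing = [k for k, p in enumerate(spec) if lo[k] > floor and p < lo[k] / margin]
    return {"new": new, "missing": missing}


def demo():
    """Run the comparison on constructed data; returns (clean, extra tone, stalled)."""
    rng = random.Random(7)  # fixed seed so the constructed captures are reproducible
    baseline = build_baseline([synth_capture(CLOCK_TONES, rng) for _ in range(8)])
    clean = synth_capture(CLOCK_TONES, rng)                  # same device, later capture
    extra = synth_capture(CLOCK_TONES + [(45, 0.5)], rng)    # hypothetical added activity at bin 45
    stalled = synth_capture(CLOCK_TONES[:2], rng)            # harmonic at bin 24 has disappeared
    return (score_capture(baseline, clean),
            score_capture(baseline, extra),
            score_capture(baseline, stalled))


if __name__ == "__main__":
    for label, result in zip(("clean", "extra tone", "missing harmonic"), demo()):
        print(f"{label:18s} -> {result}")
```

The envelope is deliberately built from several captures rather than one, because receiver noise makes single-capture bins vary; the absolute noise floor keeps a bin that was silent in the baseline from being flagged on ordinary noise fluctuation. On real hardware the tone positions would come from the device's own clocks and the thresholds from measured noise, not from the constants above.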
2. Description of Related Art
Conventionally employed solutions to the problem of unwanted, dangerous, intrusive or malicious software, firmware or hardware changes typically use methods that intrusively examine digital data or digital operations within a device, subsystem or system. This typically consumes system time and system resources. Alternative methods typically use a system's own existing hardware and/or software resources to examine digital data entering the system for known malicious patterns, which again requires additional processing time and resources. Neither approach addresses changes already placed in firmware or hardware circuitry. Further, both approaches are intrusive, modifying system operation to accomplish their goal, and neither can be performed undetected or at a distance from the questionable device. Moreover, to the best understanding of the Inventors, the conventional solutions employed to address the above issues are associated with many disadvantages. For example, the conventional solutions cannot reliably detect deliberately concealed, temporarily inactive malicious hardware or firmware modifications lurking in an infected system and waiting to be automatically invoked when triggered by a condition, signal combination or status change. The conventional solutions cannot be implemented in a separate, portable, unobtrusive, non-contact handheld device that requires no attachment for inspection of suspected equipment. The conventional solutions cannot function without modification of, or addition to, the aggregate digital signaling to or within the system under test, or its digital processing or logical operations. The conventional solutions cannot acquire a baseline of operations, baseline characteristics, or baseline behavior without a period of intrusive changes to the known-good system, such as data acquisition and execution periods, and cannot do so at a distance.
The conventional solutions cannot geolocate or locate an electronic device that is the source of emissions indicating the presence or absence of such undesired modifications in software or firmware. The conventional solutions cannot, from a distance and by active Radio Frequency (RF) illumination, invoke state changes that selectively activate, modify or inhibit malware activity or the results of that activity. Nor can they determine from a distance whether active RF illumination has succeeded in producing the desired malware-mitigating state change.
Conventional test methodologies, to the best knowledge of the Inventors, are incapable of unobtrusively detecting malware in hardware components or software subsystems. Unit tests run on individual components, or regression tests, are only capable of assessing the presence or absence of functionality, for example as described in specifications. Malware is easily hidden and is not described by those specifications; its detection is therefore difficult or virtually impossible with current methods and out of reach of currently employed assessment methods. Many malware instantiations are triggered by very explicit patterns and/or event sequences that are nearly impossible to detect from analysis of the provided code or from the operating parameters observed in functional bitstream tests. Further complicating matters, third-party software vendors often withhold critical information due to intellectual property concerns, making independent verification impossible using standard test methods. Sophisticated attacks such as control of assets, denial of service, altered or disabled functionality, and information leakage can now be accomplished by malicious actors with smaller skill sets because of advances in automated tools. As the sophistication of cyber-security threats continues to evolve, the need for advanced malware detection tools becomes ever more apparent.
System on a Chip (SoC) devices produced by major manufacturers such as Intel, Qualcomm, Nvidia, Texas Instruments, Samsung, and others are vulnerable to hardware Trojans because they integrate multiple IP core components from third-party vendors. Malicious circuitry in the form of a hardware Trojan in any IP core can compromise the operability and security of the entire system, removing or altering core functionality or leaking sensitive information. A DARPA study assessing the level of trust associated with each stage of the modern Integrated Circuit (IC) life cycle identified multiple untrusted steps at which Trojans could be easily inserted into the IC. The vulnerability associated with this process poses an immense threat.
There exists a compelling need to screen, detect, and disqualify third-party software, firmware and IP cores containing software or hardware Trojans, to protect the integrity of critical systems that rely on complex ICs. These include FPGAs, CPLDs, microprocessors, microcontrollers, Digital Signal Processing (DSP) chips, PowerPC processors, and SoC architectures.
Conventional test methodologies are incapable of detecting malicious circuitry in VLSI/FPGA components. Unit tests run on individual components, or regression tests performed on chip designs, are only capable of assessing the functionality described in part specifications. Trojans or other malicious circuitry are generally not included in these specifications, and are therefore out of the reach of currently employed assessment methods. Many Trojans are triggered by very explicit patterns or event sequences that are nearly impossible to detect from analysis of the provided netlist. Further complicating matters, third-party vendors often withhold critical information due to intellectual property concerns, making independent verification impossible using standard test methods.
Therefore, there is a need to mitigate or overcome the limitations of conventional methods and/or techniques: the intrusiveness of the tests, the need to modify device operation in order to acquire a baseline or test for malware, and the inability to test for firmware or hardware changes.
Further, there is also a need for a separate, isolated, portable, unobtrusive, non-contact and/or attachment-free, and even handheld, apparatus or device for inspection of suspected equipment or electrically powered devices.
Modern industries from telecommunications to medical equipment are integrally reliant on embedded Integrated Circuits (ICs) and System-on-a-Chip (SoC) architectures to drive primary system functionality. Malicious software and circuitry in a modern device can subvert its functionality, enabling theft of Intellectual Property (IP) and critical financial information and providing a backdoor into closed systems. Of additional concern is the use of third-party IP cores in Very Large Scale Integration (VLSI) devices and in programmable logic devices such as Field Programmable Gate Arrays (FPGAs), and the use of third-party software. For programmable logic, instantiation of tainted or malicious code results in the creation of malicious circuitry that can compromise entire systems. Complex ICs are currently integrated into the smart grid, into equipment used in routine surgeries, and into the data servers that power the information economy. Firmware and software used to control these critical assets can be used to exert control over them, extract information from them, disable functionality under specific conditions, or cause malfunction.
Users of modern electronic devices face a wide variety of threats. For example, innocent-looking websites can surreptitiously hide malicious software (malware) such as computer viruses, worms, Trojan horse programs, spyware, adware, and crimeware in files downloaded from the websites. The malware can capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, malware can provide hidden interfaces that allow the attacker to access and control the compromised device, or that cause the compromised device to malfunction.
Malicious circuitry can compromise security by providing a backdoor into crucial assets, whether through the operation of that circuitry itself or of separate malicious circuitry or signaling, enabling subversive and criminal actions such as IP or identity theft, denial of service, or terrorist activity. The same can be said for software that uses this circuitry, and in some cases malicious firmware and software can be used cooperatively to inflict the most damage or exert maximum influence over a system. For example, subversion of the smart grid in California during the summer months could cause many deaths and immense economic loss. Gate-level modifications performed by state actors, criminal elements, or terrorist groups can alter the functionality of the ICs that serve as the brains of communication security, financial systems, smart-grid technology, and the like. Currently employed test methodologies are incapable of routinely screening complex Integrated Circuits (ICs) to detect and disqualify backdoor or malicious circuitry, also referred to as hardware Trojans. The threat posed by hardware Trojans has been recognized across the domestic technology industry, including alarming reports concerning ‘undetectable’ malicious modifications to Intel microprocessors, Dell servers, and Google platforms.
Google's Kurt Rosenfeld has stated publicly that “Vulnerabilities in the current integrated circuit development process have raised serious concerns about possible threats from hardware Trojans to military, financial, transportation, and other critical systems”. The potential insertion of hardware Trojans into modern SOC/VLSI/FPGA devices through third-party IP cores is a growing concern throughout the domestic technology industry, posing a threat to telecommunications, medical equipment, financial systems, computer networks, and mobile devices. Hardware Trojans pose an insidious threat, jeopardizing intellectual property, proper system functionality, and the ingenuity of the nation. For the foreseeable future there will be a compelling need to have a robust capability to detect hardware Trojans and other kinds of malicious circuitry modifications in modern ICs. Multiple markets have this need, including device manufacturers, electronics integrators, and certified test laboratories.
Current approaches may use security software to search the binary representation, in computer memory, of wanted or necessary software, firmware or hardware for digital patterns associated with potentially unwanted software, malware or programs. This is done by programmatically scanning static memory contents on fixed media, RAM or ROM for unexpected or known undesired patterns, that is, by a file, RAM, ROM or memory scan. Alternatively, current approaches may examine incoming digital transmissions of software or raw digital data for specific patterns that are known to be unwanted, or for deviation from the expected pattern or from the intermediate checksum results of the wanted software.
Third-party IP core vendors typically supply at most a pre-synthesized netlist representation of the IP core design, together with a VHSIC (Very High Speed Integrated Circuit) Hardware Description Language (VHDL) entity or Verilog module wrapper provided solely for design instantiation. Because the VHDL or Verilog source code is not usually available, there is a risk of unknown, malicious circuitry being introduced into the overall design. Even where the VHDL or Verilog source code for the IP is procured in addition to the netlist, these files are often developed using coding techniques and standards unfamiliar to the recipient, rendering source code analysis extremely difficult. The risk of malicious circuitry being introduced is significantly increased when one considers the global nature of technological development, as it is entirely possible for a third-party supplier to sell, through a US-based subsidiary, an IP core that was designed by engineers based in India, China, Korea, or numerous other countries.
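As an added example of the two conventional approaches described above (this is not code from the application and the signature patterns are hypothetical, not real malware signatures), the block below scans a constructed memory image for known byte patterns, taking care that a pattern straddling a scan-chunk boundary is still found exactly once, and then verifies an incoming block stream against the expected intermediate checksums of a trusted image, reporting the first block that deviates. The image contents, chunk and block sizes, and the marker strings are all constructed for the example.

```python
import hashlib

CHUNK = 4096        # scan window size (assumed)
BLOCK = 512         # transfer block size for the checksum comparison (assumed)

# Constructed signature set: hypothetical byte patterns, not real malware signatures.
SIGNATURES = {
    "hyp-backdoor-marker": b"\xde\xad\xbe\xef_open_sesame",
    "hyp-rootkit-hook":    b"SYSENTER_HOOK\x00",
}


def scan_buffer(data, signatures=SIGNATURES, chunk=CHUNK):
    """Scan an image (file, RAM or ROM dump) chunk by chunk for known patterns.

    Each window is extended by len(longest pattern) - 1 bytes so that a pattern
    straddling a chunk boundary is found; hits that start inside that overlap are
    skipped because the next window reports them, so each hit is reported once.
    Returns a list of (signature name, absolute offset) sorted by offset.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = []
    pos = 0
    while pos < len(data):
        window = data[pos:pos + chunk + overlap]
        for name, pat in signatures.items():
            start = 0
            while True:
                i = window.find(pat, start)
                if i < 0 or i >= chunk:          # not found, or belongs to next window
                    break
                hits.append((name, pos + i))
                start = i + 1
        pos += chunk
    return sorted(hits, key=lambda h: h[1])


def expected_block_digests(trusted_image, block=BLOCK):
    """Intermediate checksums (per-block SHA-256) of the wanted software/data."""
    return [hashlib.sha256(trusted_image[i:i + block]).hexdigest()
            for i in range(0, len(trusted_image), block)]


def verify_stream(blocks, expected):
    """Compare incoming blocks against expected digests as they arrive.

    Returns the index of the first block that deviates, len(blocks) if the stream
    is short or long relative to what was expected, or -1 if everything matches.
    """
    for idx, blk in enumerate(blocks):
        if idx >= len(expected) or hashlib.sha256(blk).hexdigest() != expected[idx]:
            return idx
    return -1 if len(blocks) == len(expected) else len(blocks)


def make_clean_image():
    """Constructed 10240-byte 'firmware image' with no signature present."""
    return bytes(range(256)) * 40


def make_tampered_image(offset=4090):
    """Same image with the hypothetical backdoor marker written at `offset`
    (the default straddles the first 4096-byte scan window)."""
    clean = make_clean_image()
    marker = SIGNATURES["hyp-backdoor-marker"]
    return clean[:offset] + marker + clean[offset + len(marker):]


if __name__ == "__main__":
    clean, tampered = make_clean_image(), make_tampered_image()
    print("clean image hits   :", scan_buffer(clean))
    print("tampered image hits:", scan_buffer(tampered))
    expected = expected_block_digests(clean)
    blocks = [tampered[i:i + BLOCK] for i in range(0, len(tampered), BLOCK)]
    print("first deviating block:", verify_stream(blocks, expected))
```

Both checks illustrate the limitation the application points out: they examine the digital contents or the incoming data of the system itself, consume its resources, and find only patterns or checksums already known, so a modification that lives in hardware or that has no known signature is invisible to them.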