Conventional computer security mechanisms focus on software security and implicitly assume that the microprocessor is trustworthy. However, microprocessors are vulnerable to insider attacks in which malicious logic is embedded in the microprocessor hardware. Such attacks may embedded in the microprocessor in the design or fabrication phases of the microprocessor production process.
For example, a hardware designer/attacker could easily introduce a “backdoor” into a microprocessor being fabricated by changing only a few lines of the code used to layout the logic elements. The attacker could modify, for example, an on-chip memory system to send data items it receives to a shadow address in addition to the original address. The embedding of backdoors in a microprocessor can be used to attack confidentiality, e.g., by outputting sensitive information, integrity, e.g., by disabling security checks such as memory protection, and availability, e.g., by shutting down the component based on a timer or external signal.
Because hardware components, including backdoors, are architecturally positioned at the lowest layer of a computational device, it is very difficult to detect attacks launched or assisted by those components. Indeed, it is difficult or impossible to do so at a higher layer, e.g., at the operating system or application level, and there is typically little functionality available in current processors and motherboards to detect such misbehavior. The state of practice is to ensure that hardware comes from a trusted source and is maintained by trusted personnel—a virtual impossibility given the current design and manufacturing realities. In fact, the inability to catch accidental bugs with traditional design and verification procedures, even in high-volume processors, makes it unlikely that hidden backdoors will be caught using the same procedures, as this is an even more challenging task.
Conventional approaches have focused on detecting hardware attacks during the production phase by malicious foundries. Such approaches assume the existence of a “golden netlist” produced during a trustworthy design phase. However, such approaches would not detect attacks embedded during the high-level design phase, as these attacks would be included in the golden netlist.
Other conventional approaches have attempted to build trustworthy systems from untrustworthy components. One such approach involves redundantly performing computations on several untrustworthy components and using “voting” to detect faulty behavior. For example, a number of cores designed by different designers can be used to run the same instructions and the most popular output can be accepted. However, this approach can lead to a significant increase in the size of the design team and can increase the complexity of verifying the design. This approach can also lead to a microprocessor having decreased performance and increased power consumption.