Intel introduced at Black Hat USA, a Tunable Replica Circuit to help protect against certain types of physical fault injection attacks without requiring any interaction with the computer owner.
The security community is so focused on attacks relying on software that it often forgets that physical attacks are possible. Physical attacks are also often seen as an attacker having the capability to physically access the targeted computer and then use some hardware to compromise the computer. Such hardware can be a Bash Bunny or a Rubber Ducky, for example. Yet it is still software that compromises the computer.
There is yet another possibility, less known but still existing: messing with the computer chip pins supplying clock and voltage. This is where the Tunable Replica Circuit (TRC) comes in, which Intel introduced in parts of its hardware at BlackHat USA 2022.
What is a TRC?
TRC uses hardware-based sensors to explicitly detect circuit-based timing failures that occur as the result of an attack, the attack being a non-invasive physical glitch on the pins supplying clock and voltage. Intel’s TRC also has the capability to detect electromagnetic fault injections (EMFI).
Fault injection attacks allow an attacker to cause a NOP (No Operation) instruction to be latched instead of a JMP (Jump) condition, altering the execution flow. It might also help to replace real keys in fixed-function crypto engines.
Intel indicated that the TRC is delivered in the 12th Gen Intel Core processor family, adding fault injection detection technology to the Intel Converged Security and Management Engine (Intel CSME)(Figure A).
It is enabled by default in CSME and does not need any interaction with the computer owner.
SEE: Mobile device security policy (TechRepublic Premium)
Intel CSME is an embedded subsystem in the Platform Controller Hub (PCH) designed to serve as the platforms silicon initialization, to provide remote-management capability that is independent of the operating system, and to provide additional security like Intel Boot Guard or integrated TPM (Trusted-Platform Module) which enables secure boot, disk encryption, secure storage, virtual smart card.
In the released paper from Intel’s Sr. Principal Engineer Daniel Nemiroff and Principal Engineer Carlos Tokunaga, they warn that “with the hardening of software vulnerabilities through the use of virtualization, stack canaries, authenticating code before execution, etc., attackers have turned their attention to physically attacking computing platforms. A favorite tool of these attackers is fault injection attacks via glitching voltage, clock pins, to cause circuits to fail timing, resulting in the execution of malicious instructions, exfiltration of secrets, etc.”
How does a TRC work?
The way the TRC works is that it monitors the delay of specific types of digital circuits. It is calibrated to signal an error at a voltage level beyond the nominal operating range of the CSME. Any error condition originating from the TRC indicates a possible data corruption and triggers mitigation techniques to ensure data integrity. To avoid false positives, Intel also developed a feedback-based calibration flow.
Security scenarios have been tested and proved that the TRC could be calibrated to a point where timing violations could only be the result of an attack. Those tests have been done by Intel Labs, iSTARE (Intel Security Threat Analysis and Reverse Engineering) team, a team specialized in attempting to hack Intel’s chips. The company also mentions external testing. To further gain confidence in the TRC and gain additional insight into fault injection testing, Intel contracted with Riscure for clock, voltage and EMFI testing. The company was unable to successfully execute a fault injection attack, concluding that “in all cases the successful glitches were detected by the implemented countermeasures.”
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Fault injections in the real world
One might wonder what are the odds that an attacker really attempts doing fault injections in the real world. The answer to that question is difficult since there is no real literature on the topic, yet researchers have indicated that those attacks are possible and often using injection devices that are below the thousand dollar mark.
The biggest interest in really doing fault injection, from an attacker’s point of view, would be to bypass secure boot. Embedded systems are also more prone to this kind of attacks than usual desktop or laptop computers.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.