Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Hardware trojans, RNGs, and Syphermedia

Matt Mackall mpm at
Fri Sep 13 11:24:39 PDT 2013

This paper outlines simple changes that can be made to insert
vulnerabilities into silicon that are invisible to current
reverse-engineering techniques:

It uses Intel's random number generator as an example, detailing
precisely how it can be weakened such that it has predictable output yet
still appear perfectly random. This hack can be done by unobtrusive
changes to the production masks in the chip fabs.

One interesting note in the paper is that Intel has intentionally not
included the normal JTAG-style debugging interfaces on the RNG that
would allow you to spot this sort of tricker, ostensibly for security.
The trade-off here is "attackers can't discreetly snoop on your RNG
internals by physically connecting to pins on your CPU (though they can
still snoop on everything else on your system including the RNG
_output_)" vs "no one can validate the RNG behavior". This choice seems
a little suspect.

Secondly, the company Syphermedia does this sort of silicon-level
trickery as a business:‎

Their primary customers appear to be companies making set-top boxes, but
it would be interesting to investigate if they have any links to the

Mathematics is the supreme nostalgia of our time.

More information about the liberationtech mailing list