Researcher is detecting Trojan horses embedded as hardware, firmware

Martin Swany's work with thermal imaging, electromagnetic probes could defend nation against cyberwarfare

Martin Swany is a professor and chair of the Department of Intelligent Systems Engineering at Indiana University Bloomington. He, David Crandall and Sara Skrabalak are among the IU researchers whose work is being advanced through the Indiana Innovation Institute, or IN3.

IN3, a statewide applied research institute, is composed of top leaders from academia, government and industry. It seeks to solve real-world problems that impact industry and the U.S. Department of Defense in a faster, more efficient and cost-effective way. Currently, it is engaged in projects focused on trusted microelectronics, hypersonics, electro-optics and target machine learning.

Swany was kind enough to answer questions about his work with thermal imaging and electromagnetic probes and the benefits of connecting with IN3.

Q: Tell us about your work to detect malicious Trojans in hardware.

MS: My group and I are looking for hardware Trojans that could affect the performance or behavior of microprocessors and microcontrollers. Current efforts have involved thermal imaging, electromagnetic probes and other external monitoring. We monitor the behavior of the devices through a variety of techniques, including treating them as black boxes.

We are also monitoring untrusted modules in field-programmable gate arrays, or FPGAs. These circuits can be programmed in the field after they have been manufactured. We're beginning to monitor embedded firmware as well.

Q: What are the strengths and drawbacks of traditional monitoring methods?

MS: Traditional methods would be to set up a firewall to stop bad things from getting in. The threat here is that hardware devices are being inserted that go behind the firewall. It's the Trojan horse -- if you can get past the gate and get inside, the threat is significant.

There's growing attention to hardware monitoring, but it hasn't been extensively applied. We used to trust that a chip would do what it was designed to do. It wasn't something you would have thought about years ago. The U.S. has very little to no manufacturing capability for hardware; it's all outsourced. Now that devices themselves are compromised at a much deeper level, it's extremely challenging.

Security is a spy-versus-spy game. You find something the bad guys are doing, and you find a way to detect it. Then they find a way to obfuscate what they're doing in a different way so you can't detect it, so you need to find a new way to detect it. Each vulnerability or tool gets exposed to something that gets fixed, and then you have to look for the next vulnerability. It's partially about the techniques, but it's also partially about training the workforce.

Q: How broad of an impact might malicious firmware and hardware have?

MS: The threat posed by malicious firmware and hardware is very real. An October 2018 report in Bloomberg claims a tiny chip hacked servers across industry and defense. The report has been denied several times, but regardless of whether the news was accurate, it highlighted the supply-chain threat that U.S. government and industry face.

The impact could be sweeping. For instance, if attackers breach Amazon, they can know users' purchasing history and credit card information. If they get into iCloud, they will have people's email and personal data. If a malicious nation-state has taken over control of servers communicating with the jets and running our drones, it leads to very bad things. It's also true for the embedded system space, such as work conducted at Naval Surface Warfare Center, Crane Division, a base in Southern Indiana that supports the Navy. If submarines can be sunk with a remote-control kill button, they're not very effective weapons.

Q: How does your work improve upon traditional methods?

MS: I traditionally understood networking, and I understand network security, which is the ability to block things at the edge and monitor the traffic that's going on. Inside a chip, the modules are connected by another little network. There's a network inside the motherboard for controlling and managing it. So, we're building on network monitoring to monitor the networks inside a system and inside a chip in a device.

We're also broadening techniques to include image analysis that ties into what David Crandall is doing. And we are growing the Department of Intelligent Systems Engineering's experience and expertise in FPGAs. These are growing in the market and entering the mainstream. The military uses them, and Microsoft's Bing search engine uses 10,000 of them to optimize search performance. As we grow our expertise, we're leveraging it to monitor FPGA-based devices for malicious activity.

Q: How have your connections with IN3 benefited you and your work?

MS: IN3 has facilitated our ability to work with Crane, which is an obvious collaboration since the university is in Crane's backyard. We are using this connection to bootstrap our ability to address other Department of Defense and intelligence funding. Working with IN3 has also fostered our ability to collaborate with Purdue, Notre Dame and other statewide institutions.

Q: What might be the end result when your work is widely adopted? How will society -- commercial, industrial, military, private individuals -- benefit?

MS: If it is adopted, we will provide higher levels of security, and personal data will not be free-floating. There would also be more-secure military operations. Cyberwarfare is a reality of the modern world. We have to defend ourselves against malicious actors, be they individuals or nation-states. Part of what we're doing is developing techniques that can be used to defend ourselves. We're also developing a growing workforce that is able to be engaged in cybersecurity.

IN3 encourages Indiana University innovators and researchers who have ideas, research or projects that fit the focus areas of electro-optics, hypersonics, trusted microelectronics and target machine learning to make contact via