Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.
“In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP,” US-CERT said in its alert, citing researchers that found the flaw. “Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts.”
The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).
In all, seven CVE IDs are assigned to the flaw and document the weakness in the P1735 standard. Those CVE’s are below and include CERT’s descriptions:
- CVE-2017-13091: improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle.
- CVE-2017-13092: improperly specified HDL syntax allows use of an EDA tool as a decryption oracle
- CVE-2017-13093: modification of encrypted IP cyphertext to insert hardware trojans.
- CVE-2017-13094: modification of the encryption key and insertion of hardware trojans in any IP.
- CVE-2017-13095: modification of a license-deny response to a license grant.
- CVE-2017-13096: modification of Rights Block to get rid of or relax access control.
- CVE-2017-13097: modification of Rights Block to get rid of or relax license requirement.
The CVE have a Common Vulnerability Scoring System rating of 5.7 to 6.3.
CERT warns the bugs extend to electronic design automation tools used to “synthesize multiple pieces of IP into a fully specified chip design and to provide HDL (hardware description language) syntax errors.” Those tools, which have adopted the P1735 standard, are called electronic design automation (EDA) tools and provide a field-programmable gate array (FPGA) and debug environment.
The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers. CERT warns other EDA “vendors who may be affected by the vulnerability” include Cadence Design Systems, Mentor Graphics, Xilinx and Zuken.
In addition to being able to recover entire plaintext IP, the bugs allow an “adversary (to) recover electronic design IPs encrypted using the P1735 workflow, resulting in IP theft and/or analysis of security critical features, as well as the ability to insert hardware trojans into an encrypted IP without the knowledge of the IP owner,” CERT wrote.
According to the University of Florida report, simple fixes that have come before have been inadequate. “Unfortunately, we show that obvious ‘quick fixes’ to the standard (and the tools that support it) do not stop all of our attacks. This suggests that the standard requires a significant overhaul, and that IP-authors using P1735 encryption should consider themselves at risk.”
The full impact of the vulnerability, according to the CERT warning, is that an attacker can not only recover electronic design IPs, but also a “loss of profit and reputation of the IP owners as well as integrated circuits with Trojans that contain backdoors, perform poorly, or even fail completely.”
Mitigation is limited, as CERT recommends users apply vendor updates to their EDA software, as it becomes available. “Developers of EDA software can apply suggested fixes from the researcher’s paper,” CERT said.