
NAND Flash Can Verify a Device's Identity

timothy posted more than 3 years ago | from the by-your-errors-shall-we-know-ye dept.

Security 34

itwbennett writes "Researchers at UC San Diego and Cornell University have developed software that they say can detect variations in flash behavior that are unique to each chip. The system uses 'physically unclonable functions' (PUFs), or variations in manufacturing that are unique to each element of each flash chip. Swanson described one PUF that his team has worked with, called Program Disturb. It uses a type of manufacturing flaw that doesn't affect normal operation but causes problems under test conditions." Related: from last October, another description of such error-based identity assignment.


BUT CAN IT ID MY ASS ?? (-1)

Anonymous Coward | more than 3 years ago | (#37080042)

What ?? No ??!!

Re:BUT CAN IT ID MY ASS ?? (-1)

Anonymous Coward | more than 3 years ago | (#37080192)

Depends on how full of shit you are.

Re:BUT CAN IT ID MY ASS ?? (0)

Anonymous Coward | more than 3 years ago | (#37081490)

I have an ass full of shit in my pants.

Which can be defeated (0)

Anonymous Coward | more than 3 years ago | (#37080044)

...which is defeated by a mitm attack spoofing the appropriate response.

Re:Which can be defeated (2, Interesting)

Anonymous Coward | more than 3 years ago | (#37080280)

Actually that would be very difficult. The PUF has a large enough input range so that not all outputs can conceivably be retrieved. After manufacture, the device will be tested with just a few of these inputs (chosen randomly for each device) which are held securely in a database along with its serial number. To test the device, a subset of those inputs are used again with the PUF and if the outputs match within a certain tolerance then the device is genuine, otherwise it is counterfeit.

The fact that the input space is so large and the particular function results chosen at random and kept secret, makes a man in the middle attack infeasible.
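The enrollment and tolerance check described in the comment above, as an added example that is not part of the original thread or the researchers' code. The chip is a constructed simulation (SHA-256 over a per-chip seed, plus random bit flips for read noise); the 40-bit tolerance, the serial number, and the rule that each challenge/response pair is used only once are assumptions of this sketch.

```python
import hashlib
import random
import secrets

RESPONSE_BITS = 256
TOLERANCE = 40  # assumed threshold: max differing bits still accepted

class SimulatedChip:
    """Constructed stand-in for a chip's PUF: fixed behaviour plus read noise."""
    def __init__(self, physical_seed, noise=0.03, rng_seed=0):
        self._seed = physical_seed            # models manufacturing variation
        self._noise = noise                   # chance a bit reads differently
        self._rng = random.Random(rng_seed)   # seeded so the demo is repeatable

    def respond(self, challenge):
        digest = hashlib.sha256(self._seed + challenge).digest()
        ideal = int.from_bytes(digest, "big")
        flips = 0
        for bit in range(RESPONSE_BITS):
            if self._rng.random() < self._noise:
                flips |= 1 << bit
        return ideal ^ flips

class Recorder:
    """Passive tap: forwards challenges to a real chip and logs the answers."""
    def __init__(self, chip):
        self._chip, self.seen = chip, {}

    def respond(self, challenge):
        self.seen[challenge] = self._chip.respond(challenge)
        return self.seen[challenge]

class Replayer:
    """Answers only from a log of previously observed exchanges."""
    def __init__(self, seen):
        self._seen = seen

    def respond(self, challenge):
        return self._seen.get(challenge, 0)

class Verifier:
    """Holds the secret pairs recorded after manufacture, keyed by serial."""
    def __init__(self):
        self._db = {}

    def enroll(self, serial, chip, pairs=9):
        challenges = [secrets.token_bytes(16) for _ in range(pairs)]
        self._db[serial] = [(c, chip.respond(c)) for c in challenges]

    def authenticate(self, serial, device, count=3):
        crps = self._db.get(serial, [])
        if len(crps) < count:
            return False  # unknown serial, or enrolled pairs exhausted
        # Assumption: each pair is used once, so a logged answer has no reuse.
        used, self._db[serial] = crps[:count], crps[count:]
        diffs = [bin(device.respond(c) ^ r).count("1") for c, r in used]
        return all(d <= TOLERANCE for d in diffs)

def demo():
    genuine = SimulatedChip(b"chip-A", rng_seed=1)
    verifier = Verifier()
    verifier.enroll("SN-0001", genuine)
    tap = Recorder(genuine)
    first = verifier.authenticate("SN-0001", tap)   # genuine chip, observed
    replay = verifier.authenticate("SN-0001", Replayer(tap.seen))
    fake_chip = SimulatedChip(b"chip-B", rng_seed=2)
    fake = verifier.authenticate("SN-0001", fake_chip)
    return first, replay, fake
```

`demo()` returns `(True, False, False)`: the noisy genuine chip passes within tolerance, while a replay of logged answers and a different chip both fail. The enrolled pairs are a finite, secret resource, so the database itself becomes the asset to protect.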

Re:Which can be defeated (0)

Anonymous Coward | more than 3 years ago | (#37080918)

MITM spoofing the appropriate response at precisely the appropriate time.

Kinda the whole point, you see. You have to emulate the chip. In real time.

Yeah, good luck with that.

because bleed over is oh so awesome. (0)

Anonymous Coward | more than 3 years ago | (#37080050)

right...let's program the chips thousands of times to detect bleed over voltages and reduce the life of the device by 1000 fold to get a unique fingerprint for the flash chip.
that will certainly help eliminate counterfeits. and reduce the life of the device by a factor of many thousands so consumers will have to replace the entire device more frequently. win win all around!

Re:because bleed over is oh so awesome. (-1)

Anonymous Coward | more than 3 years ago | (#37080140)

right...let's program the chips thousands of times to detect bleed over voltages and reduce the life of the device by 1000 fold to get a unique fingerprint for the flash chip. that will certainly help eliminate counterfeits. and reduce the life of the device by a factor of many thousands so consumers will have to replace the entire device more frequently. win win all around!

QFFT

Re:because bleed over is oh so awesome. (1)

Qzukk (229616) | more than 3 years ago | (#37081012)

let's program the chips thousands of times to detect bleed over voltages and reduce the life of the device by 1000 fold to get a unique fingerprint for the flash chip.
that will certainly help eliminate counterfeits. and reduce the life of the device by a factor of many thousands so consumers will have to replace the entire device more frequently. win win all around!

That reminds me of ye olde heade knocke on 1541 floppy drives while the game checks to see if the right errors are on the disk to verify that you're not playing from a copy. I'd even imagine that these people are planning to sell this as a copy-protection feature. No more CDs/DVDs: sell your software on a uniquely identified 16GB stick and check to make sure they haven't copied it to a different thumbdrive.

Re:because bleed over is oh so awesome. (1)

mr_walrus (410770) | more than 3 years ago | (#37083326)

wasn't SD supposed to have been the uniquely identifiable memory stick for copy protection?

Yet another perfect key (2)

geogob (569250) | more than 3 years ago | (#37080056)

And the lock that goes with this 'perfect' key will most likely be picked through a deficient identification and validation system.

Re:Yet another perfect key (0)

Anonymous Coward | more than 3 years ago | (#37084300)

If a defect can be exacerbated externally then their validation will fail. I wonder how many power fails, soft power surges or watts of RF, or rapid temperature changes that would take?

Properties get more unique as capacity goes up (3, Insightful)

CaptBubba (696284) | more than 3 years ago | (#37080150)

With increasing densities I doubt you have to go so far as to look at program disturb. Even just the distribution of bad cells which are present in all flash chips from the factory happens in a random enough manner to be able to ID each chip. There is no realistic way to be able to duplicate the bad cell pattern either. The only way you could ever hope to do it would be to get a flash chip with no defects (or only a few overlapping ones) and mark extra cells as defective. Feasible for a couple kilobit chip but not possible for gigabit densities.

A better ID system would be DRAM really. Write blanket 0s to a block of the memory and halt the refresh operation, then read it a second or two later and see how many have flipped to 1 and in what pattern (the 0 to 1 flip takes much longer than the 1 to 0 flip so it would be more reproducible).

Re:Properties get more unique as capacity goes up (1)

Trepidity (597) | more than 3 years ago | (#37080248)

The article's a little unclear, but I think they're trying to ID a chip design, rather than a specific individual chip. They want to be able to answer questions like: is my supplier cutting corners by putting an El Cheapo NAND chip inside a packaging labeled Expensive NAND?

So they can't rely on properties like the bad-cell distribution of one particular chip, but they're instead trying to use ideas like, this type of chip will show this kind of failure in many fewer iterations than this other kind of chip would. The trick is to pick properties where faking them is no easier than just fabbing the right chip in the first place.

Re:Properties get more unique as capacity goes up (0)

Anonymous Coward | more than 3 years ago | (#37080306)

No, the purpose of PUFs is to identify specific chips.

The scenario you are describing is already covered by standard quality control procedures, taking a sample from the batch and testing them to see if they are within the specified tolerances.

Re:Properties get more unique as capacity goes up (1)

maeka (518272) | more than 3 years ago | (#37084980)

While you are correct as to what the stated goal in TFA was, I think OP has an interesting insight.

Much as in firearm forensics where there are shell casing / bullet marks characteristic of both the product line as a whole and of the specific firearm I have little doubt PUFs would be able to identify not just a unique chip, but also what model it is.

Re:Properties get more unique as capacity goes up (1)

AdamHaun (43173) | more than 3 years ago | (#37081094)

But having several parameters to measure makes this method more reliable. Maybe they're talking about program disturb because they have a purely user-mode test. I was thinking the high-voltage outputs for program/erase or internal oscillator frequencies would be a better signature, but those require analog test pins that often aren't bonded out.

I don't buy this as an anti-counterfeiting technique, though. That would require some kind of public access to manufacturing test databases, which is a security risk in itself. Any non-user mode tests would require access to built-in test functionality, which is not something you usually want customers to have. The high security example with the stolen cell phone was more convincing.

Re:Properties get more unique as capacity goes up (0)

Anonymous Coward | more than 3 years ago | (#37081146)

Why would it be a security risk?

Re:Properties get more unique as capacity goes up (1)

AdamHaun (43173) | more than 3 years ago | (#37082716)

For the database -- if you can hack it, you can delete it and wreck the whole validation system. Or pull the data and use it to create valid signatures for close-enough counterfeit units. Competitors could use it for espionage on proprietary manufacturing processes, then spread rumors (true or not) about potential quality problems. Paranoid customers can complain about not getting the "best" chips. But the biggest problem is that it's a direct link between production hardware and the public internet. Even if you're really careful about designing a one-way read-only database copying system, there's still a risk that you could screw something up, and then someone destroys your expensive test equipment.

Re:Properties get more unique as capacity goes up (1)

networkBoy (774728) | more than 3 years ago | (#37084466)

I used to work in (NOR) flash at chip densities up to 4 gBit (shows how long it's been).
Perfect chips are gettable. Roughly the centermost third of an 8 inch wafer was flawless in my lab.
I would figure that on a 12 inch wafer (what most NAND flash is on) that if even the inner 10th is good, you would expect a fairly high yield of "perfect" chips.

Re:Properties get more unique as capacity goes up (1)

AmiMoJo (196126) | more than 3 years ago | (#37093706)

There is no realistic way to be able to duplicate the bad cell pattern either.

Sure there is. The computer doesn't read the flash memory directly, it goes through the device's firmware first. In fact it is currently not possible to map out bad blocks on flash memory or HDDs because the firmware automatically re-allocates them from a pool of spares and all the PC can see is a counter incrementing in the SMART data. Some vendors have an API to get the raw details but they are not standardised, and of course the firmware could lie anyway.

It would be a very bad idea for a company to rely on these tests for identification. A controller chip could be re-programmed to reproduce the results from the ID device. The OS and drivers could interfere too. At best the technique could be used to track devices with certain caveats, but I imagine it will also be abused by law enforcement looking for "digital fingerprints".

legal? (3, Insightful)

tchdab1 (164848) | more than 3 years ago | (#37080222)

How long before it's used as evidence in court?

Re:legal? (0)

Trax3001BBS (2368736) | more than 3 years ago | (#37080252)

We all have different priorities I guess, my first thought was of Spam.

DRM systems (1)

Myria (562655) | more than 3 years ago | (#37080952)

How long before it's used as evidence in court?

I'm more worried that this will be used for new DRM systems that are hard to crack. You could make some really nasty anti-tampering protections with this.

Re:DRM systems (1)

maeka (518272) | more than 3 years ago | (#37084940)

I'm more worried that this will be used for new DRM systems that are hard to crack. You could make some really nasty anti-tampering protections with this.

I don't see how this would be any different, as a DRM system, than a dongle. Like a dongle one doesn't try to replicate what's being checked, but rather "pinch off" and bypass the code doing the checking.

Re:DRM systems (1)

ArcCoyote (634356) | more than 3 years ago | (#37094622)

Not reliable ones. The only DRM/anti-tamper that can't be short-circuited in code is an encryption key. Put the key in a secure chip and make it really, really hard to get to the key from outside the secure hardware. And if you are willing to accept the karma of bricking devices, zeroize the key when tampering is detected.

Using physical characteristics of flash to generate a key is a bad idea. First, you can't quickly destroy the key to prevent tampering. If the key can be extracted from the hardware, it can be emulated. Second, flash cells wear out and their characteristics are going to change, meaning your key is going to change. Third, you might find supposedly random characteristics are rather deterministic by manufacturer, chip type, and production run, reducing your key space significantly.

Physically Unclonable Functions (0)

Anonymous Coward | more than 3 years ago | (#37080590)

A team at the Fraunhofer Institute for Secure Information Technology, Garching, Germany, has produced such physically unclonable functionality in chip circuitry by using a component's particular material properties to construct a digital key. The chip fingerprinting method relies on a correspondence between the digital key and a material property of the silicon circuit that is not easily copied. More details at http://www.tikalon.com/blog/blog.php?article=2011/chip_fingerprint

Black Box Theory (2)

nashv (1479253) | more than 3 years ago | (#37080876)

From TFA

The hacker might test the NAND flash itself and store the expected values on the chip, then replay the expected results when the chip was tested. In this way, they could impersonate the authentic chip. However, tests showed that there would not be enough room on any chip to store the data needed to carry this out. The amount of data needed would grow with the capacity of the chip and would be orders of magnitude larger than its capacity, he said.

That's not what a hacker is going to do. A hacker is going to measure the chip's 'response function' to the ID/validation signals. And then he is going to find another chip. Probability dictates that for a sufficiently similar manufacturing process, another chip will have the same occurrence of behaviour NAND cells, except of course they will have a randomly different spatial location on the chip. Then all you need to do is remap the NAND cells' locations through a modified driver, and replicate the response function. You may not even need to have a similar occurrence of behaviours, it could be sufficient to find just enough to replicate the response function.

There is no need to have a complete deterministic model of the chip. You can treat it as a black box and replicate its essential characteristics in a different way. The principle is a mantra in reverse engineering anyway.

Re:Black Box Theory (1)

JonySuede (1908576) | more than 3 years ago | (#37081456)

I would say that blackboxing and blackmagic are the mantras of reverse engineering.
<nostalgia>
  I remember when I cracked*1 the Orcad student version that was limited to 60 pieces to the full featured version, there was a really complex function involved in printing that counted the components but it also read things scattered all around the memory but it never seemed to write at any other place than the stack. After days and days of dead listing reading and debugging without source I was still in the dark with regard to what that function was doing. In a moment of despair I decided to replace the start of the routine with a set of instructions that replaced the stack as it was when the function succeeded and returned 0. To my amazement it worked. I tested it as hard as I could to see if there were some functionalities missing but everything worked.
</nostalgia>
*1 legal disclaimer, I was a minor at the time as it was in 1997 and I never did any cracking after this, +100hr of work for something that you can't publish under your own name was not worth it at 17 so it is still not worth it now at 30.

Re:Black Box Theory (1)

JonySuede (1908576) | more than 3 years ago | (#37081478)

31, damn each year passes faster than the last one...

Floppy disk weakly magnetized regions (0)

Anonymous Coward | more than 3 years ago | (#37083006)

This reminds me of floppy disk weakly magnetized regions which were used for copy protection back in the Apple II days.
They would read the same sector over and over and see if some of the bits changed. If they didn't, it was a copy.

Flash can already have a unique ID and locked area (0)

Anonymous Coward | more than 3 years ago | (#37083754)

Flash parts may already have a unique ID built in (i.e. serial number), and can also have one-time-programmable memory areas. So while this is interesting, I don't really see why it's needed.

Here's a technote about these features from 2007: http://www.micron.com/get-document/?documentId=138

Presumably counterfeit devices could be detected simply by reading the flash serial number and comparing it to sales records.

1 problem (0)

Anonymous Coward | more than 3 years ago | (#37084044)

Yes there are some unique traits that exist for different NAND chips. But age, usage, temperature and other external factors will alter this over time. The result: your expensive PS4? is labeled 'hacked' because it got a bit hot and damaged the chip in a manner not noticeable under normal conditions. Your games no longer run and your hardware is worthless because companies feel the need to "verify device identities".
