Thwarting Key Extraction and Supply Chain attacks by Detonating GPUs

All right, good afternoon everybody and welcome to Besides Las Vegas in the common ground. This is thorting key extraction and supply chain attacks by detonating GPUs given by MEMT. And a few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors Adobe and Iikido and our gold sponsors, Formal and Profit. It's their support along with our other sponsors, donors, and volunteers that make this event possible. These talks are being streamed live on YouTube. And as a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. If there is still time by the end of the talk, we will have time for audience

questions where I will bring the mic around the room to whoever wants to ask a question. And just a reminder for besides cell phone policy, we do not allow photography in here. just as a quick reminder. But with that, I think we'll hand it over to Memed. Please take it away. >> All right. Thank you guys for showing up and liking this, I guess. I hope you like it. So, yeah, it's a thing we've been doing for about eight months now. And and I've been in the security field for about a year. Before that, I was injecting people with computer chips. We can talk about that if you want later, but it's detonating GPUs is what what

you want to see. And yes, this is about as much fire as we are showing in this presentation. Uh the idea is to keep things contained, but oh well, there's a video of that. So, first things first, be safe. Keep your limbs life and freedom. A lot of people have lost limbs working with explosives. So, if you want to try these at your facilities, please work with a licensed professional at a uh like we did. We work with John Norman of ACCX Research. He's no stranger to these conferences and the scene. anyway and just work with someone who knows what they're doing, please or don't blame if you don't. So, uh yeah, we're talking about like why

would you want to have self-destruct? Someone who possesses the device does not necessarily is the trusted party for that device. Uh how not to self-destruct. Thermite doesn't work. Just long and short of it. And explosives do. And I'll Yeah. So, that's the talk. Thermite doesn't work. Explosives do. You don't trust people who hold the devices necessarily. And uh in more details, hardware is v vulnerable to physical site channels. You can extract keys from things pretty convincingly. So if someone uh extracts keys from a device, they can pretend to be that device and so on and so forth. So it's important to actually risk physical access uh limit physical access to a device from an inspection point

onwards or from when secrets are injected onwards. Uh it also uh is important if you're going to deploy your device to a place where it's in a neighborhood that you don't trust it. Say you're building a data center in a country where you have good relationships today but maybe not tomorrow and you want to be able to make sure that uh someone who you know betrays your trust only pisses you off but does not actually have access to your devices. So like these are the kind of motivations we have in mind. And one way of making sure people don't get to your chips is keep a big honking metal on that and make sure that it can't come

off. So that's basically what we're doing. Uh you keep the heat sink on. You have some temper sensor which is out of scope for this talk but we can discuss this afterwards if you like. And in order for this to be applicable this destruction needs to be fast like milliseconds if not nanconds fast scalable. So you can actually deploy this in a large you know thousands of GPUs hundreds of thousand GPUs data center or your SSDs or what have you and you need to contain the damage so that people who install these things don't lose their digits if these things actually misfire or fire detonate and so so on and so forth. So we have basically

one option but we tried two. We tried thermites and explosives. Um there is other things you could think about and we can discuss afterwards but the these seemed fast and decisive. Um it turns out uh thermites uh are actually somewhat promising in that you can use you can actually manufacture them in a nanop fabrication facility. Same places where these chips are being manufactured. you just uh aluminum and copper oxide is stuff you can deposit easily except it takes if you want to do nano layers it takes about 10 hours to to actually have the stack that you see uh and and that is you know going a little too fast and we had one ignition out of like eight

wafers just because of how fast you deposit it heats up so I don't know if it's that feasible in terms of manufacturing but we tried it and we did fire it and when we fired the chips they actually em got embedded into the plastic the acrylic stage but they the chips were intact after we actually fired nano deposited nanoothermite on the chips. So you can get nanoothermite on a chip, you can manufacture it, but it doesn't seem to break things. So no go. We added powder and then so powdered nanootherm you know grams of about a gram of nanoothermite as opposed to whatever you can deposit and we honestly it was hard to ignite. So we had to put

insulating tape on top of this to actually get an ignition. It turns out these heat sinks actually can rob a lot of heat. So it's hard to actually ignite thermite. Like thermite is notoriously difficult to ignite and when you put a heat sink on top it even gets worse. But you know, we wanted a picture. So we got a tape on top of it and we got a dignite so that you can see this slow motion fire.

Yeah. So that's we got that. It turns out the chip got unscathed. That's perfectly fine. It's just fire. It's turns out silicon is basically rock. >> [snorts] >> So, but it's crystallin rock which we'll exploit. So, again, we want something faster uh so that we actually want to generate a shock wave and get some destruction going. And we did. We put a detonator behind uh we put a detonator on the back side of a GPU and you got product launch. As you can see, there's the GPU on the left side. After ignition, there is no GPU. So, it just launched straight off. Um, we figured, hey, maybe you want to keep a heat sink on. So, we did put a heat

sink on. It's This isn't Barto Stove Desert, by the way, if you ever wanted to visit us. Uh, this is the uh detonator behind the GPU and a rock on top so things don't fly. Yeah. And the heat sink absorbed all the shock. So, the GPU was intact. It turns out if you have an SXM card, those are pretty thick. And the the card itself is not useful afterwards because you know all the electronics are shattered. But if someone can like delaminate this GPU and use it on something else, they can uh on the like back side doesn't seem to work. So we tried front side. I mean there's a bunch of tests in the middle,

but we put a uh detonator on the top of a heat sink and detonated the heat sink came apart and absorbed the shock. So that didn't work as much. We put it the detonator inside the heat sink so that there isn't a air cavity. Uh like the the copper cold plate itself became our hammer as opposed to like fins getting in the way and we got a detonation and that actually drove the point home quite literally. There's nothing left after that. And this is sort of the damage the you can see the copper behind uh that's the interconnects between the chips. So or the interposer whatever. So in within the heat sink detonators are useful. That's something we can do. And

the heat sink itself can act as your uh act as your hammer. We detonators need to be stable. Uh if this is going to be in a data center it'll be 80 80 Celsius for five years. So, we figured we'll certify these or test these for 105 Celsius for 5 years, which means we did 130 Celsius for 47 days. That's how the math works out. And they still fire. We were still in love with the backside for a little bit. So, we tried it again with this detonator. Nope. We have a crack. It's a little stronger of a detonator. It's 450 migrams of RDX. So we cracked the chip but we didn't get a complete destruction

which is still useful if you want to deny access to a chip but if you want to also deny imaging it's not useful. The back plate of course uh came in became in pieces which is wasn't very helpful to us because you don't want this mess in your data center which we'll come back to. So front side is better. So you make a little hole for your uh detonator on the G on the heat sink as you see on the bottom and it works complete destruction of the GPU layer. One thing you see is that the GPU is uh the GPU computing die is very thin. It's the it's the middle die and it gets completely evaporate like

polymerized. The HBMs actually don't get pulverized. I think it's because of the way the DDR is structured. It's layers of layers upon layers of metal. Uh so it's I don't think you can read anything off of it, but I haven't tried. I don't have the means. But I I'll ship you if you if you want to image these things. Uh I'll ship your chips, but the GPU itself is destroyed. And we also tried this with a Von 100 uh PCI Express GPU. Uh again, made made a hole uh where where the detonator can fit. Close it up. complete destruction. Front side works. Now, of course, you don't want to destroy your hands. And one way

to not destroy things that contain destruction is actually like metal foam. This is available. It's dual cell foam from ERG out of Iris Space in Nevada. Thank you. And uh they we actually put it on put little bit of um aluminum tape just to keep it in place. And in between there's a thin 1 mm carbon fiber layer and we put a kevlar sock on that. This is a butcher sleeve uh so that you can actually contain the damage and things stay in place and damage seems to be contained. We still have some work to do but it seems like we can contain damage. Same thing with the PCI Express card and it works. So this is uh after an

initiation uh the uh the detonator is right behind this plate. the back this back plate we had a little hole but uh the carbon fiber plate was intact and nothing really reached the the kevlar even. So what's next? Uh the next is actually make this look neat uh and make it and go for an ATF special device exemption. It's a it's a kind of exemption you get for your pyrochnic fuses and such. If you have if if any of you have seen an electric car or driven one there there's actually a powerful bus bar just a piece of copper and that's very difficult to fuse uh normally because there's a huge amount of power going through. So they actually

have small explosive charge so that actually uh blows up as a onetime fuse in case there's a fire or anomaly. So we want to get that kind of exemption for the for these things so we can actually you know provide these to people who don't have training and they'll be safe and same goes for transport you need to have a transport exemption so that you can actually ship these things without placards and same with export controls. So yeah, uh questions, comments, thoughts?

>> Yes, sir. >> Have you published a formal paper on this? >> Uh not yet. No. >> Repeat the question. >> Oh, have I publish Have you published a formal paper on this? No, we published I mean in the uh submission page, I guess. Uh, we put a lot of information out there, but no, not a formal paper just yet. >> Are you planning to release the slides? >> Uh, I'll be happy to. >> I'd be happy to. Anything else? All right, I'll be around. Oh, yes. Few more questions, but I wanted to give other people opportunity as well. Um, have you looked into uh like detecting when someone opens a case and then tying

it into like a full system so that you could you could um cause the explosion uh before someone opens a case and and tries to tamper with the device? >> Yes. Yeah, we have. So, we worked with we're working with like Temper out of uh San Francisco and other players to actually like integrate this into a full system. In fact, you probably want that anyway because you don't want an accessible detonator in there. So, it's like two use cases we see is one is a scram button. You have a data sensor and it's being stormed. So, you press the big red button and there's no more a data center, but it's not a big explosion. It's just like everywhere. Uh

the other is uh having what you said a temporary response temporary detectives enclosure and then this is the temporary response. Uh, and where can we read more about your work uh on on this uh research? >> So, we have our website irrand.ai, which has nothing of this. Uh, I should probably put uh at least an archive paper up there. Stay tuned. >> Thank you. >> Oh, there's a question back back there. >> Thank you. Um I'm curious just from the applicability and use cases you're talking about um whether or not like why wouldn't you have something that just kind of overwrote the built you know the secrets that are stored in there why do you need to

destroy the whole chip are you trying to protect is this specifically for protecting like the IP of the chip because it's a specialized chip or beyond the secrets just >> so it's twofold one is protecting the IP IP of the chip uh beyond like the IP itself may be a secret. Uh the other would be uh this can be faster than override uh and if your attackers are strong enough to use say a shape charge to destroy your override circuitry. This might be a thing. Um but yeah, >> are you getting requests for that saying that like there's current methods that are ins like overwrite methods are insufficient because of that they take too long. So you have customers who

specifically want to destroy like the whole thing. >> So actually the request we get is about denying access to chips more more than more than anything else. >> More about protecting the whole chip itself. >> Protecting the chip itself protecting like repurposing of the devices. Uh that that's mostly the requests we get. >> Thank you. >> Thank you. There's a question over there. >> Just a quick one. Are you looking into at all combining this with using location data? I'm thinking about export controls and pieces like that. Like I don't know if that's part of the impetus for this or not, but >> Mhm. Yeah. Yeah. So people have uh actually come up with us come up to us

discussing this in a different different settings saying uh people some people might want location limiting and if you want that chip enforced actually it's very important to make sure that the the uh keys secrets in in the chip can't be extracted or rewritten and uh for for for these GPUs it's uh the compute fabric is is is the hard part it seems. So if people can actually inject their own keys or or spoof keys, they can actually get around hardware backed export controls. So a self-destruct would be very useful for that. >> And are you working on making a form factor that would work with that versus like a data center kind of Yeah, >> sure. Uh so that's kind of why we

actually went with both SXM and PCI Express. So the idea is to actually have ships have the chips ship with their heat sinks which in PCI Express is already the case. Uh of course it's not going to be a sock. We're working on it but that's that's the idea like have the containment on the PCI Express form factor or the SXM form factor so that it's actually useful. Thank you. Anything else? I'm around. I'll be around and you could reach me at Oh, go back all the way to the first slide. Mehmed at aair.ai. Should have put this in the first. Yeah. Oh, memed at arandel.ai or if you have signal, it's uh mehmed. 72.

You can reach me there as well. >> All right, let's give me another round of applause.