Stealthy Dopant-Level Hardware Trojans
In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since no hardware Trojans have been reported in practice yet, little is known about what such a Trojan would look like and how difficult it would be to implement one in practice.
In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs — a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation — and by exploring their detectability and their effects on security.
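As an added illustration (not part of the paper and not its authors' code), the following switch-level model shows why a modification confined to the dopant layer is invisible to a wiring-level comparison against a golden design while still changing a cell's function. The device names, net names and the "short"/"open" device types are assumptions of this toy model: a transistor whose dopant polarity has been altered is modelled as no longer switching, i.e. as a permanent connection or a permanent open.

```python
"""Switch-level model of a dopant-level Trojan in a CMOS NAND2 cell.

Added illustration; not code from the paper. It assumes a simplified model
in which a transistor whose dopant polarity has been altered no longer
switches and behaves either as a permanent connection ("short") or as a
permanent open ("open"). Device and net names are made up for this example.
"""
from itertools import product

VDD, GND = "VDD", "GND"

# Golden NAND2 netlist: (name, device, gate_net, terminal_a, terminal_b).
# Two parallel PMOS pull-ups, two series NMOS pull-downs through net n1.
GOLDEN_NAND2 = [
    ("P1", "pmos", "A", VDD, "Y"),
    ("P2", "pmos", "B", VDD, "Y"),
    ("N1", "nmos", "A", "Y", "n1"),
    ("N2", "nmos", "B", "n1", GND),
]

# Hypothetical dopant-level Trojan: P1 becomes a permanent VDD->Y connection
# and N1 a permanent open, so Y is stuck at 1. No metal, contact or poly changes.
DOPANT_TROJAN = {"P1": "short", "N1": "open"}


def apply_dopant_trojan(netlist, changes):
    """Return a copy of netlist with only the device types in `changes` swapped."""
    return [(n, changes.get(n, d), g, a, b) for n, d, g, a, b in netlist]


def conducts(device, gate_val):
    """Whether a device conducts for the given logic value on its gate."""
    return {"nmos": gate_val == 1, "pmos": gate_val == 0,
            "short": True, "open": False}[device]


def reachable(netlist, inputs, start):
    """Nets connected to `start` through conducting devices (switch-level DFS)."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for _, device, gate, a, b in netlist:
            if not conducts(device, inputs[gate]):
                continue
            for x, y in ((a, b), (b, a)):
                if x == node and y not in seen:
                    seen.add(y)
                    stack.append(y)
    return seen


def evaluate(netlist, inputs, out="Y"):
    """Logic value on `out`: 1 if pulled up, 0 if pulled down, 'X' otherwise."""
    up = out in reachable(netlist, inputs, VDD)
    down = out in reachable(netlist, inputs, GND)
    if up and not down:
        return 1
    if down and not up:
        return 0
    return "X"  # floating or VDD-GND short; neither occurs in this example


def truth_table(netlist, ins=("A", "B")):
    """Exhaustive functional simulation over all input vectors."""
    return {bits: evaluate(netlist, dict(zip(ins, bits)))
            for bits in product((0, 1), repeat=len(ins))}


def wiring(netlist):
    """What a layer-by-layer comparison of metal/poly/contacts sees:
    device names and connectivity, but not the dopant type."""
    return sorted((n, g, a, b) for n, _, g, a, b in netlist)


def compare_to_golden(golden, suspect):
    """Wiring-level check passes; only a functional check can fail."""
    return {
        "wiring_identical": wiring(golden) == wiring(suspect),
        "function_identical": truth_table(golden) == truth_table(suspect),
    }


def revealing_vectors(golden, suspect):
    """Input vectors on which the Trojaned cell behaves differently,
    i.e. the only stimuli a functional test can catch it with."""
    g, s = truth_table(golden), truth_table(suspect)
    return [bits for bits in g if g[bits] != s[bits]]


if __name__ == "__main__":
    trojaned = apply_dopant_trojan(GOLDEN_NAND2, DOPANT_TROJAN)
    print("golden  :", truth_table(GOLDEN_NAND2))
    print("trojaned:", truth_table(trojaned))
    print(compare_to_golden(GOLDEN_NAND2, trojaned))
    print("revealing vectors:", revealing_vectors(GOLDEN_NAND2, trojaned))
```

In this model the Trojaned cell has exactly the same connectivity as the golden one, so a comparison of the wiring layers reports no difference, while the NAND2 output is stuck at 1. A functional test exposes the modification only with the single input vector on which the two truth tables differ, and only if the affected cell's output is observable from the device pins; that gap between "visible in layout" and "visible in behaviour" is what the abstract means by resistance to optical inspection and golden-chip comparison.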
Keywords: Hardware Trojans, malicious hardware, layout modifications, Trojan side-channel