Abstract
In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like, and how difficult it would be in practice to implement one.
In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs — a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation — and by exploring their detectability and their effects on security.
The authors would like to thank Mario Kirschbaum from TU Graz for his helpful comments in implemeting iMDPL. This work was supported in part by the NSF Grants 0916854, 0923313 and 0964641 and by the HHS Grant 90TR0003/01.
Chapter PDF
Similar content being viewed by others
References
Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan Detection using IC Fingerprinting. In: IEEE Symposium on Security and Privacy (SP 2007), pp. 296–310 (2007)
Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Canright, D.: A very compact S-box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)
Defense Science Board. Report of the Defense Science Board Task Force on High Performance Microchip Supply. US DoD (February 2005)
Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual Information Analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008)
Gorman, C.: Counterfeit chips on the rise. IEEE Spectrum 49(6), 16–17 (2012)
Hamburg, M., Kocher, P., Marson, M.E.: Analysis of Intel’s Ivy Bridge Digital Random Number Generator. Technical Report, Cryptography Research INC. (March 2012)
Hicks, M., Finnicum, M., King, S.T., Martin, M.M., Smith, J.M.: Overcoming an untrusted computing base: Detecting and removing malicious hardware automatically. In: IEEE Symposium on Security and Privacy (SP 2010), pp. 159–172 (2010)
Intel. Intel Digital Random Number Generator (DRNG) Software Implementation Guide, revision 1.1 (August 2012), http://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R__DRNG_Software_Implementation_Guide_final_Aug7.pdf
King, S.T., Tucek, J., Cozzie, A., Grier, C., Jiang, W., Zhou, Y.: Designing and implementing malicious hardware. In: Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 2008), pp. 1–8 (2008)
Li, J., Lach, J.: At-speed delay characterization for IC authentication and Trojan horse detection. In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), pp. 8–14 (2008)
Lin, L., Kasper, M., Güneysu, T., Paar, C., Burleson, W.: Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 382–395. Springer, Heidelberg (2009)
Markoff, S.: Cyberwar — Old Trick Threatens the Newest Weapons. New York Times (October 2009)
Moradi, A., Kirschbaum, M., Eisenbarth, T., Paar, C.: Masked Dual-Rail Precharge Logic Encounters State-of-the-Art Power Analysis Methods. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 99, 1–13 (2011)
Nangate Inc. Nangate Open Cell Library, version PDKv1_3_v2010_12 (August. 2011), http://www.si2.org/openeda.si2.org/projects/nangatelib
Popp, T., Kirschbaum, M., Zefferer, T., Mangard, S.: Evaluation of the Masked Logic Style MDPL on a Prototype Chip. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 81–94. Springer, Heidelberg (2007)
Popp, T., Mangard, S.: Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005)
Rajendran, J., Jyothi, V., Karri, R.: Blue team red team approach to hardware trust assessment. In: IEEE 29th International Conference on Computer Design (ICCD 2011), pp. 285–288 (October 2011)
Rajendran, J., Jyothi, V., Sinanoglu, O., Karri, R.: Design and analysis of ring oscillator based Design-for-Trust technique. In: 29th IEEE VLSI Test Symposium (VTS 2011), pp. 105–110 (2011)
Sanger, D., Barboza, D., Perlroth, N.: Chinese Army Unit Is Seen as Tied to Hacking Against U.S. New York Times (February 2013)
Shiyanovskii, Y., Wolff, F., Rajendran, A., Papachristou, C., Weyer, D., Clay, W.: Process reliability based trojans through NBTI and HCI effects. In: NASA/ESA Conference on Adaptive Hardware and Systems (AHS 2010), pp. 215–222 (2010)
SypherMedia International. Circuit Camouflage Technology - SMI IP Protection and Anti-Tamper Technologies. White Paper Version 1.9.8j (March 2012)
Waksman, A., Sethumadhavan, S.: Silencing hardware backdoors. In: IEEE Symposium on Security and Privacy (SP 2011), pp. 49–63 (2011)
Walker, J.: Conceptual Foundations of the Ivy Bridge Random Number Generator. Presentation at ISTS Computer Science Department Colloquium at Dartmouth College (November 2012), http://www.ists.dartmouth.edu/docs/walker_ivy-bridge.pdf
Yier, J., Makris, Y.: Hardware Trojan detection using path delay fingerprint. In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), pp. 51–57 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 International Association for Cryptologic Research
About this paper
Cite this paper
Becker, G.T., Regazzoni, F., Paar, C., Burleson, W.P. (2013). Stealthy Dopant-Level Hardware Trojans. In: Bertoni, G., Coron, JS. (eds) Cryptographic Hardware and Embedded Systems - CHES 2013. CHES 2013. Lecture Notes in Computer Science, vol 8086. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40349-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-40349-1_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40348-4
Online ISBN: 978-3-642-40349-1
eBook Packages: Computer ScienceComputer Science (R0)