Researchers create undetectable layout-level hardware Trojans

Protect your data with the world’s leading information security standard, ISO 27001 – Classroom courses now in New York. Book Now>>

The fact that most of computer hardware is produced outside the US and Europe has long presented a worry for the governments of those countries and for the companies and corporations based in them.

They are especially concerned about the security of integrated circuits used in military devices, industrial control systems, medical and other critical devices, and are aware that the possibility of hardware Trojans being integrated in them during the manufacturing process is not at all far-fetched.

A group of researchers from several universities in the US, Switzerland, the Netherlands and Germany have recently published a paper dealing with precisely that possibility, and have proposed an “extremely stealthy approach for implementing hardware Trojans below the gate level”.

“Often circuit blocks in a single IC are designed by different parties, manufactured by an external and possibly off-shore foundry, packaged by a separate company and supplied by an independent distributor. This increased exploitation of out-sourcing and aggressive use of globalization in circuit manufacturing has given rise to several trust and security issues, as each of the parties involved potentially constitutes a security risk,” they pointed out, adding that threat of hardware Trojans is expected to only increase with time, especially with the recent concerns about cyberwar.

Theirs is not the first research into creating a hardware Trojan, but it is among the first ones that instead of adding additional circuitry to the IC’s design have concentrated on changing the dopant polarity of a few of its transistors.

“Doping” a transistor is effected by introducing impurities into its structure with the purpose of changing its electrical properties. Previous research has managed to make them fail before they should have, but this group has succeeded in making the protection provided by an Intel random number generator (RNG) weaker than intended, and to create a hidden side-channel into an AES SBox implementation in order to leak out secret keys.

But most important of all, their modifications fooled a number of common Trojan testing methods that included optical inspection and checking against “golden chips” (i.e. a definitive, verified example of how the chip should look and be).

“To the best of our knowledge, our dopant-based Trojans are the first proposed, implemented, tested, and evaluated layout-level hardware Trojans that can do more than act as denial-of-service Trojans based on aging effects,” they concluded.