Supply chain compromise: Adding undetectable hardware Trojans to integrated circuits

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

Is it possible for attackers to equip integrated circuits with hardware Trojans that will not change the area or power consumption of the IC, making them thus indiscernible through power-based post fabrication analysis?

A group of researchers from the National University of Sciences and Technology (Islamabad, Pakistan), the Vienna University of Technology and New York University have proven it is.

They have also demonstrated that hardware Trojans (HTs) can be implanted not only by adding logical gates to the original circuit, but also by identifying and safely removing expendable, redundant gates and embedding malicious circuitry at the appropriate locations.

The TrojanZero approach

To implant undetectable hardware Trojans in the circuits, they have:

  • Devised a scheme to identify rarely-activated nodes in the circuit
  • Devised an algorithm to explore the space of circuit modifications that leave the circuit’s functionality on the defender’s test patterns unchanged
  • Devised a methodology to embed HTs in the target circuit without increasing area and power consumption
  • Implemented an HT with a low triggering probability during the functional testing phase.

hardware Trojans

“In the proposed attack model, we assume that the attacker resides at the foundry where she can modify the circuit in the form of addition, deletion or modification of the gates during fabrication,” the researchers explained.

“The TrojanZero methodology relies on the condition that attacker acquires a substantial knowledge pertaining to functional testing techniques of the defender. This scenario is conceivable, since the increasing complexity of system-on-a-chip (SoC) integration has raised the tendency of outsourcing IC testing services to the third- party vendors. This provides an attacker with a realistic opportunity to obtain relevant information from the third-party. Moreover, the design-for-testability techniques e.g., scan-based testing structures provide a reasonable insight to the attacker residing at the foundry about the testing structures employed by the end-user.”

Their methodology provides a foundation for devising new, stealthier attacks.

“An attacker with a reasonable knowledge of circuit configuration can circumvent its security with potentially no risk of getting detected. This instigates a need of exploring more sophisticated and viable techniques for the post-silicon detection of HTs,” they concluded.