Not only do security vulnerabilities lurk within software, but they can also be embedded directly into hardware, leaving technical applications open to widespread attack.
For their project, the researchers took thousands of microscopic images of microchips. Pictured here is such a chip in a golden chip package. The chip area that was inspected only measures about two square millimeters.
Researchers from Ruhr University Bochum, Germany, and the Max Planck Institute for Security and Privacy (MPI-SP) are pioneering innovative detection techniques to combat these hardware Trojans. Their advanced algorithm can identify discrepancies by comparing chip blueprints with electron microscope images of the actual chips. This groundbreaking method successfully detected irregularities in 37 out of 40 cases.
The research team has generously made available all chip images, design data, and analysis algorithms online at no cost, enabling fellow researchers to access and utilize these resources for their own investigations and advancements in the field.
Production facilities: A potential entry point for hardware Trojans
These days, electronic chips are integrated into countless objects. They are more often than not designed by companies that don’t operate their own production facilities. The construction plans are therefore sent to highly specialized chip factories for production.
“It’s conceivable that tiny changes might be inserted into the designs in the factories shortly before production that could override the security of the chips,” explains Dr. Steffen Becker and gives an example for the possible consequences: “In extreme cases, such hardware Trojans could allow an attacker to paralyze parts of the telecommunications infrastructure at the push of a button.”
The researchers at the CASA Cluster of Excellence headed by Dr. Steffen Becker, and the MPI-SP team headed by Endres Puschner analyzed chips produced in the four modern technology sizes of 28, 40, 65 and 90 nanometres. For this purpose, they collaborated with Dr. Thorben Moos, who had designed several chips as part of his PhD research at Ruhr University Bochum, and had them manufactured.
The researchers had the design files and the manufactured chips at their disposal. They obviously couldn’t modify the chips after the fact and build in hardware Trojans. And so they employed a trick: rather than manipulating the chips, Moos changed his designs retroactively to create minimal deviations between the construction plans and the chips. Then, the researchers tested if they could detect these changes without knowing what exactly they had to look for and where.
In the first step, the researchers had to prepare the chips using complex chemical and mechanical methods to take several thousand images of the lowest chip layers with a scanning electron microscope. These layers contain several hundred thousand so-called standard cells that carry out logical operations.
“Comparing the chip images and the construction plans turned out to be quite a challenge, because we first had to precisely superimpose the data,” says Endres Puschner. In addition, every little impurity on the chip could block the view of certain sections of the image. “On the smallest chip, which is 28 nanometres in size, a single speck of dust or a hair can obscure a whole row of standard cells,” he concludes.
Virtually all manipulations have been detected
The researchers used image processing methods to carefully match standard cell for standard cell and looked for deviations between the construction plans and the microscopic images of the chips. “The results give cause for cautious optimism,” as Puschner sums up the findings. For chip sizes of 90, 65 and 40 nanometres, the team successfully identified all modifications. The number of false-positive results totalled 500, i.e. standard cells were flagged as having been modified, although they were in fact untouched. “With more than 1.5 million standard cells examined, this is a very good rate,” says Puschner. It was only with the smallest chip of 28 nanometres that the researchers failed to detect three subtle changes.
Higher detection rate through clean room and optimized algorithms
A better recording quality could remedy this problem in the future. “Scanning electron microscopes do exist that are specifically designed to take chip images,” points out Becker. Moreover, using them in a clean room where contamination can be prevented would increase the detection rate even further.
“We also hope that other groups will use our data for follow-up studies,” as Steffen Becker outlines potential future developments. “Machine learning could probably improve the detection algorithm to such an extent that it would also detect the changes on the smallest chips that we missed.”