
Stealthy dopant-level hardware Trojans: extended version

  • CHES 2013
  • Journal of Cryptographic Engineering

Abstract

In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about what such a Trojan would look like and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs—a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation—and by exploring their detectability and their effects on security.
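The abstract's central point is that a dopant-level modification leaves every wiring layer of a gate unchanged while altering its electrical behaviour, so a golden-chip comparison of the layout passes but the gate no longer computes its nominal function. The following added example (not code from the paper or its authors) models that distinction at the logic level: a 3-input majority gate, which note 2 below mentions as a Trojan target, is represented by a constructed pin list standing in for the visible layout and by its truth table standing in for the doped behaviour. The Trojaned variant is assumed, for illustration only, to have its output pinned to a constant; the paper's actual modified circuits differ. The example then shows why a layout comparison cannot separate the two but exhaustive or random functional testing can, and how many random vectors a tester needs for a given detection probability.

```python
from itertools import product
import random

# Constructed gate models. "layout" is what an optical inspection or golden-chip
# comparison of the metal/polysilicon layers would see; "func" is the electrical
# behaviour after the dopant mask has been applied.
GOLDEN = {
    "layout": ("A", "B", "C", "Y", "VDD", "GND"),   # constructed pin/wire list
    "func": lambda a, b, c: int(a + b + c >= 2),    # 3-input majority gate
}

TROJANED = {
    "layout": ("A", "B", "C", "Y", "VDD", "GND"),   # identical wiring on all layers
    "func": lambda a, b, c: 1,                      # assumed model: output pinned to 1
}

N_INPUTS = 3


def layout_matches(golden, suspect):
    """Golden-chip style comparison: only the visible wiring is compared."""
    return golden["layout"] == suspect["layout"]


def differing_vectors(golden, suspect, n_inputs=N_INPUTS):
    """Exhaustive functional test: every input vector on which the two gates disagree."""
    return [
        v for v in product((0, 1), repeat=n_inputs)
        if golden["func"](*v) != suspect["func"](*v)
    ]


def detection_probability(n_differing, n_total, k):
    """Probability that k independent uniformly random vectors hit at least one
    vector on which the suspect gate disagrees with the golden one."""
    return 1.0 - (1.0 - n_differing / n_total) ** k


def random_functional_test(golden, suspect, k, n_inputs=N_INPUTS, seed=0):
    """Apply k random vectors; return the first disagreeing vector or None."""
    rng = random.Random(seed)
    for _ in range(k):
        v = tuple(rng.randint(0, 1) for _ in range(n_inputs))
        if golden["func"](*v) != suspect["func"](*v):
            return v
    return None


if __name__ == "__main__":
    print("layout comparison passes:", layout_matches(GOLDEN, TROJANED))
    diff = differing_vectors(GOLDEN, TROJANED)
    print("vectors exposing the Trojan:", diff)
    print("P(detect) with 3 random vectors:",
          detection_probability(len(diff), 2 ** N_INPUTS, 3))
    print("first disagreeing random vector:",
          random_functional_test(GOLDEN, TROJANED, 16))
```

The pinned-output model is the easy case: half of all input vectors expose it, so a handful of random tests suffice. The defensive lesson is that a Trojan whose effect is confined to rarely exercised inputs, or that only degrades a statistical property such as RNG entropy, shrinks the disagreeing set and pushes random functional testing toward zero coverage, which is why the abstract stresses evaluating the Trojan's effect on security rather than relying on layout inspection alone.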


Notes

  1. The silicon area below the polysilicon wire is not subject to the dopant mask and hence remains the same polarity as the underlying well.

  2. We would like to note that the layout of a majority gate is very similar to an AOI gate and we verified that the Trojan also works with a standard majority gate.

  3. Simulations were performed with Synopsys Nanosim using the following configuration: sim = 4, model = 4, net = 4, set powernet default mode = 5, set sim ires 1pA, set print ires 1pA and set sim leak ires = 1fA.


Acknowledgments

The authors would like to thank Mario Kirschbaum from TU Graz for his helpful comments in implementing iMDPL. This work was supported in part by the NSF Grants 0916854, 0923313 and 0964641 and by the HHS Grant 90TR0003/01.


Correspondence to Georg T. Becker.


Cite this article

Becker, G.T., Regazzoni, F., Paar, C. et al. Stealthy dopant-level hardware Trojans: extended version. J Cryptogr Eng 4, 19–31 (2014). https://doi.org/10.1007/s13389-013-0068-0


  • DOI: https://doi.org/10.1007/s13389-013-0068-0
