Paul van Gerven
26 April

Estonian research has shown that it’s possible to insert fully-functioning Trojan IP into IC designs using standard methods to make small post-layout alterations.

When we talk about a Trojan horse or a Trojan, we’re usually referring to a piece of malicious software. By concealing its true content, Trojan malware tricks the user into thinking he’s opening a harmless file. While unfortunately quite a successful approach to steal information or blackmail victims, there may be even more insidious ways for attackers to compromise systems, requiring no user action at all. Users and manufacturers could be completely unaware that they’re buying or selling a device with a pre-installed Trojan.

Research from Tallinn University of Technology (Taltech) in Estonia suggests that this mode of attack isn’t as outlandish as it may seem at first glance. As it turns out, it’s not that hard to slip a Trojan into the design of an IC, even after it has been sent to a foundry for manufacturing. Using a standard method to fix minor bugs after the IC layout has been finalized, it takes a little over an hour to slip in hardware Trojans that leak cryptokeys over a power channel.

Taltech 1
Layouts before and after being modified. The target circuit is the AES cryptographic core. Credit: Taltech

Power modulation

For more than almost two decades, researchers have hypothesized that hardware Trojan horses can be inserted in computer chips while they’re being fabricated, yet there are surprisingly few demonstrations of it. Previous work in this field tends to assume an infinitely capable adversary, resourceful and insightful, able to manipulate any circuit in a number of ways. The team at Taltech adopted a more restrained – and realistic – approach: there’s an ‘agent’ present at the chip fabrication site and he/she only has a few hours at most to make modifications.

“We looked at this problem from the point of view of a single rogue engineer from the chip factory,” says Samuel Pagliarini, head of the Centre for Hardware Security at Taltech. “The questions we wanted to answer were about the feasibility of this attack. Can a chip layout that’s ready for production still be manipulated? If so, who can do it? With what tools? How much time would it take to insert these Trojans? The only way to answer these questions is to pretend to be an adversary,” he explains.

The researchers set out to demonstrate that, by adding bits of logic to an IC design, it’s possible to leak bits from inside the chip. Obviously, this information needs to be communicated to the outside world using channels that are already part of the design – adding a pin, for example, would be a bit conspicuous. In fact, the added logic should cause minimal disturbance to the circuit, as even relatively small performance changes could lead to the detection of the Trojan.

This type of spying is known as a side-channel attack (SCA), which exploits the IC’s physical operating characteristics, such as timing, power consumption, electromagnetic radiation and even sound, to reveal information that would normally be confined to the IC. The Taltech team opted for power modulation via the IC’s power pins as a communication method, specifically to reveal on-chip cryptographic keys.

Weakest link

The challenge, then, was to insert malicious logic using tools that would typically be available for someone who works at a foundry. The researchers found the so-called Engineering Change Order (ECO) flow to suit their needs. ECOs allow engineers to make small post-layout alterations without too much of a hassle. Especially when the mask set has already been made, this ‘shortcut’ saves time, resources and money.

For this approach to work, there needs to be enough room available on the chip to fit the Trojan pieces. Especially for cryptographic cores such as AES and Present, this is no given: these circuits tend to be very dense. To the researchers’ surprise, however, they could always find enough ‘gaps,’ even in very dense circuits.

Taltech 2
The chip is leaking bits by modulating its power consumption. Credit: Taltech

From there, the researchers proceeded to produce real 65-nm CMOS ASICs containing four different variants of Trojan horses. Once back from the foundry, information leakage by modulation of power consumption was confirmed. All the attackers needed to do to learn the cryptographic key was to look for discrete steps in power being made. An end-user wouldn’t notice these variations, since they’re in the order of microwatts.

The real-world relevance of Taltech’s work isn’t clear. Surely, foundries have security protocols in place. How hard would it really be for a rogue element to access a design with the tools he needs? How much chip design knowledge does he need to possess to successfully install the Trojan? We don’t know if it’s reasonable to assume that these elements fall into place. We do know that the hardware Trojan may not require user action to be activated, but it still depends on the weakest link in any IT system: the human being.