IC development steps are vulnerable to malicious insertions that may compromise system security.
Electronic systems are at the core of an ever-increasing number of products and services. From power plants to automobiles, from medical devices to airplanes, from smartphones to home appliances, complex electronic systems enable an unprecedented level of automation, performance, safety, and security. Integrated circuits (ICs) are the backbone of these systems, and it is of paramount importance that they can be trusted to operate in full compliance with their specifications and certifications. However, IC design, production, and distribution are surprisingly vulnerable to malicious agents who could infiltrate the supply chain with devices of poor performance and reliability, or even with hardware Trojans, i.e., additional, hidden functions designed for nefarious purposes.
Counterfeit ICs come from multiple sources, including overproduced, discarded, and recycled parts. This U.S. government report from 2012 details numerous cases of counterfeit ICs infiltrating the defense supply chain. With ever more ICs being produced or recycled overseas, authorities and OEMs are looking for ways to ensure that counterfeit parts do not end up in their products.
IC production is also susceptible to malicious interventions at the foundry that are carried out at the layout level, leaving the design itself (RTL and netlist) untouched and therefore invisible to design-level review. In this paper, for example, the authors insert a stealthy Trojan by applying a different dopant polarity to part of an inverter gate. As a result of this minimal change, the inverter always outputs VDD, regardless of its input. They go on to show how this technique can be used to reduce the entropy of a random number generator (RNG) circuit and, in turn, compromise the cryptographic capabilities of an IC.
The insertion of hardware Trojans during the IC design phase, in the register-transfer level (RTL) model or in the post-synthesis gate-level netlist (see Figure 1), for example, is also a serious concern. Integrators of third-party semiconductor IP (3PIP) are particularly exposed. IP is complex and typically includes many configuration options needed to support a wide range of applications, so a rogue employee could make malicious modifications to the RTL code that remain well hidden among the numerous unused features or power, area, and performance optimizations.
Figure 1: IC development steps are vulnerable to the insertion of hardware Trojans.
It is worth noting that hardware Trojans can also result from non-malicious activity. It is common practice to introduce backdoors and hidden functions during IP development for debug purposes. These additional functions may seem innocuous to the naive observer; however, if they are not stripped out before release, they provide a formidable attack surface for malicious agents. In this paper, the authors claim to have discovered a backdoor in an FPGA device used in military and safety-critical applications. With a special technique, they were able to extract keys and passcodes that could be used to reverse engineer the IP and even to reprogram the FPGA.
A thorough, detailed review of each licensed 3PIP using today's technologies and methodologies would have a prohibitive cost, and how to quickly gain sufficient confidence that a 3PIP is trustworthy remains a challenge. The design flow does include thorough functional checks that could, at least in theory, detect the presence of a Trojan or other undocumented function. However, the focus of pre-silicon verification is to ensure that semiconductor IP and ICs behave as expected in their intended use cases. In other words, verification aims to ensure that hardware components do what they are supposed to do, but it provides little confidence that they do nothing else.
At the 2015 Design Automation Conference (DAC), engineers were challenged to introduce bugs into a design that would be missed by a high-quality formal testbench. As it turned out, it was relatively easy to achieve that goal with a malicious design change. The experience was later recounted in a paper (I. Tripathi et al., The Process and Proof for Formal Sign-off: A Live Case Study, DVCon US 2016) that included the following statement:
This bug was inserted with a malicious intent, i.e. to specifically change the design so that the defect cannot be caught by the verification methodology; we believe that this can always be done, and defeats the purpose of true verification to find all naturally occurring bugs.
Malicious design changes are indeed different from naturally occurring, genuine mistakes. Functional verification processes, however advanced, are likely to miss hardware Trojans.
The industry acknowledges that hardware simulation and emulation are limited by time and computational capacity: testing all possible combinations and sequences of input vectors is not feasible. Formal methods can exhaustively check properties expressed as assertions, revealing corner cases that simulation would never reach. However, proving properties over the entire state space can run into complexity (state-explosion) limits. Moreover, there is no guarantee that a set of assertions covers all possible functions, including a potential Trojan: a Trojan whose payload touches no asserted signal passes every proof. Assertion coverage and other traditional verification metrics are useful for functional verification but inadequate for Trojan detection.
The industry is developing new formal-based solutions dedicated to identifying such unknown unknowns in a systematic, efficient way. Detecting suspicious, hidden, or undocumented functions in IP and IC models has a cost, and engineers must be able to demonstrate a level of trustworthiness appropriate to the target application. A key challenge in achieving that is establishing metrics that quantify the degree of trustworthiness of an IC.
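The three points above (a Trojan hidden behind a rarely exercised input pattern, functional verification that confirms the design does what it should but not that it does nothing else, and the need for a metric that exposes unknown unknowns) can be made concrete with a small model. The following Python is an added example, not code from this page or from OneSpin: a constructed 4-bit ALU whose documented behaviour is purely combinational, with a hidden three-cycle arming sequence after which the XOR opcode leaks a constructed constant KEY. A directed testbench that drives all 1024 input vectors twice reaches 100% input coverage and passes every check. An exhaustive walk over every reachable state under every input (the explicit-state equivalent of what a model checker does for the property out == spec) finds the trigger and returns the shortest trace to it, and a count of reachable states that the combinational specification does not account for serves as a crude trustworthiness metric. The module, the trigger pattern and KEY are assumptions made for illustration.

```python
"""Added example (not from the page or from OneSpin): a hidden sequential
trigger in a small RTL-style model, an exhaustive single-cycle testbench that
misses it, and an exhaustive reachable-state check that exposes it.
The ALU, the trigger pattern and KEY are constructed for illustration."""
from collections import deque
from itertools import product

KEY = 0xC  # constructed 4-bit secret that the payload leaks (assumption)


def spec(op, a, b):
    """Documented behaviour: a purely combinational 4-bit ALU."""
    return {0: (a + b) & 0xF, 1: (a - b) & 0xF, 2: a & b, 3: a ^ b}[op]


# Undocumented arming sequence: three specific consecutive input vectors.
TRIGGER = ((3, 0xA, 0x5), (3, 0x5, 0xA), (3, 0xA, 0x5))


class TrojanedAlu:
    """RTL-style model with hidden state: (trigger progress, armed flag)."""

    def __init__(self, state=(0, False)):
        self.seq, self.armed = state

    @property
    def state(self):
        return (self.seq, self.armed)

    def step(self, op, a, b):
        out = spec(op, a, b)
        if self.armed and op == 3:
            out = KEY                       # payload: leak KEY on the XOR opcode
        # Hidden sequential logic: advance or restart the trigger matcher.
        if (op, a, b) == TRIGGER[self.seq]:
            self.seq += 1
            if self.seq == len(TRIGGER):    # sequence complete: arm (sticky)
                self.armed, self.seq = True, 0
        else:
            self.seq = 1 if (op, a, b) == TRIGGER[0] else 0
        return out


ALL_INPUTS = list(product(range(4), range(16), range(16)))   # 1024 vectors


def directed_testbench():
    """Functional verification: drive every input vector twice, in order,
    checking out == spec each cycle. Returns (passed, input_coverage)."""
    dut, seen = TrojanedAlu(), set()
    for op, a, b in ALL_INPUTS * 2:
        seen.add((op, a, b))
        if dut.step(op, a, b) != spec(op, a, b):
            return False, len(seen) / len(ALL_INPUTS)
    return True, len(seen) / len(ALL_INPUTS)


def exhaustive_check():
    """Formal-style check: from reset, visit every reachable state under every
    input and check the property out == spec. Returns (reachable_states,
    counterexample), where counterexample is the shortest input trace to the
    first violation found, or None if the property holds everywhere."""
    start = TrojanedAlu().state
    trace = {start: []}
    queue, counterexample = deque([start]), None
    while queue:
        s = queue.popleft()
        for op, a, b in ALL_INPUTS:
            dut = TrojanedAlu(s)
            out = dut.step(op, a, b)
            if out != spec(op, a, b) and counterexample is None:
                counterexample = trace[s] + [(op, a, b)]
            if dut.state not in trace:
                trace[dut.state] = trace[s] + [(op, a, b)]
                queue.append(dut.state)
    return set(trace), counterexample


def undocumented_state_count():
    """Trust metric: reachable design states beyond the single state a
    combinational specification accounts for. Anything above 0 is hidden
    state that the spec does not explain."""
    states, _ = exhaustive_check()
    return len(states) - 1


if __name__ == "__main__":
    print("directed testbench (passed, input coverage):", directed_testbench())
    states, cex = exhaustive_check()
    print("reachable states:", sorted(states))
    print("counterexample trace:", cex)
    print("undocumented states:", undocumented_state_count())
```

Two things are worth noting. The testbench passes with full input coverage because the trigger is a sequence, not a single vector, so coverage on single-cycle stimulus says nothing about it. The property out == spec catches this Trojan under exhaustive exploration only because the payload corrupts a documented output; had the payload driven a signal no assertion mentions, every proof would still pass, and only the hidden-state count (six reachable states where the specification allows one) would flag that something undocumented is there.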
OneSpin Solutions is at the forefront of the effort to develop solutions that measure and ensure hardware trustworthiness. For more information about one of our trust assurance activities, request a copy of the paper Complete Formal Verification of RISC-V Processor IPs for Trojan-Free Trusted ICs presented at the 2019 Government Microcircuit Applications & Critical Technology (GOMACTech) conference in Albuquerque, New Mexico.