We often talk about software security and authenticity, but the computer hardware, and the ICs on which software runs and on which critical application data is stored, must also function consistently in a dependable (correct, predictable) and trustworthy (non-malicious, non-exploitable) manner. The threats to a given IC, and the security properties that have to be assured in the face of them, are the focus of this article. Let’s explore …
Too often, software and system developers take the quality of computer hardware for granted, never doubting that the logic of the integrated circuits (ICs) on which software runs and critical application data is stored will consistently function in a dependable (correct, predictable) and trustworthy (non-malicious, non-exploitable) manner. After all, ICs seem to be free of the kinds of design and implementation flaws so common in software, and impervious to subversion by malicious code, so ICs are believed capable of achieving levels of assurance impossible in software. This belief underpins Trusted Platform Modules (TPMs) and Hardware Security Modules (HSMs), devices conceived as high-assurance platforms for critical software processes and highly sensitive data that need strong protection against tampering, interference by untrusted processes, and leakage. But is such faith in IC quality really merited? In recent years the hardware supply chain has been flooded with counterfeit ICs of substandard quality and, more recently, hardware Trojans have emerged as a threat to the trustworthiness of IC logic. As a result, engineers of critical software-intensive systems need tools that give them deeper insight into the inner workings of the ICs on which their systems’ software will run, and the developers of that software need to design and implement their code so that it can survive not only human attackers and malicious software, but substandard counterfeit hardware and malicious IC logic.
Security Threats Specific to Integrated Circuits
The predominant threats to the security properties of ICs are:
- Counterfeiting (a threat to authenticity and, because counterfeits are often of deficient quality, to dependability)
- Reverse engineering to extract IP or to discover sensitive data, such as cryptographic keys, held in on-chip memory (a threat to intellectual property and data confidentiality)
- Tampering to sabotage IC operation or to insert malicious functionality, such as Trojans or kill switches (a threat to integrity and trustworthiness)
ICs are exposed to security threats much as software is. The most common threat today is counterfeiting. Moreover, it has emerged in the last few years that, like software under development by rogue programmers, ICs are also susceptible to subversion during their manufacture; in the case of FPGAs, malicious logic can be inserted even after the IC has been deployed. And as with software, these problems are extremely difficult to detect once the hardware has been manufactured and fielded. Indeed, the expense and time required to inspect ICs for malicious circuits or counterfeiting indicators exceed the cost of reviewing source code and testing executables, because of the level of expertise and the specialized equipment required. Unlike the software development lifecycle, which has at most a half dozen or so phases, the manufacturing process of an IC typically involves on the order of 100-400 steps, each of which is susceptible to subversion by malicious actors. Such subversions may take the form of deliberate design deficiencies (which, as with software, are probably preventable only through labor- and expertise-intensive formal methods) or of malicious tampering during fabrication.
What’s the guarantee …?
The cost of fabricating ICs has driven many OEMs to “go fabless”, i.e., to outsource the fabrication and testing of their ICs to offshore foundries in countries such as China, Taiwan, South Korea, Malaysia, and the Philippines, where labor costs are much lower; even OEMs that operate their own fabs, such as Intel and Texas Instruments, outsource part of their production. As with the outsourcing of software development, this raises the question of how a fabless OEM can be sure that the ICs it receives from a foreign foundry conform exactly to the design (the GDSII layout) it handed over, with nothing added and nothing omitted.
Increasingly, OEMs are also outsourcing the design of their ICs, which raises questions about the trustworthiness not only of the manufacturing, assembly, and packaging processes and tools, but of the design kits and design libraries as well. Because most of the ICs used throughout the worldwide information and communications infrastructure are produced in facilities outside the U.S. that are not under U.S. security control, national and homeland security establishments are increasingly concerned about the possibility of sabotage and subversion during the IC manufacturing process. Others, however, question how much the U.S. really has to fear from subversion or sabotage of ICs or other electronic components by foreign manufacturers.
A single IC may contain a billion or more transistors. At a rate of one transistor per second, inspecting every transistor on one such IC would take over 30 years, and the process is so difficult, tedious, and error-prone that the chance of finding even one tainted transistor among so many is extremely low. In principle, an electronic device containing multiple ICs can be undermined by a handful of rogue transistors. This explains why ICs have become an increasingly attractive target for attackers, even though, at the time of writing, unclassified documentation of “built-in” malicious logic in fielded ICs (so-called “hardware Trojans” and “kill switches”) has yet to emerge.
All ICs, and FPGAs in particular, because a significant portion of their system-level logic is loaded as configuration rather than fixed in silicon, are vulnerable during design and programming to subversion by malicious design tools, which could be used to load a subverted design into the FPGA in order to sabotage it (e.g., by causing a short circuit). Unfortunately, since most hardware design-tool developers have few or no checks in place to ensure that their tools cannot mount such attacks on the functionality of specific ICs, the only countermeasure available at this point is to acquire only FPGAs with known-trusted cores.
Some FPGA manufacturers (e.g., Xilinx) digitally sign their FPGA cores so that a trusted design can be authenticated. However, a typical FPGA may host multiple IP cores, both trusted and untrusted, and a digital signature used to authenticate a core does nothing to protect that core against tampering or snooping by the other cores on the same device. Interference between cores can be prevented by using a separate chip for each core; however, this approach increases power consumption and physical size, and it does not prevent snooping on the inter-chip communication lines on the board.
Automated IC test equipment can test millions of transistors per second for certain types of manufacturing fidelity. But such equipment is designed only to detect an IC’s deviations from a narrow set of specifications. Any anomaly in an aspect of the IC that the verification and validation tests do not cover will go undetected. This leaves design weaknesses (especially in older IC designs), embedded hardware Trojans, “kill switches”, and other misbehaviors and alterations not merely undetected but practically undetectable, given the sheer number of places an alteration could hide. Hardware attackers exploit the complexity of modern ICs to insert their Trojan circuits, and use special or unlikely run-time events to trigger the deeply buried malicious logic.
Inspection of suspected counterfeit ICs is somewhat more tractable. It begins with an analysis of the packaging and paperwork, then proceeds through several levels of inspection of the IC itself, including checking surface markings for permanency and checking physical dimensions against known-genuine samples. Other techniques include external and internal visual analysis, radiographic inspection, material analysis, electrical testing, and accelerated life testing.
Many of these tests require specialized and often expensive equipment, such as scanning electron microscopes, energy-dispersive X-ray spectroscopes, Fourier-transform infrared spectroscopes, X-ray fluorescence analyzers, acoustic microscopes, and electrical test equipment. De-capsulation exposes the die to visual inspection under a metallurgical microscope, revealing die markings such as the design year, which can then be checked with the OEM to verify whether the IC is authentic.
While IC manufacturers are likely to have some or all of the equipment needed for counterfeit inspection, since the same equipment is used in IC quality and stress testing, purchasers of ICs are seldom so provisioned, nor are they usually skilled enough to perform the various tests.
Hardware Trojan
With semiconductor scaling to very deep submicron nodes, the complexity and cost of IC design and fabrication have increased dramatically. The IC lifecycle runs from design and manufacturing all the way to sale in the market. The first step is the translation of the specification into a behavioral description, typically in a hardware description language (HDL) such as Verilog or VHDL. Next, synthesis transforms the behavioral description into an implementation in terms of logic gates (a netlist). After the netlist is implemented as a physical layout, the resulting GDSII files are handed to a foundry for fabrication. Once the foundry produces the ICs, a testing step checks their correct operation. Those ICs that pass testing are packaged during assembly and, finally, the components head to market for sale and eventual deployment in systems. Because of the globalization of the semiconductor industry, this supply chain is vulnerable to hardware Trojans at several of these steps.
A hardware Trojan is a malicious, undesired, intentional modification of an electronic circuit or design that produces undesired behavior once the circuit is deployed. ICs “infected” by a hardware Trojan may have their functionality or specification altered, may leak sensitive information, may suffer degraded or unreliable performance, or may become more susceptible to denial of service (DoS) and backdoors. Hardware Trojans are commonly classified by:
- Insertion phase
- Abstraction level
- Activation mechanism
- Effects
- Location
The hardware Trojan research domain has seen significant progress over the past decade, and many types of hardware Trojans have been developed and investigated. Whether combinational, sequential or of some newer kind, a Trojan generally contains two basic parts: a trigger and a payload. The trigger is an optional part that monitors signals and/or a series of events in the circuit. The payload taps signals from the original (Trojan-free) circuit and the output of the trigger. Once the trigger detects the expected event or condition, the payload is activated and performs the malicious behavior. Typically the trigger fires only under extremely rare conditions, so the payload stays inactive most of the time; while it is inactive the IC behaves exactly like the Trojan-free circuit, which makes the Trojan hard to detect by functional testing. In recent years, researchers have explored new triggers and payloads that further raise the difficulty of activation and detection. Such triggers may use don’t-care states in a design or silicon wear-out mechanisms for activation, while payloads may generate intentional side-channel signals to leak secrets without affecting the primary outputs. Because the extra circuitry of the trigger and payload inevitably has side effects (additional area, timing, power or radiation), defenders can use those side effects for Trojan detection. To stay stealthy and avoid detection, Trojan designs are therefore optimized to minimize their impact on the original design.
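The trigger-and-payload structure described above, as an added example that is not part of the original article: a Python model of a gate-level 8-bit ripple-carry adder into which a combinational Trojan is inserted. The trigger is a 16-input AND tree that fires only for one constructed operand pair (0xA5, 0xC3); the payload XORs the trigger output into the most significant sum bit. The simulator is bit-parallel (bit k of each net holds its value for test vector k), so all 65,536 input combinations are evaluated in one pass. The circuit, the trigger values and the toggle-count "power" proxy are assumptions made for this illustration.

```python
import random

WIDTH = 8                            # adder width: 16 primary inputs in total
TRIGGER_A, TRIGGER_B = 0xA5, 0xC3    # constructed trigger: one operand pair out of 2**16
OUTPUTS = [f"s{i}" for i in range(WIDTH)] + [f"c{WIDTH}"]


def full_adder(i, a, b, cin):
    """Gate-level full adder for bit i. A gate is (kind, output_net, *input_nets)."""
    return [("XOR", f"p{i}", a, b), ("AND", f"g{i}", a, b),
            ("XOR", f"s{i}", f"p{i}", cin), ("AND", f"t{i}", f"p{i}", cin),
            ("OR", f"c{i + 1}", f"g{i}", f"t{i}")]


def golden_adder():
    """Trojan-free ripple-carry adder: inputs a0..a7, b0..b7; outputs s0..s7, c8."""
    gates = []
    for i in range(WIDTH):
        gates += full_adder(i, f"a{i}", f"b{i}", "zero" if i == 0 else f"c{i}")
    return gates


def insert_trojan(netlist):
    """Add a combinational Trojan: a 16-literal AND-tree trigger plus an XOR payload that
    flips the sum MSB only when (a, b) == (TRIGGER_A, TRIGGER_B)."""
    gates, literals = list(netlist), []
    pattern = [(f"a{i}", (TRIGGER_A >> i) & 1) for i in range(WIDTH)]
    pattern += [(f"b{i}", (TRIGGER_B >> i) & 1) for i in range(WIDTH)]
    for net, bit in pattern:             # literal is the input itself or its inverse
        if bit:
            literals.append(net)
        else:
            gates.append(("NOT", f"n_{net}", net))
            literals.append(f"n_{net}")
    for k in range(len(pattern) - 1):    # AND tree reduces 16 literals to one trigger net
        x, y = literals.pop(0), literals.pop(0)
        gates.append(("AND", f"trg{k}", x, y))
        literals.append(f"trg{k}")
    msb = f"s{WIDTH - 1}"                # payload: route the MSB through an XOR
    gates = [(g[0], "s_orig" if g[1] == msb else g[1]) + g[2:] for g in gates]
    gates.append(("XOR", msb, "s_orig", literals[0]))
    return gates


def pack(pairs):
    """Bit-parallel inputs: bit k of net a_i holds bit i of operand a in test vector k."""
    nets = {f"{name}{i}": 0 for name in "ab" for i in range(WIDTH)}
    for k, (a, b) in enumerate(pairs):
        for i in range(WIDTH):
            nets[f"a{i}"] |= ((a >> i) & 1) << k
            nets[f"b{i}"] |= ((b >> i) & 1) << k
    return nets


def evaluate(netlist, inputs, n_vectors):
    """Simulate all n_vectors test vectors at once over a topologically ordered netlist."""
    mask = (1 << n_vectors) - 1
    nets = dict(inputs, zero=0)
    for kind, out, *ins in netlist:
        x = nets[ins[0]]
        if kind == "NOT":
            nets[out] = mask ^ x
        else:
            y = nets[ins[1]]
            nets[out] = x & y if kind == "AND" else x | y if kind == "OR" else x ^ y
    return nets


def add(netlist, a, b):
    """Run one (a, b) vector through the netlist and return the integer sum."""
    nets = evaluate(netlist, pack([(a, b)]), 1)
    return sum(nets[f"s{i}"] << i for i in range(WIDTH)) | (nets[f"c{WIDTH}"] << WIDTH)


def mismatching_vectors(golden, suspect, pairs):
    """Indices of the vectors on which any primary output of the two netlists differs."""
    n, inputs = len(pairs), pack(pairs)
    g, s = evaluate(golden, inputs, n), evaluate(suspect, inputs, n)
    diff = 0
    for o in OUTPUTS:
        diff |= g[o] ^ s[o]
    return [k for k in range(n) if (diff >> k) & 1]


def exhaustive_pairs():
    return [(v & ((1 << WIDTH) - 1), v >> WIDTH) for v in range(1 << (2 * WIDTH))]


def random_pairs(n, seed):
    rng = random.Random(seed)
    return [(rng.randrange(1 << WIDTH), rng.randrange(1 << WIDTH)) for _ in range(n)]


def switching_activity(netlist, pairs):
    """Total net toggles between consecutive vectors: a crude dynamic-power proxy.
    The Trojan's extra gates toggle as well, which is the side effect a detector looks for."""
    n = len(pairs)
    nets = evaluate(netlist, pack(pairs), n)
    mask = (1 << (n - 1)) - 1
    return sum(bin((v ^ (v >> 1)) & mask).count("1") for v in nets.values())


if __name__ == "__main__":
    golden, infected = golden_adder(), insert_trojan(golden_adder())
    print("random-test mismatches:", len(mismatching_vectors(golden, infected, random_pairs(1000, 7))))
    pairs = exhaustive_pairs()
    print("exhaustive mismatches:", [pairs[k] for k in mismatching_vectors(golden, infected, pairs)])
    print("extra gates:", len(infected) - len(golden))
    seq = random_pairs(200, 3)
    print("toggles golden vs infected:", switching_activity(golden, seq), switching_activity(infected, seq))
```

Random functional testing almost never hits the trigger, whereas an exhaustive equivalence check against a golden netlist finds exactly one mismatching input; the Trojan also shows up as area (24 extra gates) and as extra switching activity, which is the kind of side effect the paragraph says defenders can exploit. Real designs have far too many inputs for exhaustive simulation, which is why the side-channel signature matters in practice.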
Reverse Engineering
Physical reverse-engineering attacks are used to glean information about an IC’s operation, and can be invasive or non-invasive. Invasive attacks, or destructive physical inspection attacks, begin by “de-packaging” the IC, i.e., partially or completely removing its packaging with acids, solvents or other chemicals, by mechanical abrasion (planing, grinding, or chemical or mechanical polishing), or by evaporating the packaging material with a laser cutter. Once the IC has been de-packaged, the circuitry can be imaged as each layer is progressively revealed by grinding. Access to the circuitry also enables “reconnaissance” attacks, such as reverse-engineering the IC’s circuits or locating positions of interest to be targeted in electromagnetic attacks. In addition, the IC’s metal tracks can be probed to measure signals and voltages or to actively inject signals. A focused ion beam (FIB) can drill fine holes through the IC’s insulating layer to expose the metal tracks without disturbing the rest of the IC; a FIB can also be used to alter the circuitry or to re-enable disabled self-test circuitry. Non-invasive attacks monitor physical properties, or signals, that arise while the IC is running. These signals can be analyzed to gain information about the IC’s state and the data it processes, and can be derived from device timing/clock rate, supply voltage levels/power consumption (simple and differential analysis), temperature, electromagnetic (EM) radiation, acoustics, and light emission. What the attacker looks for is data-dependent variation, such as changes in power consumption or glitches in clock frequency; the attacker may also manipulate the IC’s physical environment (e.g., with voltage or clock glitches) to deliberately cause errors in the device’s operation.
Non-invasive attacks are referred to as side-channel attacks, and cryptologists have long studied the timing, supply-voltage and electromagnetic side channels of cryptographic devices to determine whether they can be exploited to recover cryptographic keys and to detect surreptitious data leaks. While difficult to prevent, invasive physical attacks are so technologically sophisticated, and demand such resources, expertise and patience, that they remain rare. The most secure FPGA designs keep the non-volatile configuration memory on the FPGA die itself. The FPGA’s encryption capability is then used not only to encrypt IP and programming bit-streams but also the data in on-chip memory, and the non-volatile memory also holds the encryption keys and the identifiers used to authenticate bit-streams. Encryption likewise protects IP and data in FPGAs that are subjected to physical “sand-and-scan” reverse-engineering or data-extraction attacks.
Recycled ICs
The counterfeiting of semiconductor components has been on the rise for many years as a result of several vulnerabilities in the electronics supply chain. According to one estimate, the United States Department of Defense may have purchased between $15M and $100M worth of counterfeit ICs in 2005 alone. The most recent data from Information Handling Services Inc. (IHS) show that reports of counterfeit ICs have quadrupled since 2009. If counterfeit ICs end up in the supply chain for mission-critical or life-saving applications, the failure of an unreliable or insecure counterfeit part could be catastrophic. A counterfeit component is one that is an unauthorized copy; does not conform to the original component manufacturer’s (OCM’s) design, model and/or performance standards; is not produced by the OCM or is produced by unauthorized contractors; is an off-specification, defective or used OCM product sold as “new” or working; or has incorrect or false markings and/or documentation.
Counterfeit components fall into seven distinct categories: recycled, remarked, overproduced, out-of-spec/defective, cloned, forged-documentation, and tampered ICs. The category that has contributed most to the rise of counterfeits is recycled ICs, which are estimated to account for 80% of all counterfeits sold worldwide. A report from the Office of Technology Evaluation, part of the U.S. Department of Commerce, likewise shows that the number of reported incidents of used ICs being sold as new or remarked as a higher grade exceeds that of other types of counterfeits. In addition, consumer-electronics and e-waste trends suggest that this recycling will only increase over time as more gadgets are used for shorter periods. These used or defective ICs enter the market when electronics “recyclers” divert scrapped circuit boards away from their designated place of disposal in order to remove and resell the ICs on those boards. After careful cleaning and remarking, those used ICs look new and can end up in critical applications. However, a used component has already been deployed in a system and has suffered aging degradation compared with a new one. Additionally, the recycling process usually involves high temperatures to remove ICs from boards, so recycled ICs are likely to fail sooner and to be less reliable than new chips. It is vital to identify recycled ICs and to keep them out of critical infrastructure, aerospace, medical, and defense supply chains.
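One way the aging degradation described above can be turned into a detector, as an added example that is not part of the original article: a Python simulation of path-delay fingerprinting. Known-fresh chips supply per-path delay statistics; a chip whose paths are uniformly slower than that fingerprint is flagged as recycled. The nominal delays, the process-variation model and the aging model (delay growth proportional to years^0.25 with path-to-path spread) are constructed for this illustration and are not measured data.

```python
import random

N_PATHS = 64
NOMINAL = [1.0 + 0.5 * i / (N_PATHS - 1) for i in range(N_PATHS)]   # constructed nominal delays (ns)


def fresh_chip(rng, global_sigma=0.005, path_sigma=0.02):
    """Constructed process-variation model: a chip-wide speed offset plus independent
    per-path offsets, applied multiplicatively to the nominal path delays."""
    g = rng.gauss(0, global_sigma)
    return [d * (1 + g + rng.gauss(0, path_sigma)) for d in NOMINAL]


def age_chip(delays, years, rng, coeff=0.08, exponent=0.25, spread=0.2):
    """Constructed aging model (NBTI/HCI-style): delays grow roughly as years**0.25,
    with some path-to-path spread. A recycled part has already absorbed this shift."""
    shift = coeff * years ** exponent
    return [d * (1 + shift * (1 + rng.gauss(0, spread))) for d in delays]


def build_fingerprint(golden_chips):
    """Per-path mean and standard deviation of delay over a set of known-fresh chips."""
    n = len(golden_chips)
    fp = []
    for i in range(N_PATHS):
        xs = [c[i] for c in golden_chips]
        mu = sum(xs) / n
        sd = (sum((x - mu) ** 2 for x in xs) / (n - 1)) ** 0.5
        fp.append((mu, sd))
    return fp


def delay_score(chip, fingerprint):
    """Average z-score of the chip's path delays against the fingerprint.
    Fresh parts scatter around 0; aged parts are uniformly slower, so the mean z rises."""
    return sum((d - mu) / sd for d, (mu, sd) in zip(chip, fingerprint)) / N_PATHS


def is_recycled(chip, fingerprint, threshold=3.0):
    return delay_score(chip, fingerprint) > threshold


def demo(seed=11, n_golden=30, n_test=20):
    """Build a fingerprint, then score fresh, heavily used and lightly used test chips."""
    rng = random.Random(seed)
    fp = build_fingerprint([fresh_chip(rng) for _ in range(n_golden)])
    fresh = [fresh_chip(rng) for _ in range(n_test)]
    recycled = age_chip(fresh_chip(rng), years=2.0, rng=rng)
    lightly_used = age_chip(fresh_chip(rng), years=0.05, rng=rng)
    return {
        "fresh_flagged": sum(is_recycled(c, fp) for c in fresh),
        "recycled_score": delay_score(recycled, fp),
        "recycled_flagged": is_recycled(recycled, fp),
        "lightly_used_score": delay_score(lightly_used, fp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lightly used chip scores above the fresh population but below the threshold, which mirrors the practical limit of the technique: a part pulled from a board after only weeks of use has aged too little to separate cleanly from process variation, so the threshold trades false alarms against missed short-use recycled parts.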
Tampering
Tampering to alter the functionality of an IC other than an FPGA is always done to the design of the IC, because it is virtually impossible to tamper with a fabricated chip in a way that is fine-grained enough to alter the hardware’s logic without simply destroying it. Post-manufacture tampering is a greater concern for FPGAs, whose programming can be modified safely only if secure IC programming and data protections control access to the FPGA’s IP and to the data stored in its on-chip memory. Driven mainly by IC manufacturers’ concern over physical tampering to extract IP, an increasing number of ICs now have built-in countermeasures against physical attacks. Techniques for obfuscating IC logic have also emerged and are being improved to strengthen IC self-protection against reverse engineering of intellectual property. Several interesting anti-tamper mechanisms have emerged from DoD’s Anti-Tamper (AT) research initiative, whose focus is technologies that prevent reverse engineering and extraction of IP from ICs used in sensitive DoD systems and applications. One such mechanism is IC metering, a set of security protocols designed to let an IC design house retain control of an IC after its fabrication. Such control may be passive, e.g., limiting the number of ICs fabricated and the properties they exhibit, or active, e.g., building into the IC the capability to disable itself at run time if tampering is detected. Like time bombs and logic bombs in software, the intentional corruption of hardware generally happens during design, implementation or manufacturing, well before the malicious logic is activated. But unlike software, and with the exception of FPGAs, sabotaged ICs cannot be patched, so they remain a threat indefinitely.
Remediating well-crafted IC-level vulnerabilities or malicious insertions would likely require physically replacing the compromised hardware. The effort and skill required to replace hardware, particularly in deeply embedded systems, all but guarantee that compromised ICs remain in active use even after the vulnerability or Trojan has been discovered. Also, because the IC is the lowest layer in the computer system, malicious logic at the IC level can bypass, subvert, or take control of all software running above it, allowing sophisticated and stealthy attacks to be crafted specifically to evade software-based defenses. Hardware Trojan logic has been devised that lets attackers escalate privileges, turn off access-control checks, and execute arbitrary instructions, thereby gaining a path to control of the machine and a foothold for subsequent system-level attacks. An IC with such a hidden Trojan circuit installed in a firewall could facilitate remote exploits; e.g., a packet sent from a predetermined network address, or a key encoded as a series of requests to different ports, could serve as the trigger for the Trojan to “reset” the firewall, granting full unprotected access to the network. And because the results of many hardware attacks look identical to “normal” hardware failures, such attacks may be misattributed to manufacturing defects or design flaws rather than to malicious logic.
Summary
The integrated circuit (IC) development process is becoming increasingly vulnerable to malicious activity because untrusted parties can be involved in the development flow. Four typical problems affect the security and trustworthiness of ICs used in military, financial, transportation and other critical systems:
- Malicious inclusions and alterations, known as hardware Trojans, can be inserted by modifying the design during layout (GDSII) development or fabrication. Hardware Trojans may cause malfunctions, lower the reliability of ICs, leak confidential information to adversaries, or even destroy the system under specifically designed conditions.
- The number of counterfeiting incidents reported by component manufacturers has increased significantly over the past few years, with recycled ICs contributing the largest share of the total. Because recycled ICs have already been used in the field, their performance and reliability have been degraded by aging effects and by the harsh recycling process.
- Reverse engineering (RE) is the process of extracting a circuit’s gate-level netlist and/or inferring its functionality. RE threatens a design because attackers can steal and pirate it (IP piracy), identify the device technology, or use the recovered design to facilitate other hardware attacks.
- Traditional mechanisms for uniquely identifying devices are vulnerable to non-invasive or invasive physical attacks. Securing the device ID/key is of the utmost importance, since the leakage of even a single ID/key can be exploited by an adversary to attack other devices or to produce pirated ones.
To address these challenges, a series of design and test methodologies are being developed to deal with these four issues and thereby enhance the security, trustworthiness and reliability of ICs. The main techniques proposed are:
- A path-delay fingerprinting technique for detecting hardware Trojans, recycled ICs, and other types of counterfeit ICs (remarked, overproduced and cloned parts), using each IC’s path-delay signature as a unique identifier;
- A Built-In Self-Authentication (BISA) technique to prevent hardware Trojan insertion by untrusted fabrication facilities; efficient and secure split manufacturing via Obfuscated Built-In Self-Authentication (OBISA) to prevent reverse engineering by untrusted fabrication facilities; and a bit-selection approach for obtaining the most reliable bits of an SRAM-based physical unclonable function (PUF) across environmental conditions and silicon aging effects.
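The SRAM-PUF reliable-bit selection named above, as an added example that is not part of the original article: a Python simulation in which each SRAM cell’s power-up value is the sign of a fixed mismatch bias plus condition-dependent noise and aging drift. Enrollment reads the array repeatedly under several conditions and keeps only the cells that never flipped; the bit error rate of those cells after aging is then compared with that of the full array. The cell model, the noise levels standing in for temperature and voltage conditions, and the aging drift are assumptions made for this illustration.

```python
import random


class SramPufSim:
    """Constructed SRAM power-up model: each cell has a fixed mismatch bias; the power-up
    value is the sign of bias + aging drift + condition-dependent noise."""

    def __init__(self, n_cells=1024, seed=1):
        self.rng = random.Random(seed)
        self.bias = [self.rng.gauss(0, 1.0) for _ in range(n_cells)]
        self.drift = [0.0] * n_cells

    def age(self, sigma=0.05):
        """Silicon aging: a permanent random shift of each cell's bias."""
        self.drift = [d + self.rng.gauss(0, sigma) for d in self.drift]

    def power_up(self, noise_sigma):
        """One power-up readout; noise_sigma stands in for temperature/voltage conditions."""
        return [1 if b + d + self.rng.gauss(0, noise_sigma) > 0 else 0
                for b, d in zip(self.bias, self.drift)]


def enroll(puf, conditions=(0.1, 0.2, 0.3), trials=32):
    """Enrollment: read the array many times under several conditions. The reference
    response is the per-cell majority; the selected cells are those that never flipped."""
    reads = [puf.power_up(s) for s in conditions for _ in range(trials)]
    n = len(reads[0])
    reference = [1 if sum(r[i] for r in reads) * 2 > len(reads) else 0 for i in range(n)]
    selected = [i for i in range(n) if all(r[i] == reads[0][i] for r in reads)]
    return reference, selected


def bit_error_rate(reference, measured, indices=None):
    """Fraction of cells (optionally restricted to `indices`) that differ from the reference."""
    idx = list(range(len(reference))) if indices is None else indices
    return sum(reference[i] != measured[i] for i in idx) / len(idx)


def demo(seed=1):
    """Enroll, age the device, read it back under the harshest enrollment condition."""
    puf = SramPufSim(seed=seed)
    reference, selected = enroll(puf)
    puf.age()
    field = puf.power_up(noise_sigma=0.3)
    return {
        "selected_bits": len(selected),
        "ber_all_bits": bit_error_rate(reference, field),
        "ber_selected_bits": bit_error_rate(reference, field, selected),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Roughly half the cells survive selection, and their error rate after aging is well below one percent, versus several percent for the raw array. The residual errors are why a fielded PUF still needs helper data and error correction (a fuzzy extractor) before its response can be used directly as a key; bit selection reduces how much correction is needed and therefore how much helper data leaks.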
Conclusion
Hardware security in ICs is no longer only a matter of reduced quality. Intentional threats to ICs, both during and after production, endanger the dependable, trustworthy operation not only of the ICs themselves but of any embedded or non-embedded software-intensive system in which they are a core component. Pre- and post-silicon IC testing tools and techniques have therefore become a must for detecting indicators of counterfeiting and malicious inclusions in ICs.