Detecting Imported Hardware Trojans
Advanced electronic engineers develop new integrated circuit security method
By Tracy Staedter
Computer security threats typically come by way of the internet, buried in software code. But now they're appearing in integrated circuit hardware: the chips that run everything from bank ATMs, bar code readers and smartphones to space vehicles and even rice cookers. High-performance semiconductor chips are often fabricated overseas, where hackers can exploit unused space on a chip. These lawbreakers may secretly insert difficult-to-detect hardware Trojans that can cause malfunctions, expose secure data or open a back door.
Because these chips are made overseas, U.S. military technology faces high risks. Strong Trojan detection techniques reduce these risks. These new integrated circuit security methods allow the government to contract with untrusted foundries that have expertise in producing high-performance integrated circuits.
As a result of a long-standing partnership, Northrop Grumman and Prof. Ankur Srivastava’s research group at the University of Maryland, College Park developed a new integrated circuit security method that rapidly detects and locates hardware Trojans with a high level of accuracy. In computer simulations, the method detected all inserted hardware Trojans, including some that were undetected using other techniques.
Such a technique will let government and military agencies reap the cost and performance benefits of these foundries while safeguarding against attacks.
"Ultimately, we want to build certain features into the chip that not only allow us to detect Trojans but also prevent the chip from being unlocked and exploited externally," says Michael Fitelson, Chief Scientist of Advanced Electronics at Northrop Grumman.
New Method Detects Trojans by Filling Free Space
Cutting-edge military equipment relies on high-performance integrated circuits. As protection against hackers, the Department of Defense developed the Trusted Foundry Program, an extensive, costly process that ranks the trustworthiness of semiconductor chip manufacturers. Unfortunately, the most trusted factories can’t always fabricate the highest-end chips needed. And so far, no hardware Trojan detection method has located some of the smallest insertions.
The detection method proposed by Northrop Grumman and the University of Maryland researchers targets that gap. It capitalizes on the fact that a semiconductor chip doesn’t use all of its available circuit space. Empty space can be filled with specially designed logic circuits called Linear Hybrid Cellular Automata (LHCA), which activate only for test purposes and leak little energy.
The new method fills about 99.9% of empty spaces with features that look like normal, working components of a semiconductor chip, but have little negative impact on power.
"You're basically filling up all of the spaces in such a way that it's not obvious to those that understand the circuitry," says Louise Sengupta, Director of Advanced Electronics at Northrop Grumman.
Hidden in Plain Sight
The LHCA chains are composed of logic cells that can be set to a specific binary state — 0 or 1. These chains are distributed across the chip to fill the free spaces between thousands of functioning logic chains. Depending on specific properties, including the length of the LHCA chain and the state of the neighboring cells within a chain, the LHCA chain updates to a new state with each new clock cycle.
“Bit sequences generated by LHCA chains possess highly beneficial mathematical properties which can be used to detect even minute changes in the underlying circuitry,” says Srivastava.
After the fabricated chip is received, it’s tested by activating the LHCA chains to produce a mathematical code. If the semiconductor hasn't been tampered with, the mathematical code will fall within a certain range. Anything outside that range indicates it's been hacked. For certain types of changes, it takes only one step to detect a hardware Trojan.
"Modifications are going to be relatively easy to spot with a specially-designed test fixture that allows us to exercise every chain in a very short period of time," says Fitelson. Because the tests can be done rapidly, says Fitelson, they can analyze a large enough number of semiconductor chips for hardware Trojans to rule out false positives.
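The LHCA test described above can be modelled in software. The following Python model is an added illustration, not code from Northrop Grumman or the University of Maryland. It assumes a four-cell chain built from the standard rule 90 / rule 150 cell types with null boundaries, a constructed rule vector and seed, tampering modelled as one cell's rule being changed, and an exact-match comparison in place of the acceptance range the article mentions.

```python
RULE_90, RULE_150 = 0, 1  # rule 150 also feeds the cell's own state back in

# Constructed sample values (assumptions, not from the article).
GOLDEN_RULES = [RULE_150, RULE_90, RULE_150, RULE_90]
TAMPERED_RULES = [RULE_150, RULE_90, RULE_90, RULE_90]  # cell 2 altered
SEED = [1, 0, 0, 0]


def lhca_step(state, rules):
    """Advance a null-boundary LHCA chain by one clock cycle."""
    n = len(state)
    nxt = []
    for i in range(n):
        left = state[i - 1] if i > 0 else 0
        right = state[i + 1] if i < n - 1 else 0
        # rule 90: left XOR right; rule 150: left XOR self XOR right
        nxt.append(left ^ right ^ (state[i] & rules[i]))
    return nxt


def period(rules, seed):
    """Clock cycles until the chain returns to its seed, or None if it never does."""
    state, steps = lhca_step(list(seed), rules), 1
    while state != list(seed) and steps < 2 ** len(seed):
        state, steps = lhca_step(state, rules), steps + 1
    return steps if state == list(seed) else None


def signature(rules, seed, cycles):
    """Bits observed at the last cell of the chain over `cycles` clock cycles."""
    state, bits = list(seed), []
    for _ in range(cycles):
        state = lhca_step(state, rules)
        bits.append(state[-1])
    return bits


def first_divergence(expected, observed):
    """Index of the first clock cycle where the observed bits leave the reference."""
    for i, (e, o) in enumerate(zip(expected, observed)):
        if e != o:
            return i
    return None


if __name__ == "__main__":
    golden = signature(GOLDEN_RULES, SEED, 15)
    observed = signature(TAMPERED_RULES, SEED, 15)
    print("golden  :", golden, "period", period(GOLDEN_RULES, SEED))
    print("observed:", observed, "diverges at", first_divergence(golden, observed))
```

In this model the untampered chain cycles through all 15 non-zero states before repeating, and changing a single cell's rule makes the observed bit stream leave the reference within four clock cycles.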