Tro·jan noun \trō-jən\
1 : someone or something that is used to hide what is true or real in order to trick or harm an enemy
2 computers : a seemingly useful computer program that is actually designed to harm your computer (such as by destroying data files)
Trojan chips in systems? “A backdoor in my smart phone?” As far-fetched as it might sound, there’s proof that malicious hardware and code has been found in commercial products and theU.S.military. What’s concerning is that these discoveries have been made by professors and hackers—not by the government. Unfortunately, it’s plausible that advances in assembly and packaging technology will provide a new entry-point for inclusion of malicious circuitry. On the bright side, however, with increased awareness, there are likely simple, concrete steps the semiconductor industry can take to thwart any major security incident, hopefully circumventing the need for the government’s heavy hand of intervention.
Stories of counterfeit electronic parts in our military systems have been all over the news. The National Defense Authorization Act for Fiscal Year 2012 specifically addresses this problem and calls out penalties for failure to detect and avoid “bad” parts. Even so, there appears to be little or no decrease in counterfeit activity. The problem is somewhat unique to the military, in that budget cuts and ensuing end-of-life extensions to older military systems force defense contractors to find replacements for obsolete parts as their stock depletes. Unfortunately, placing orders on the open market increases risk, as some chips originally pulled from old circuit boards sent as scrap to China (where 70% of counterfeit chips originate), are cleaned-up, re-blacktopped, re-marked, and resold.
Trojan Integrated Circuits (ICs)
Trojan chips are dissimilar from counterfeits in that additional, malicious circuitry has been inserted. The circuitry contains capabilities that may include, but are not limited to, the ability to intercept and forward information, modify data or system functionality, or even render a part and system non-functional. Imagine one of our surface-to-air defense systems or our public power grid being rendered “non-functional” in a time of need.
The preferred method for guarding against malicious circuitry is to prevent its inclusion at every point in the development process: design, layout, fabrication, assembly, and packaging. This flow is often split and outsourced across different suppliers, for cost and efficiency considerations. The interface between each stage provides a potential threat of malicious circuitry insertion.
This Trojan IC problem is not hypothetical. In September of 2012, a Cambridge Professor published a paper detailing a hardware backdoor inserted into the Actel/Microsemi ProASIC3 chips. The issue is significant in that the chip is used in military systems and advertised as providing the military with “the most impenetrable security for programmable logic designs.” The backdoor makes this often-used chip “wide open to intellectual property (IP) theft, fraud, re-programming as well as reverse engineering of the design.” As the hardware is impossible to patch, the chip must be replaced to maintain system security.
Unique 2.5-D and 3-D IC Targets
IC assembly and packaging outsourcing to Chinahas provided significant cost savings to the semiconductor industry. As a result, China’s market share in this area continues to expand. This outsourcing had been considered a safe and secure prospect, as inserting additional circuitry in this final stage of IC manufacturing, was not yet a real threat. However, the development of 2.5-D and 3-D IC packaging technology, changes this landscape.
By stacking together previously separate ICs, within a single package, 3-D IC technology provides large performance gains and, eventually, cost reduction. In addition, eventual standardization of heterogeneous-structure Through-Silicon Via (TSV) locations, may help provide a relatively uncomplicated path for inserting and hiding malicious circuitry as part of the IC assembly process. Slipping an additional chip, a Trojan, into a 3-D IC assembly, or adding circuitry to a 2.5-D, passive or active interposer, provides an opportune means of injecting malicious capability. Furthermore, detection is next to impossible as X-ray and thermal imaging of the stacked chips, once encapsulated, provides minimal visibility. Though destructive tear-down will likely reveal a rogue chip, an adversary may choose to randomly insert the additional or modified IC after initial acceptance tests and teardown are complete, helping conceal its presence.
At present, there are no production-grade, high-volume tools or maintainable processes available for detecting Trojan circuitry inserted into 2.5-D or 3-D IC packages. Beyond this, there are no government R&D programs in the works at DARPA, IARPA or Homeland Security to address this threat. While a major incident resulting from malicious circuitry might push the government to act, past reactions to security incidents have left us with government-sponsored, brute-force “solutions” such as TSA, Homeland Security, The Patriot Act, and the Defense Act of 2012. In this context, the industry would be better served to proactively develop its own solutions.
Going Forward—Design for Security
What can be done to reap the most technological benefits while maintaining security? For defense applications, a captive, US-based, 2.5-D and 3-D IC assembly and packaging operation must be funded and added into the Trusted Foundry mix of national security-directed solutions.
For consumer ICs, an industry-adopted, Design for Security methodology, anticipating the potential inclusion of 2.5-D and 3-D IC-enabled Trojan circuitry is a necessary start. Collecting and developing Design for Security best practices and guidelines, which address each stage in the semiconductor lifecycle and process flow, is in order. Once developed; regularly scheduled, internal courses, teaching new engineers and reminding seasoned ones, of Design for Security practices, must be required. Many engineers are simply not aware of the need for a security mindset, for example, sometimes putting and leaving a backdoor, for test convenience, into a design, and hoping that its undocumented presence will never be found. History shows that “Security by Obfuscation” never works. In the hands of a determined adversary, this undocumented backdoor, when found, will be no different than a Trojan—it will be used for ill-gain. A Design for Security mindset will help solidify industry ownership, hopefully heading-off any issues before they become pervasive.
2. Made inChina: ‘Flood’ of counterfeit parts used inU.S.military gear – which could ‘compromise national security’ Reuters. May 23, 2012.
3. “Breakthrough silicon scanning discovers backdoor in military chip,” Sergei Skorobogatov and Christopher Woods, Cryptographic Hardware and Embedded Systems Workshop (CHES 2012), 9–12 September 2012, Leuven, Belgium