A team of researchers from the U.S. and Europe has developed a Hardware Trojan, which is an undetectable to many techniques, raising the question on need of proper hardware qualification.
They released a paper on stealthy Dopant-Level Hardware Trojans, showing how integrated circuits used in computers, military equipment and other critical systems can be maliciously compromised during the manufacturing process.
"In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors." states the paper abstract.
The Scientists devised two such backdoors they said adversaries could feasibly build into processors to surreptitiously bypass cryptographic protections provided by the computer running the chips. Instead of adding additional circuitry to the target design, the researchers inserted their hardware Trojans by changing the dopant polarity of existing transistors.
Doping is a process for modifying the electrical properties of silicon by introducing tiny impurities like phosphorous, boron and gallium, into the crystal. By switching the doping on a few transistors, parts of the integrated circuit no longer work as they should. Because the changes happen at the atomic level, the stuff is hard to detect. Their modifications fooled a number of common Trojan testing methods that included optical inspection and checking against golden chips.
“Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against ‘golden chips,’”
Hardware trojans have been the subject of considerable research since at least 2005 when the U.S. Department of Defense publicly expressed concerns over the military's reliance on integrated circuits manufactured abroad.
The exploitation of a hardware backdoor for cyber espionage purpose has always been the subject of heated debate, intelligence experts have accused in the past Chinese companies to have the ability to remotely access to the communication equipments sold in the United States and Western Countries thanks this kind of attacks.
The paper details how compromise the Intel Ivy Bridge processors pulling off a side channel attack that leaked secret keys from the hardware.
In the attack of the Ivy Bridge, researchers were able to get their Trojan onto the processor at the sub-transistor level: “Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen,”
“Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”
The possibility to infiltrate a supply chain with a hardware trojan is a target for any governments, the repercussion could be critical considering the penetration of technology in military and commercial sectors.
Last Snowden's revelations on the NSA surveillance activities evidenced the effort spent by US intelligence with major chipmakers for the introduction of backdoors into hardware sold to foreign targets.