Researchers at the Ruhr University Bochum and the Max Planck Institute for Security and Privacy (MPI-SP) have come up with an approach to analyzing die photos of real-world microchips to reveal hardware Trojan attacks — and are releasing their imagery and algorithm for all to try.
"It's conceivable that tiny changes might be inserted into the designs in the factories shortly before production that could override the security of the chips," says Steffen Becker, PhD and co-author of the paper detailing the work, of the problem the team set about to solve. "In extreme cases, such hardware Trojans could allow an attacker to paralyze parts of the telecommunications infrastructure at the push of a button."
Looking at chips built on 28nm, 40nm, 65nm, and 90nm process nodes, the team set about automating the process of inspecting the finished silicon chips for hardware-level tampering. Using designs created by Thorben Moos, PhD, the researchers figured out a way to test their approach: taking the physical chips Moos had already built and comparing them to original design files with minor modifications, meaning the two are no longer a direct match.
"Comparing the chip images and the construction plans turned out to be quite a challenge, because we first had to precisely superimpose the data," says first author Endres Puschner. "On the smallest chip, which is 28 nanometers in size, a single speck of dust or a hair can obscure a whole row of standard cells."
Despite these challenges the analysis algorithm showed promise, detecting 37 of the 40 modifications — including all the modifications made to the chips built on process nodes between 40nm and 90nm. The algorithm did, admittedly, throw up 500 false positives — but, says Puschner, "with more than 1.5 million standard cells examined, this is a very good rate."
The desire to analyze silicon-level hardware to detect either malicious modifications or counterfeit hardware was also behind recent work by engineer Andrew "bunnie" Huang, who developed a technique for peering inside packaged chips and uncovering the silicon within. Huang's approach lacks the resolution, however, for cell-level analysis — which this research team managed through electron microscopy.
The team's paper is available under open-access terms on the IACR Cryptology ePrint Archive, while the full imagery and source code behind the paper has been published to GitHub under the permissive MIT license. "We […] hope that other groups will use our data for follow-up studies, Becker says. "Machine learning could probably improve the detection algorithm to such an extent that it would also detect the changes on the smallest chips that we missed."