Hardware Trojans in microchips: "The sky's the limit"
Interview with Dr. Steffen Becker, Faculty of Computer Science - Embedded Security, Ruhr University, Bochum
They secretly read sensitive patient data or remotely switch off devices in intensive care units: while companies and private individuals are by now well aware of software Trojans - never download an app or program without checking it - many companies and hospitals face a completely different threat, namely that the Trojan arrives embedded in the hardware itself. COMPAMED-tradefair.com spoke with Dr. Steffen Becker from the Ruhr University in Bochum about the problems this causes and how such Trojans can be countered.
A microchip lies next to a 1-cent coin that looks huge by comparison. The chips can only be examined under a scanning electron microscope.
Dr. Becker, you are tracking down hardware Trojans in microchips. Can you briefly explain the term?
Dr. Steffen Becker: The term hardware Trojan refers to an intentional manipulation of an integrated circuit or electronic device to negatively affect its security properties or functionality. Such Trojans are usually inserted after specification and chip or device design by an entity other than the original designer. The term traces back to the Greek myth of the Trojan horse.
When and how can hardware Trojans be infiltrated into chips?
Becker: A common attacker model for hardware Trojans was defined in 2005 by the Defense Science Board assigned to the U.S. Department of Defense: In today's globalized manufacturing chain, the vast majority of companies operate without their own microchip manufacturing capabilities. Instead, they design their chips themselves and then send them to large contract manufacturers in the form of finished blueprints. The fear now is that these blueprints will be tampered with either during digital "transport," for example by intelligence agencies, or directly at the contract manufacturers even before actual production. Depending on the type of hardware Trojan, this can be quite costly and requires a lot of expertise on the part of the attacker, who must first gain a partial understanding of the design blueprint to be manipulated - often through so-called "reverse engineering" - and then still come up with a working manipulation that may only be triggered under certain circumstances. For example, one could imagine a manipulation on a tracking chip that does not work in certain countries/regions. However, it often involves the hidden disclosure of cryptographic secrets, knowledge of which can be used to compromise the entire data transfer to and from a device.
In addition to this most common attacker model, it would also be conceivable, for example, for the hardware design tools used to insert a hardware Trojan into the construction plan of the microchip or for individual chips to be manipulated after production.
On the one hand, then, this is by no means a trivial attacker scenario; on the other, most companies have little chance of detecting such hardware Trojans. Certification authorities could, in principle, build up expertise in the detection of hardware Trojans, should this be required of them in the future.
Dr. Steffen Becker (left) and his colleague Endres Puschner develop methods to identify manipulations on chips.
Medical technology is becoming increasingly digital: What damage could be caused here if hardware Trojans were to be "built in"?
Becker: I am not an expert in the field of medical technology, but one scenario I could imagine in the medical field would be manipulation of the cryptographic functions of the card readers, which are responsible for protecting our sensitive patient data, so that they could be read by unauthorized third parties. Should the U.S. President require a pacemaker, all scenarios including tampering within the manufacturing chain that could lead to potentially life-threatening malfunctions will certainly be considered. Similar life-threatening or health-threatening scenarios are certainly conceivable for a wide range of medical devices. In principle, there is also the potential for blackmail in the form of relatively easy-to-implement "kill switches" being built into manufacturers' devices, which could thereby be threatened with shutdown - even remotely - if necessary. There is certainly a whole range of other potential malicious use cases; the sky is the limit here.
How did you proceed in the test setup to detect the changes?
Becker: First of all, we didn't build actual hardware Trojans into microchips, but asked ourselves what they look like in a very fundamental way, regardless of their specific application: At the lowest level, they consist of either additional or replaced logic devices on a chip. Digital microchips typically consist of thousands to several million such nanometer-sized logic devices.
One part of the researchers involved, the so-called "Red Team," then performed ten individual manipulations on each of four different chips containing between 500,000 and 1.5 million of these building blocks - in such a way that there were discrepancies between the blueprints and the actual chips at precisely these ten points.
Another part of the research team, the "Blue Team," then received the blueprints and the chips and had to detect the changes. To do this, the chips first had to be thinned out from the back using mechanical and chemical methods before images of the logic devices could be taken using a scanning electron microscope. These images were then compared to the original blueprints using image processing techniques to detect the manipulations.
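The Blue Team's comparison step, reduced to its core as an added example (not the researchers' own code): once the SEM images have been turned into a list of located standard cells, that list is diffed against the blueprint, flagging cells with no counterpart (added logic) and cells whose type differs at a matching position (replaced logic), while tolerating small positional offsets caused by imaging. The Cell type, the coordinate units and both sample layouts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    x: int      # placement coordinates (constructed units, e.g. image pixels)
    y: int
    kind: str   # standard-cell type recovered from the image or the blueprint


def nearest(cell, candidates, tol):
    """Return the candidate within `tol` of `cell` that is closest, or None."""
    best, best_d = None, tol + 1
    for c in candidates:
        d = max(abs(c.x - cell.x), abs(c.y - cell.y))   # Chebyshev distance
        if d <= tol and d < best_d:
            best, best_d = c, d
    return best


def compare_layouts(golden, extracted, tol=2):
    """Diff the cells extracted from the chip image against the blueprint.

    `tol` absorbs small alignment errors between image and blueprint; it must
    stay below the cell pitch, or neighbouring cells could be matched to
    each other. Returns 'added' (no counterpart in the blueprint),
    'replaced' (same place, different cell type) and 'missing' (blueprint
    cells not seen on the chip)."""
    unmatched_golden = set(golden)
    added, replaced = [], []
    for cell in extracted:
        match = nearest(cell, unmatched_golden, tol)
        if match is None:
            added.append(cell)          # extra logic device on the die
            continue
        unmatched_golden.discard(match)
        if match.kind != cell.kind:
            replaced.append((match, cell))   # substituted logic device
    missing = sorted(unmatched_golden, key=lambda c: (c.x, c.y))
    return {"added": added, "replaced": replaced, "missing": missing}


# Constructed sample: a five-cell blueprint and an "imaged" chip with one
# cell shifted by imaging noise, one cell swapped (INV -> NOR2) and one added.
GOLDEN = [Cell(0, 0, "NAND2"), Cell(10, 0, "NOR2"), Cell(20, 0, "DFF"),
          Cell(0, 10, "INV"), Cell(10, 10, "XOR2")]
EXTRACTED = [Cell(0, 0, "NAND2"), Cell(11, 1, "NOR2"), Cell(20, 0, "DFF"),
             Cell(0, 10, "NOR2"), Cell(10, 10, "XOR2"), Cell(30, 10, "AND2")]


def run_sample():
    return compare_layouts(GOLDEN, EXTRACTED)
```

In the real workflow the candidates reported as added or replaced would still be reviewed manually, which is how the few dozen false positives mentioned later in the interview were sorted out.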
To keep the error rate as low as possible, the researchers need optimal conditions in the laboratory. Shown here in the picture is a tiny impurity covering several standard cells.
You have checked microchips of different sizes. Does the quality of the inspection play a role in the size?
Becker: The constant progress in the semiconductor industry is leading to ever smaller and at the same time more efficient technologies. This means that more functions can be accommodated in the same space, and the operation of these chips is also more energy-efficient. In order to be able to make realistic estimates regarding Trojan detection, we have ventured into technology sizes from 90nm down to 28nm, which are also currently offered by contract manufacturers. Of course, the resolution or image quality of individual logic components deteriorates as technology sizes shrink, making it more difficult to detect subtle changes. You could then buy a new, better scanning electron microscope, but that is a multi-million dollar investment.
What was your hit rate on the examination?
Becker: We were able to achieve very good results here with our method. Across all technology sizes, we were able to detect all newly added logic devices - the most likely scenario in a Trojan injection. We were also able to achieve very good results with the replaced logic components and identify them completely for the three larger chips, tolerating a few dozen false-positive hits - these could quickly be sorted out manually. However, for the smallest chip, we missed three out of six extremely small changes. Better image processing algorithms based on artificial intelligence, for example, or imaging with a more advanced scanning electron microscope could remedy this.
At what point in the manufacturing process could your method be used?
Becker: Our method could be used by a specialized analysis company that has been commissioned by the chip design house and is then provided with samples of the finished chips as well as the necessary parts of the construction plans. Since the procedure is relatively complex and expensive, it is only worthwhile if there is already a concrete suspicion.
Do you see the possibility of industrializing the process of checking chips for Trojans so that it becomes part of a standard manufacturing chain?
Becker: In addition to the effort just mentioned, the method we use has a decisive disadvantage, which is why it cannot be used on an industrial scale: It is destructive, which means that the chip under investigation can no longer be used afterwards. It can therefore only ever be used to detect Trojans, but it cannot be used to obtain chips that are guaranteed to be Trojan-free - even though this could be ruled out with a high degree of probability by checking a few randomly selected chips from a production batch.
In the future, however, research could remedy this situation: On the one hand, through imaging methods similar to X-rays that do not result in the destruction of the chip - there have already been initial successes here with the synchrotron. On the other hand, there are also detection approaches that are based, for example, on observing the input/output behavior of the chips - but these can never be as accurate as detection with the aid of imaging processes. More transparency in the manufacturing chain could also help to detect unintentional changes more easily - this will also depend on the regulatory authorities in the future.
You make your research data freely available to other users. Why?
Becker: This transparency is important so that others can understand our experiments and also improve them. Especially in the semiconductor world, there is often a lack of practical and publicly available examples. That is why we decided to make our image datasets and algorithms available to the scientific community and beyond.