Globalization of the semiconductor industry and associated supply chains have made integrated circuits increasingly vulnerable to Trojan programs inside a microprocessor that executes designed microcode. A Trojan is a destructive program that masquerades as an application. The software initially appears to perform a desirable function for the user prior to installation, but steals information or performs illegal system functions.
Vulnerabilities in the current integrated circuit (IC) development process have raised serious concerns about possible threats from hardware Trojans to military, financial, transportation, and electrical power systems.
An adversary can introduce a Trojan through an IC that will disable or destroy a system at some specific future time. Alternatively, an attacker can design a wire or some IC components to survive the testing phase but fail before the expected lifetime. A hardware Trojan can also covertly cause a system to leak confidential information.
Trojans can be implemented as hardware modifications to application-specific integrated circuits (ASICs), commercial off-the-shelf (COTS) parts, microprocessors, microcontrollers, network processors, or digital signal processors (DSPs), or as firmware modifications, for example to field-programmable gate array (FPGA) bit streams.
To ensure that an IC used by a client is authentic, either the developer must make the IC design and fabrication processes trustworthy or the client must verify the IC for trustworthiness. Because the former approach requires a trusted design center and foundry, it is expensive and economically infeasible given current trends in the globalization of IC design and fabrication. On the other hand, verifying trustworthiness requires a post-manufacturing step to validate conformance of the fabricated IC to the original functional and performance specifications: nothing more and nothing less.
Most Trojan detection methodologies assume the existence of secure IC circuits, which are obtained by arbitrarily selecting chips from a large batch of fabricated ICs and thoroughly testing them. This procedure assumes that Trojans are inserted into random ICs, but to do so, an attacker must use a different set of masks for selected chips, making such an effort unattractive. It is more viable for an attacker to insert a stealthy Trojan into every fabricated IC that passes manufacturing tests and trust validations, obviating the need for additional expensive masks. This raises the challenge of detecting Trojans in ICs without relying on a proven secure IC.
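The limitation of the secure-reference assumption can be made concrete with a small simulation. This is an added example, not part of the original article: the supply-current values, the Trojan overhead, the deterministic process-variation formula and all function names are constructed for illustration.

```python
from statistics import mean, stdev

NOMINAL_MA = 100.0   # constructed nominal supply current of a clean chip (mA)
TROJAN_MA = 5.0      # constructed extra current drawn by the Trojan logic (mA)
BATCH = 120          # chips in the fabricated batch
REF_COUNT = 21       # chips pulled from the batch as the "secure" reference
K_SIGMA = 3.0        # flag chips more than K_SIGMA deviations from the reference


def process_variation(chip_id):
    """Deterministic stand-in for process variation, in [-1.0, +1.0] mA."""
    return ((chip_id * 37) % 21 - 10) / 10.0


def fabricate(trojaned_ids):
    """Return the measured current of every chip in the batch."""
    return [NOMINAL_MA + process_variation(i)
            + (TROJAN_MA if i in trojaned_ids else 0.0)
            for i in range(BATCH)]


def golden_reference_screen(currents):
    """Build the reference from the first REF_COUNT chips, then screen the rest.

    Assumption: the reference chips passed thorough testing and are treated
    as Trojan-free, which is exactly the premise the text questions.
    """
    reference = currents[:REF_COUNT]
    centre, spread = mean(reference), stdev(reference)
    return [i for i in range(REF_COUNT, BATCH)
            if abs(currents[i] - centre) > K_SIGMA * spread]


def run_scenarios():
    # Scenario 1: Trojan in a few chips only (needs a second mask set).
    few = golden_reference_screen(fabricate({30, 57, 91}))
    # Scenario 2: the same Trojan in every chip, including the reference chips.
    every = golden_reference_screen(fabricate(set(range(BATCH))))
    return few, every


if __name__ == "__main__":
    few, every = run_scenarios()
    print("Trojan in chips 30, 57, 91 -> flagged:", few)
    print("Trojan in every chip       -> flagged:", every)
```

When the Trojan is in every chip, the reference itself is shifted by the Trojan's overhead, so no chip in the batch stands out against it.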
Current design methodologies provide multiple opportunities to insert Trojans that can go undetected. It is important to incorporate new design-for-trust strategies that prevent attackers from inserting Trojans into a design as well as effectively detect Trojans in fabricated circuits. ICs must be designed such that undetected changes are nearly impossible.
COTS components are commonly used in today’s systems. These components are usually designed and fabricated offshore and thus cannot be trusted. The challenge is to develop testing methodologies that consider COTS components’ specifications and functionality without having access to their internal structure. The internal details of components are no longer supplied by the original equipment manufacturer.
Hardware has become a vulnerable link in the chain of trust in computing systems, and this vulnerability must be overcome. The problem of hardware security has gained significant attention during the past several years. The assumption that hardware is trustworthy and that security efforts need only focus on networks and software is no longer valid given the globalization of IC and systems design and fabrication. Until DoD develops novel techniques to secure hardware, any computer application can potentially be considered untrusted while in the field.
1 Extracted from Computer, IEEE Computer Society, July 2011